mhoye3d ago
Infosec Lazyweb, a real question: is it actually safe to plug a random usb peripheral into a win10 machine, assuming I’m not interesting to a nation-state? Or is that (still) the fast path to bad pain, even assuming zero user interaction.
Show threadcubeos3d ago
@mhoye Random USB devices can pretend to be keyboards and Win10 by default accepts e.g. keypresses or mouse movements from new USB devices. Win-R invokes the Run command, so it's trivial to run some shell code.
Show threadViolet/Multi3d ago
@cubeos @mhoye Echoing this. Rubber duckies are inexpensive (we're talking about "esp 32 on a widely produced circuit board" here, ~15$), can do anything mouse+keyboard can and look like real USB sticks.
Show threadcubeos
@multisn8 @mhoye attiny85 such as digispark are even cheaper, something like 2 Euro. That's my goto demo device to illustrate the problem, you can program them using the Arduino IDE.
Mar 25 at 6:19pmWeb