USBlock: Blocking USB-Based Keypress Injection Attacks

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10980)


The Universal Serial Bus (USB) is becoming a prevalent attack vector. Rubber Ducky and BadUSB are two recent classes of a whole spectrum of attacks carried out using fully-automated keypress injections through innocent-looking USB devices. So far, defense mechanisms are insufficient and rely on user participation in the trust decision.

We propose USBlock, a novel approach to detect suspicious USB devices by analyzing the temporal characteristics of the USB packet traffic they generate, similarly to intrusion detection approaches in networked systems.

Our approach is unique in that it does not involve the user in the trust decision at all. We describe a proof-of-concept implementation for Linux and assess how effectively and efficiently our approach copes with temporal variations in the typing habits and dynamics of legitimate users.
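As an added illustration of the timing-based idea described above (this is not the authors' USBlock code, and the abstract does not give their algorithm or thresholds), the following Python example classifies a stream of key-press timestamps by the speed and regularity of the gaps between them. The function names, window size, thresholds and sample timestamps are all assumptions constructed for this example.

```python
from itertools import accumulate
from statistics import median

# All thresholds are assumptions chosen for this illustration, not values from the paper.
WINDOW = 8             # consecutive inter-arrival gaps examined together
MIN_MEDIAN_MS = 20.0   # sustained typing faster than this is treated as automated
METRONOME_MS = 100.0   # below this median, human-like jitter is also required
MIN_JITTER = 0.05      # minimum (MAD / median) expected from a person

def gaps_ms(timestamps_us):
    """Inter-arrival times in ms between consecutive key-press reports."""
    return [(b - a) / 1000.0 for a, b in zip(timestamps_us, timestamps_us[1:])]

def window_is_automated(gaps):
    """True if one window of gaps is too fast or too regular for a human typist."""
    med = median(gaps)
    if med < MIN_MEDIAN_MS:          # also catches zero or negative gaps
        return True
    mad = median(abs(g - med) for g in gaps)   # median absolute deviation
    return med < METRONOME_MS and mad / med < MIN_JITTER

def classify(timestamps_us):
    """Return 'suspicious', 'ok', or 'insufficient' for a key-press timestamp list."""
    gaps = gaps_ms(timestamps_us)
    if len(gaps) < WINDOW:
        return "insufficient"        # too few events to judge; caller decides policy
    for i in range(len(gaps) - WINDOW + 1):
        if window_is_automated(gaps[i:i + WINDOW]):
            return "suspicious"
    return "ok"

def stamps(gap_list_ms, start_us=1_000_000):
    """Build constructed microsecond timestamps from a list of gaps in ms."""
    return list(accumulate((int(g * 1000) for g in gap_list_ms), initial=start_us))

# Constructed sample traces (not measurements from the paper).
HUMAN = stamps([142, 98, 210, 87, 156, 301, 120, 95, 180, 133])
INJECTED = stamps([4] * 12)          # burst far faster than a person types
FIXED_DELAY = stamps([50] * 12)      # plausible speed, but perfectly regular
MIXED = HUMAN + stamps([5] * 10, start_us=HUMAN[-1] + 2_000_000)

if __name__ == "__main__":
    for name, trace in [("human", HUMAN), ("injected", INJECTED),
                        ("fixed-delay", FIXED_DELAY), ("mixed", MIXED)]:
        print(name, classify(trace))
```

The sliding window lets a short automated burst be flagged even when it follows a stretch of ordinary typing, as in the `MIXED` trace.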


Keywords: Security, USB, BadUSB, Linux kernel, System security



This research was supported by the Austrian Research Promotion Agency (FFG) through the BRIDGE 1 grant P846070 (SpeedFor) and the COMET K1-Centres programme line (SBA2). S. Neuner was also supported by the Austrian Marshall Plan Foundation through a Marshall Plan Scholarship. We thank Prof. E. Kirda and W. Robertson for their valuable support during the early stages of this research as well as the participants in the typing experiments.



Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. SBA Research, Vienna, Austria
  2. University of Patras, Patras, Greece
  3. mulliner.org, New York, USA
