I just walked out of room 716 at SecTor here in Toronto, where I shared details on my Raspberry Pi Pico project. I’m happy that I was finally able to share this and even happier to announce that the GitHub repo with this code is now accessible to everyone. I won’t walk you through the code, but you can reach out to me to ask questions.
The repo stores all of the data. As I mentioned in the announcement for my SecTor session, I looked at turning a Pico (or any device running an RP2040) into a Human Interface Device (HID). I started out creating a Stream Deck and had such a great time building that and turning it into a tool to teach Python to teens that I decided to dig deeper into the Pico’s HID functionality. SecTor 2021 included a demonstration of Picos that emulate keyboards, issue commands rapidly and display them on the screen. Over the past year, I’ve extended that and created example code.
While BadUSB attacks are not new, I’m hoping that this makes them more accessible and opens the door for further education about how these attacks are performed and the damage they can do. To give security awareness training to employees, you can conceal these devices with USB-compatible gadgets. While they can serve malicious individuals, there’s a lot of harmless fun that can be had demonstrating the dangers of these devices to non-technical individuals.
Within the GitHub repo, you’ll find the keycode library (one already exists within CircuitPython, but I wasn’t happy with the approach it used), a template for the BadUSB attack, sample code, and plenty of example payloads. These tools are useful for both security awareness training and remote system administrators, who may need to send configurations out to non-networked systems. Anything you can do with a keyboard, you can do with a Pico using this code, and that provides extensive flexibility and functionality.
If you explore the repo or use the code, I’d love to hear how you are using it and what you think of the code. I’m sure there are plenty of improvements that could be made and I’m happy to hear your suggestions. Enjoy!