Inspiration

Every day, people plug USBs into their computers without a second thought. We wanted to explore that inherent trust and demonstrate just how easily it can be exploited. Inspired by the concept of HID (Human Interface Device) attacks, our goal was to create an educational tool that raises awareness about a real-world cybersecurity threat. Security is only as strong as its weakest link. This project challenges you to consider how that weakest link might just be you.

What it does

Stickers are proof-of-concept USB devices built with an Arduino Pro Micro, programmed to act as a keyboard that automatically executes preloaded keystrokes when plugged in. This mimics how malicious actors use USB Rubber Ducky-style devices to deliver payloads in seconds. You simply "stick" it in, and it does the rest automatically. No clicks required.

How we built it

The Arduino Pro Micro uses a type of microcontroller (ATmega32U4) that allows for HID emulation right out of the box. We used the Arduino IDE and a pre-installed library (Keyboard.h) to simulate common attack behaviors by opening the terminal and executing predefined commands, such as changing execution policy, downloading and running a script that we built, and deleting any trace that anything had happened.

Challenges we ran into

Working with the hardware limitations of the Arduino Pro Micro was challenging.

  • For starters, the list of commands had a maximum of roughly 2 Kilobytes. To work around this limitation, instead of having the Arduino store the entire PowerShell script in memory and type it out, we had it download the script and run it. The script itself took care of the rest. It even deletes itself when it's done!
  • Another limitation with the Arduino is how quickly it can type. By default, it is only capable of typing in short bursts. Longer commands would often get jumbled or be sent before command windows were ready to receive them. To work around this, we configured short delays (10ms) between each keystroke for longer strings and longer delays to give command prompt windows enough time to prepare to receive input (50ms or more).

Accomplishments that we're proud of

  • Successfully programmed and tested a working HID demonstration device
  • Created a cinematic, story-driven video presentation that we feel effectively teaches cyber awareness. We put the viewer in the shoes of a hacker before flipping the script to reveal the white-hat perspective. ## What we learned
  • We learned how HID spoofing operates and how seemingly small oversights in digital trust can lead to serious consequences.
  • Deepened our understanding of USB protocols, Arduino firmware, and red-team tactics while practicing responsible disclosure and ethical boundaries. In other words, we learned hands-on what it means to be an ethical hacker!

What's next for Stickers

We plan to expand Stickers into an interactive cybersecurity awareness demo, where students can safely stick these USBs in and see exactly what commands they run. Eventually, we’d like to develop a training kit for classrooms to help future students learn about HID attacks, endpoint security, and digital trust in an engaging, hands-on way. We'd also like to incorporate a course on system hardening techniques so that students not only learn to avoid these types of attacks, but to fortify themselves against them on a hardware and software level, too.

Built With

Share this project:

Updates