Hardware Security

BadUSB: When the Firmware Is the Attack

June 11, 2026 · 7 min read · Haven Team

Your computer trusts keyboards completely. Anything that identifies itself as a keyboard can type — no permission prompt, no confirmation, no antivirus scan. BadUSB weaponizes that trust: a flash drive, a charging cable, or a webcam whose firmware has been reprogrammed to declare itself a keyboard and type attacker-chosen commands at hundreds of words per minute. The file system on the drive can be completely clean. The attack isn't in the files. It's in the firmware.


In 2014, security researchers Karsten Nohl and Jakob Lell of SR Labs presented "BadUSB — On Accessories that Turn Evil" at Black Hat. Their insight was structural, not a bug to be patched: many USB devices are built around a small microcontroller running rewritable firmware, and that firmware decides what the device claims to be. They demonstrated reprogramming the controller of an ordinary flash drive so that, alongside (or instead of) presenting storage, it presented a keyboard — and started typing.

Two months later, researchers Adam Caudill and Brandon Wilson published working code that did the same thing to a common controller family, making the point unavoidable: this wasn't a theoretical capability reserved for intelligence agencies. It was a firmware patch away from anyone.

Why a Fake Keyboard Beats Antivirus

The USB specification lets a single physical device present multiple interfaces, and the Human Interface Device (HID) class — keyboards, mice — is trusted by design. There is no signature check on what a keyboard types and no sandbox around it, because the operating system cannot distinguish a malicious keystroke from you typing.

So the attack sequence is brutally simple: the device enumerates as a keyboard, waits a few seconds, then types. Open a terminal or a Run dialog, enter a one-liner that downloads and executes a payload, close the window. At injection speeds of hundreds of characters per second, the visible part of the attack can be over in under two seconds — a window flickers and is gone. Endpoint protection that scans files sees nothing unusual, because nothing unusual was ever written to disk by the USB device itself. The commands came from "the user."
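A defender can check for the multi-interface trick described above by reading what a device declares at enumeration. The following is an added example, not code from the article or from the researchers it cites: it walks a raw USB configuration descriptor and flags a device that exposes mass storage and HID together. The descriptor bytes are constructed samples and the function names are hypothetical. Keyboards that do not use the boot subclass identify themselves only in the HID report descriptor, which this code does not parse.

```python
import struct

MASS_STORAGE, HID = 0x08, 0x03          # bInterfaceClass codes
DT_CONFIG, DT_INTERFACE = 0x02, 0x04    # bDescriptorType codes

# Constructed sample: a flash drive that also exposes a boot keyboard.
COMPOSITE = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"   # configuration, wTotalLength=57, 2 interfaces
    "09 04 00 00 02 08 06 50 00"   # interface 0: mass storage, SCSI, bulk-only
    "07 05 81 02 00 02 00"         # bulk IN endpoint
    "07 05 02 02 00 02 00"         # bulk OUT endpoint
    "09 04 01 00 01 03 01 01 00"   # interface 1: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 3f 00"   # HID class descriptor
    "07 05 83 03 08 00 0a"         # interrupt IN endpoint
)
# Constructed sample: the same drive with only the storage interface.
STORAGE_ONLY = bytes.fromhex("09 02 20 00 01 01 00 80 32") + COMPOSITE[9:32]

def parse_interfaces(blob: bytes):
    """Return (class, subclass, protocol) for every interface descriptor."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total > len(blob):
        raise ValueError("wTotalLength exceeds captured data")
    interfaces, pos = [], 0
    while pos < total:
        length = blob[pos]
        if length < 2 or pos + length > total:
            raise ValueError(f"malformed descriptor at offset {pos}")
        if blob[pos + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            interfaces.append(tuple(blob[pos + 5:pos + 8]))
        pos += length          # every descriptor starts with its own length
    return interfaces

def audit(blob: bytes):
    """List findings for a device that mixes storage with keyboard-class input."""
    ifaces = parse_interfaces(blob)
    hid = [(sub, proto) for cls, sub, proto in ifaces if cls == HID]
    if not hid or not any(cls == MASS_STORAGE for cls, _, _ in ifaces):
        return []
    findings = ["mass storage and HID on one device"]
    if (1, 1) in hid:          # boot subclass 1, protocol 1 = keyboard
        findings.append("HID interface is a boot keyboard")
    return findings

if __name__ == "__main__":
    print(audit(COMPOSITE), audit(STORAGE_ONLY))
```

A finding here is a reason to look closer, not proof of tampering: legitimate composite devices exist, and reprogrammed firmware can present a keyboard without any storage interface at all.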

Key distinction

BadUSB is not autorun. Autorun — Windows executing files from inserted media automatically — was largely killed off years ago. BadUS