Hacked Devices: A Case Study on Infected Peripherals

What Are Hacked Devices?

Hacked devices are among the most dangerous and overlooked entry points for cyberattacks. Unlike traditional software exploits, these threats operate at the hardware level, making them extremely difficult to detect and stop. Compromised peripherals, such as mice, keyboards, or hacked USB hubs, can masquerade as legitimate components while silently executing malicious operations.

As organizations increasingly rely on connected assets, from IoT endpoints to industrial control systems, the risk posed by hacked devices continues to rise. Once inside a network, they can bypass security controls, exfiltrate sensitive data, and even allow remote hackers to maintain persistent access.

Sepio’s Asset Risk Management platform offers unparalleled visibility into these hidden threats, enabling organizations to detect, assess, and mitigate hacked devices before they cause damage.

How Hacked Devices Bypassed an Air-Gapped Network

During an academic security research project that scanned file repositories, researchers found classified operational documents from a large US natural gas utility. When they contacted the utility’s security team, they learned the documents were authentic. Surprisingly, there was no evidence that any internal files had been removed.

Investigators initially believed the network containing the stolen documents was air-gapped, preventing Internet leakage. Strictly blocking all removable media also ruled out the possibility of someone copying and removing the documents. The investigation revealed that hackers had broken into the internal critical network, bypassing existing security controls using hacked devices. As a result, the network was vulnerable not only to exfiltration but also to injection and sabotage.

The Hacked Mouse

When plugged in, the hacked device was detected by the host PC as both a fully functional mouse and a human interface device (HID) keyboard (USB Class 3, Subclass 1, Protocol 1). Using keyboard emulation, the HID interface typed a PowerShell script that built and executed a covert channel communication stack.

By creating an out-of-band connection through the hacked mouse’s wireless interface, the attackers bypassed the air gap. Users usually see keyboards as input devices. However, organizations must recognize that attackers can exploit the bidirectional communication channel in keyboards to exfiltrate enterprise data. This example shows how a hacked mouse or keyboard can turn trusted hardware into a threat vector.

Figure: Hacked USB mouse with implanted Raspberry Pi Zero W
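As an added illustration (not from the case study and not Sepio's product code), the following Python check flags a USB device whose interface set contradicts what it claims to be, keyed on the class/subclass/protocol triple the text cites (3/1/1 for a boot-protocol keyboard) and on keyboard-plus-network combinations of the PoisonTap kind; the device records are constructed, not captured descriptors.

```python
from dataclasses import dataclass

# USB class/subclass/protocol codes from the USB HID and CDC class specs.
HID_CLASS = 0x03
HID_BOOT_SUBCLASS = 0x01
HID_PROTO_KEYBOARD = 0x01   # the 3/1/1 triple named in the case study
HID_PROTO_MOUSE = 0x02
CDC_CLASS = 0x02            # CDC control (ECM/RNDIS-style USB networking)
CDC_DATA_CLASS = 0x0A       # CDC data interface


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class UsbDevice:
    product: str
    interfaces: tuple


def assess(dev: UsbDevice) -> list:
    """Return human-readable findings for a device's interface set.

    Non-boot HID interfaces (subclass 0) would need report-descriptor
    parsing to classify; this check only covers the boot-protocol triples.
    """
    triples = {(i.cls, i.subclass, i.protocol) for i in dev.interfaces}
    has_kbd = (HID_CLASS, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD) in triples
    has_mouse = (HID_CLASS, HID_BOOT_SUBCLASS, HID_PROTO_MOUSE) in triples
    has_net = any(i.cls in (CDC_CLASS, CDC_DATA_CLASS) for i in dev.interfaces)
    findings = []
    if has_kbd and "mouse" in dev.product.lower():
        findings.append("product string says mouse but a keyboard boot interface is exposed")
    if has_kbd and has_mouse:
        findings.append("composite mouse+keyboard: review before allow-listing")
    if has_kbd and has_net:
        findings.append("keyboard interface combined with a USB network interface")
    return findings


# Constructed sample devices (hypothetical, not taken from the incident).
PLAIN_MOUSE = UsbDevice("USB Optical Mouse", (Interface(3, 1, 2),))
IMPLANTED_MOUSE = UsbDevice("USB Optical Mouse", (Interface(3, 1, 2), Interface(3, 1, 1)))
NET_INJECTOR = UsbDevice("Composite Device", (Interface(3, 1, 1), Interface(2, 6, 0), Interface(10, 0, 0)))

if __name__ == "__main__":
    for dev in (PLAIN_MOUSE, IMPLANTED_MOUSE, NET_INJECTOR):
        print(dev.product, assess(dev) or ["no findings"])
```

A genuine keyboard with a built-in trackpad also enumerates as mouse plus keyboard, so the composite finding is a prompt for explicit allow-listing rather than an automatic block.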

Tools and Techniques Behind Hacked Devices

The Raspberry Pi Zero W can be purchased for as little as $25. Its low cost, credit card-like size, and support for many hacking tools make it an attractive option for building hacked devices. In this case, it consumed minimal power, easily supplied by the host PC (the attack target). At the same time, it allowed hackers to sniff network packets and exfiltrate data remotely using its integrated WiFi.

Other hacked devices rely on LoRaWAN, a low-power wide-area network, to communicate with rogue peripherals. Systems may detect such devices as legitimate USB hubs while hiding the embedded malicious hardware.

Popular tools used in these attacks include:

  • Rspiducky – keyboard emulation for automated script execution
  • PoisonTap – network traffic hijacking
  • Backdoor remote access implementations – full control over compromised endpoints

These examples demonstrate the versatility and stealth of hacked devices, which can turn simple peripherals into powerful attack platforms. In many cases, mouse hacking techniques or the use of hacked USB devices enable hackers to bypass even the most secure environments.

Figure: Low-cost hardware like a Raspberry Pi Zero W can be transformed into a hacked device

How Sepio Protects Against Hacked Devices

Holistic, Objective Truth

Sepio’s Asset Risk Management platform sees, assesses, and mitigates all known and shadow IT assets at any scale, as quickly as they are added by anyone, anywhere. By leveraging data at the physical layer, Sepio reaches the true source of asset risk, providing organizations and their existing security tools with a new dimension of visibility that was previously impossible.

Our unique approach and patented algorithms create an objective DNA profile for every known and shadow asset, including hacked devices. This avoids misleading behavioral assumptions or deceptive profiles that can bypass even advanced cybersecurity tools. With Sepio, enterprises gain a centralized source of asset visibility, capable of detecting threats hidden in hacked devices such as hacked USB peripherals or compromised mice through mouse hacking tactics.

Actionable Visibility

Visibility is essential, but it is only useful when it drives action. Sepio automatically generates an Asset Risk Factor (ARF) score for every asset, including hacked devices, based on its DNA profile, context, and predefined rules. The ARF score prioritizes risks, giving organizations clear guidance on what requires immediate attention.

The ARF score highlights high, medium, and low risks to accelerate resolution, identify compliance gaps, and prevent crises. Continuous monitoring ensures that any change to an asset’s ARF score, caused by anomalies, tampering, or the introduction of hacked USB devices or mouse hacking attempts, is detected in real time.

Figure: Sepio Visibility Overview

Big data and machine learning, enhanced with OSINT threat intelligence, improve IT efficiency by flagging assets known to be vulnerable. This real-time visibility helps security teams better understand their attack surface and manage risks associated with hacked USB devices.

Control and Automated Mitigation

Sepio enforces granular hardware usage controls predefined by administrators. The system continuously compares each asset’s DNA profile and ARF score with preset rules and maps them to appropriate policies. It automatically blocks assets that violate rules or match a known attack, including hacked devices, enabling instant and automated mitigation.

Sepio’s unique trafficless approach enables scalable asset risk management without burdening IT resources. With no privacy risks, no compliance issues, and no performance impact, deployment is fast and simple, taking less than 24 hours. This ensures enterprises can scale protection against hacked USB devices across their entire ecosystem.

Maximizing ROI on Existing Security Tools

The Sepio platform integrates seamlessly with leading cybersecurity solutions such as NACs, EDRs, XDRs, and Zero Trust platforms. By improving these tools with physical layer visibility, Sepio increases the return on existing IT and security investments. Without Sepio, these solutions cannot fully achieve their mission of identifying and mitigating threats introduced by hacked devices.

Talk to an expert to understand how to use Sepio’s patented technology to gain control of your asset risks.

Read the Infected Peripheral Devices Case Study (pdf)
April 28th, 2020