What stops a random USB device from rooting Windows?

Question

Ok so I&rsquo;m learning computer security and I had an idea for an attack method and it&rsquo;s so simple I wanna know if it&rsquo;s already put into practice.Basically it would be a USB device that tells the Windows system it&rsquo;s a generic keyboard+mouse. Then it would simulate the entry of input something like: 1) WinKey + R 2) cmd.exe [enter] 3) [enters or pasted a malicious script] 4) await UAC prompt. Click pre-calculated dimensions for the button based on screen size/dpi ratio..Now the entire system is rooted in under 2 seconds.Can someone explain what mitigations if any Microsoft has put in place (prior to the recent ASR which is new and probably also vulnerable?) to disable this [fake mouse and keyboard attack] ?

paywallasinbeer · Accepted Answer

Here's something very similar to what you're thinking of.[0] There's a low cost alternative if you'd like to experiment.[1]
[0] https://shop.hak5.org/products/usb-rubber-ducky-deluxe
[1] https://sequr.be/blog/2021/02/attiny85-rubber-ducky/

JackGreyhat · Answer

It should be common practise to run your every day computer life from a "normal", non-privileged user account. This way, automating UAC confirmations are impossible, given that alternative credentials have to be entered for the UAC to be authorized. Yet, you'll find that many people do not do this.

hnuser123456 · Answer

If the current user isn't an admin, they can't just click through UAC.
If they are an admin, they could just do this manually.
Either way, no privilege escalation, which "rooting" typically implies.
Sure, you could make a USB stick that automates any user input, but you could just make the same inputs yourself with the keyboard and mouse already at the machine. What kind of situation does this actually benefit you in?

ComradePhil · Answer

This is a well-known mode of attack and some anti-virus software have protections against it: https://www.kaspersky.com/blog/weaponized-usb-devices/26495/

riveducha · Answer

Even better, why not find people with a wireless mouse/kbd dongle plugged into their computer, then send radio signals mimicking their mouse/kbd to do the same thing? That way you don't even need to touch their computer or bypass the check on whether the USB device is preauthorized.
The reason you can't is because many newer wireless devices have encryption, but how many people know or care when they buy one?
I spent a not insignificant amount of time looking into this, but for the purpose of making a game AI, not for hacking other people's computers.

sydthrowaway · Answer

What stops this on Mac?

joeld42 · Answer

Nothing, really.