Red5heep's Raspberry Pi Pico-Based USBvalve Security Tool Logs Malicious Actions On-the-Fly
Connected to an untrusted system, the USBvalve logs all filesystem access — and it can check USB drives for BADUSB attacks, too.
Security researcher Cesare "red5heep" Pizzi has turned a Raspberry Pi Pico microcontroller board into a gadget for inspecting exactly what's happening when you connect a USB device to an untrusted system — reading out file system access in real-time on a compact OLED display.
"I'm sure that, like me, you were asked to put your USB drive in an unknown device… and then the doubt: what happened to my poor dongle, behind the scene? Stealing my files? Encrypting them? Or just installing a malware," Pizzi asks. "With USBvalve you can spot this out in seconds: built on super cheap off-the-shelf hardware you can quickly test any USB file system activity and understand what is going on before it's too late!"
The USBvalve board is designed to host a Raspberry Pi Pico, or other pin-compatible RP2040-based microcontroller board, alongside a 128×32 or 128×64 OLED display — though the carrier board isn't strictly required. "Almost all the job is done directly on the board by the software," Pizzi explains, "so you just need to arrange the connection with the OLED for output."
When connected to an untrusted system, the USBvalve presents a file system — and then begins printing all file access, both read and write, on the display. If a malicious system begins copying all the files it can find, or writing new data without consent, that activity shows up on-screen — as a warning not to connect any devices you care about.
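The idea described above, as an added C example that is not USBvalve's firmware and not code from the article: a decoy block device whose read and write handlers log every host access before serving it, then summarise what the host did. The in-RAM disk, the handler names and the "more than half the disk read" sweep threshold are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE  512
#define BLOCK_COUNT 64   /* assumption: small decoy disk held in RAM */
#define LOG_DEPTH   16   /* assumption: events retained for the display */

typedef enum { EV_READ, EV_WRITE } ev_kind;
typedef enum { V_QUIET, V_BULK_READ, V_WRITTEN } verdict;
typedef struct { ev_kind kind; uint32_t lba; } access_event;

static uint8_t disk[BLOCK_COUNT][BLOCK_SIZE];
static uint8_t seen[BLOCK_COUNT];      /* blocks the host has already read */
static access_event ring[LOG_DEPTH];   /* most recent events */
static unsigned total, writes, distinct_reads;

void monitor_reset(void) {
    memset(seen, 0, sizeof seen);
    total = writes = distinct_reads = 0;
}
static void record(ev_kind kind, uint32_t lba) {
    ring[total++ % LOG_DEPTH] = (access_event){ kind, lba };
    if (kind == EV_WRITE) writes++;
    else if (!seen[lba]) { seen[lba] = 1; distinct_reads++; }
}
access_event last_event(void) { return ring[(total - 1) % LOG_DEPTH]; }

/* Host I/O handlers: log the access, then serve it. -1 if out of range. */
int on_host_read(uint32_t lba, uint8_t *buf) {
    if (lba >= BLOCK_COUNT) return -1;
    record(EV_READ, lba);
    memcpy(buf, disk[lba], BLOCK_SIZE);
    return BLOCK_SIZE;
}
int on_host_write(uint32_t lba, const uint8_t *buf) {
    if (lba >= BLOCK_COUNT) return -1;
    record(EV_WRITE, lba);
    memcpy(disk[lba], buf, BLOCK_SIZE);
    return BLOCK_SIZE;
}

/* Any write is reported; reading over half the disk counts as a sweep. */
verdict assess(void) {
    if (writes) return V_WRITTEN;
    return distinct_reads * 2 > BLOCK_COUNT ? V_BULK_READ : V_QUIET;
}

int main(void) {
    uint8_t buf[BLOCK_SIZE];
    for (uint32_t lba = 0; lba < 40; lba++) on_host_read(lba, buf);
    printf("verdict=%d after %u events\n", (int)assess(), total);
}
```

Counting distinct blocks rather than raw reads keeps a host that re-reads the same few sectors while mounting from being mistaken for one copying the whole disk.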
In its latest incarnation, the USBvalve can also work the opposite way, detecting untrusted USB devices that attempt to carry out a BADUSB attack. "Starting from version 0.8.0 of the firmware, USBvalve can detect HID [Human Interface Device] devices (used to detect BADUSB). This requires an additional USB port behaving as Host," Pizzi explains — which is exactly what the optional carrier board provides.
The project, including source code, PCB design files, and an optional 3D-printable spacer to prevent the OLED panel shorting out, is detailed in full on Pizzi's GitHub repository.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.