You’ve probably heard of the USB Rubber Ducky. It is a famous tool that looks like a normal flash drive but acts like a keyboard and executes payloads instantly.
I wanted to replicate that concept, but with hardware that costs just a few dollars and is more accessible.
That is where the Pico comes in. With the right code, it can emulate a USB keyboard and type whatever I tell it to. Once I realized that, the project almost built itself.
The setup was simple but satisfying!
Hardware: just the Raspberry Pi Pico
Language: CircuitPython, because it is lightweight and easy to tweak
Library: Adafruit’s HID library, which gave me all the functions I needed to act like a keyboard
I wrote scripts that send a sequence of keystrokes when the Pico is plugged in. For example, it could open a terminal, fetch a script from the internet, and run it, all in a matter of seconds. The target would barely notice anything before the commands had already executed.
It was both terrifying and fascinating to watch.
With everything in place, I was ready for the real test.
The moment I uploaded my code and plugged the Pico into my PC, I felt a kind of excitement only hackers know. The cursor blinked. Then, as if by magic, windows started opening and commands began flying across the screen.
And here is the scary part. The computer trusted the Pico immediately. No warnings, no questions. It thought it was just a regular keyboard.
That blind trust is exactly what attackers rely on.
Here’s what the process looked like:
2. Import the Adafruit HID library to handle keyboard emulation.
3. Write a script that sends keystrokes like shortcuts for opening a terminal or running a script.
4. Upload it, plug the Pico into a computer, and watch it go to work.
5. The first time I tested it, my laptop obeyed instantly. No pop-ups. No warnings. Just blind trust in the “keyboard” I had created.
You can find the script here.
Projects like this always raise a question: Should we even build them?
For me, the answer is yes. But only in controlled, ethical contexts. Tools like these belong in red team exercises, security awareness demos, and research labs, not in the hands of bad actors.
The point isn’t to cause harm. The point is to learn, to demonstrate the risks, and to help organizations understand that threats don’t always come through the network. Sometimes, they arrive in someone’s pocket.
So how do you defend against something that can be installed inside a normal looking keyboard or mouse?
USB port security: Use physical locks or restrict access to exposed ports.
Device whitelisting: Allow only approved USB devices to connect.
Awareness training: Teach people not to plug in “found” devices. Curiosity is often the attacker’s greatest ally.
Monitoring and response: Even if an attack starts with a USB device, detection and quick response can limit damage.
Defence is never perfect, but awareness is the first and most important step.
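The device whitelisting and monitoring points above, as an added example that is not from the original post or its GitHub code: a Python check over Linux kernel log lines that flags any keyboard-class USB HID interface whose vendor/product ID is not on an approved list. The allowlist, IDs, device names and log lines are constructed for illustration; vendor and product IDs are reported by the device itself, so a match is a signal for monitoring rather than proof of identity.

```python
import re

# Kernel line logged when a USB HID interface binds to a driver (bus 0003 = USB).
HID_BIND = re.compile(
    r"(?P<driver>[\w-]+) 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})"
    r"\.[0-9A-Fa-f]{4}: .*?USB HID v[\d.]+ (?P<kind>[\w-]+) "
    r"\[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# HID types that can inject keystrokes.
KEYBOARD_KINDS = {"Keyboard", "Keypad"}


def unapproved_keyboards(log_lines, approved):
    """Return keyboard-class HID interfaces whose (vid, pid) is not approved."""
    findings = []
    for line in log_lines:
        m = HID_BIND.search(line)
        if not m or m["kind"] not in KEYBOARD_KINDS:
            continue
        # The kernel prints IDs in upper-case hex; normalise before comparing.
        ident = (m["vid"].lower(), m["pid"].lower())
        if ident not in approved:
            findings.append({"vid": ident[0], "pid": ident[1],
                             "name": m["name"], "port": m["port"]})
    return findings


# Constructed sample input: IDs, names and ports are made up for this example.
APPROVED = {("1111", "0001")}  # hypothetical allowlist: the issued desk keyboard
SAMPLE_LOG = [
    "[   12.301] hid-generic 0003:1111:0001.0001: input,hidraw0: "
    "USB HID v1.10 Keyboard [Example Corp Desk Keyboard] on usb-0000:00:14.0-1/input0",
    "[ 8841.770] usb 1-2: new full-speed USB device number 9 using xhci_hcd",
    "[ 8841.912] hid-generic 0003:2222:0002.0007: input,hidraw3: "
    "USB HID v1.11 Keyboard [Example Microcontroller Board] on usb-0000:00:14.0-2/input3",
    "[ 9002.118] hid-generic 0003:3333:0003.0008: input,hidraw4: "
    "USB HID v1.11 Mouse [Example Mouse] on usb-0000:00:14.0-3/input0",
]

if __name__ == "__main__":
    for f in unapproved_keyboards(SAMPLE_LOG, APPROVED):
        print(f"ALERT unapproved keyboard {f['vid']}:{f['pid']} "
              f"[{f['name']}] on {f['port']}")
```

On a live host the same function can be fed the output of `dmesg` or `journalctl -k` line by line.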
That $4 board on my desk became more than just a microcontroller. It became a story about trust, creativity, and risk. It showed me that the smallest tools can carry out sophisticated attacks.
A HID attack isn’t some futuristic Hollywood hack. It’s real, it’s simple, and it’s happening in the wild. By experimenting with it safely, I got a front-row seat to understanding how attackers think and how defenders need to think, too.
Because in cybersecurity, the best way to defend something is to see the world from the attacker’s point of view first.
If you want to try this yourself (safely), the full code is on my GitHub. I also share breakdowns like this on my website and LinkedIn. Feel free to connect and share your builds!