Learn Computing from the Experts | The Rheinwerk Computing Blog

Security Awareness Training Scenarios, Part 3: USB Drives in Public Areas

Written by Rheinwerk Computing | May 20, 2026 12:59:59 PM

Dropping USB drives in the parking lot outside a company is almost a classic in the field of IT security awareness training.

In this way, you can test whether USB drives are picked up and connected to a company computer. However, the distributed flash drives are not ordinary ones but malicious USB devices that look like normal USB memory drives yet register as a virtual keyboard and type preprogrammed commands. This method measures how likely it is that unknown devices will be connected.

This method can be extended for training purposes: Select the people most at risk for training, namely, those who have the most customer contact. The special thing about this scenario is that these participants are trained in the dangers of other people’s devices. These people are then instructed to place flash drives unnoticed in public areas of the company—with the aim that the rest of the staff find the prepared USB drives, take them away, and connect them to a computer. This reversal of roles leads to a more intensive examination of the subject matter.

Preparations

First, you must prepare USB drives for the training. Different variants of pentest hardware are available for this purpose. The basic requirement is that the tool looks like an ordinary flash drive (i.e., it is sold housed in a case); see an example here.

The first variant is the Rubber Ducky. Thanks to the simple scripting language, it is easy to configure, which is particularly useful for beginners. Copy the created script to a microSD card, which you insert into the Rubber Ducky’s card reader. The card reader is accessible when the housing is opened. However, the Rubber Ducky is the most expensive variant, which is noticeable if a larger quantity is required.

A cheaper alternative is the MalDuino, the latest version of which is sold in a housing. It is compatible with Rubber Ducky scripts, so the same configuration can be reused, but it can also be programmed independently as an alternative. Housed like a standard flash drive, this device also has a USB-C port, as shown here.

The cheapest option is an Arduino-compatible USB drive in housing, as seen in the next figure. However, this version must be programmed separately.

Once you’ve selected a device, you must decide what action the manipulated USB drive is supposed to perform. Preconfigured commands can be saved and run automatically via the virtual keyboard as soon as the device is connected to a computer.

After the exercise, statistics should be compiled showing how often an unknown USB device was connected to a computer. This logging can either be done discreetly or, at the same moment, an awareness website on the topic can be opened in the web browser on the computer into which the person inserted the USB flash drive.

If you do not have the option of creating your own automated online statistics, you can use the online service Webhook.site, for example. With this service, you can create your own area in which all URL calls will be logged, which enables simple analysis.

When you call the www.webhook.site domain in the web browser, a separate area will automatically be created. This area is given a unique identifier that is contained in the URL. You must save this main link since it is required for the analysis. The link looks something like this:

webhook.site/#!/12345678-add1-1234-8ea0-2e882fc2d17b

The next figure shows the actual URL for the call, located in the Your unique URL section.

You can then add any parameter with a value to the URL. In this example, the parameter is stick, and the value is a consecutive numbering for each stick:

webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b?stick=1

Now, if this URL is ever called, this process will be logged, as shown below. You can use the main URL to view the logged calls.

The next step is the configuration or, more precisely, the programming of the hardware. The following code example for the Rubber Ducky and the MalDuino first calls the URL for the webhook statistic. You must adjust the number for each device so that a unique assignment can be made.

A URL is then opened in full-screen mode. For example, you can store the link to your intranet page on IT security here, or create a special page explaining why no external USB devices should be plugged in.

The call shown below tries various web browsers until it finds an option that is installed.

REM Wait until the host has finished enumerating the device before typing
DELAY 3000
REM Open the Run dialog (Windows key + R) and call the webhook URL so the connection is logged
REM Change stick=1 to the number of this particular device
GUI r
DELAY 100
STRING https://webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b?stick=1
ENTER
DELAY 500
REM Close the browser window that opened for the logging call
ALT F4
DELAY 200
REM Open the awareness page in kiosk (full-screen) mode; Edge, Firefox, and Chrome are tried in turn
GUI r
DELAY 100
STRING msedge.exe -kiosk https://www.sap-press.com
ENTER
DELAY 500
GUI r
DELAY 100
STRING firefox.exe -kiosk https://www.sap-press.com
ENTER
DELAY 500
GUI r
DELAY 100
STRING chrome.exe -kiosk https://www.sap-press.com
ENTER

Alternatively, you can use a USB drive that is Arduino-compatible. The code shown below can be compiled and uploaded directly with the Arduino IDE.

#include "Keyboard.h"

// Open the Run dialog (Windows key + R) and type a command followed by Enter
void runCommand(const char *command) {
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press('r');
  Keyboard.releaseAll();
  delay(100);
  Keyboard.println(command);
  delay(500);
}

void setup() {
  delay(3000);       // wait until the host has enumerated the device
  Keyboard.begin();  // start keyboard emulation; required before any key press.
                     // Assumes a US keyboard layout on the host; for other
                     // layouts pass the matching layout to Keyboard.begin()

  // Call the webhook URL so the connection is logged;
  // change stick=1 to the number of this particular device
  runCommand("https://webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b?stick=1");

  // Close the browser window that opened for the logging call
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press(KEY_F4);
  Keyboard.releaseAll();
  delay(200);

  // Open the awareness page in kiosk (full-screen) mode, trying each browser in turn
  runCommand("msedge.exe -kiosk https://www.sap-press.com");
  runCommand("firefox.exe -kiosk https://www.sap-press.com");
  runCommand("chrome.exe -kiosk https://www.sap-press.com");

  Keyboard.end();    // nothing else is typed
}

void loop() {}

Disguising and Deceiving

Once the USB devices have been programmed, they still must be prepared in such a way that they also make good bait. Rarely is an ordinary unlabeled flash drive picked up and plugged into a computer. However, if there is a company logo on the device or a labeled key fob, the probability that the USB drive will be connected is much greater. Do not carry out these modifications yourself; instead, have the training participants do the work, so that they engage intensively with this aspect as well.

You should obtain appropriate materials in advance that you can make available. Of course, items that already exist and are commonly used in the company are ideal, such as the following items:

  • Labels/stickers with the company logo
  • Key fobs with a ring and interchangeable label
  • Labels for inventory

You can even have promotional items printed to order (if available), such as the following:

  • Key fobs with a logo
  • Lanyards for the company
  • Promotional USB drives with the company logo (in addition to the pentest hardware)

If you do not have any materials available, you can simply have lanyards, signs, USB sticks, etc. produced by various online stores, as shown.

Online printing companies, such as VistaPrint, also offer promotional items in small quantities. You can design these products online by simply entering text, so no graphics editing knowledge is required. Alternatively, you can search for the keyword “customization” on the major online shopping platforms. Often, a large selection is available, and you may have the option of buying a single copy. The goal is to prepare your materials so that they seem familiar: Even subconsciously, people place more trust in objects with familiar logos, such as a mark from their own company.

Execution

The first step is to define the target group for the training. You should focus on all departments that have close and sustained contact with people outside the company. Examples include reception staff, mailroom staff, customer service staff, the trade fair team, and the HR department. Prepare a theoretical presentation that conveys the dangers of manipulated USB devices.

After this presentation, meet with the participants for the practical part. The first task they are given is to prepare the USB devices mentioned earlier so that they look like company property, as shown in the figure below.

Participants can use the materials you provide, but you should also encourage them to develop their own ideas. For example, participants can create a collection of photos of “ordinary” flash drives that they have used themselves. For the deception to work, the USB device must look as though it belongs to the company but must not be attributable to a specific department. Otherwise, the person who finds it later might take it directly to that department, whose staff would then recognize that the device is not theirs.

Participants are then given the task of coming up with a strategy for distributing the prepared USB drives, such as determining the best times/places to hide devices. To ensure that the distribution process isn’t noticed, it must take place when as few other people as possible are present. Suitable locations include areas that are used by as many people as possible, such as the parking lot in front of the building or the entrance area inside. On the other hand, places where people spend more time and perhaps also put something down are also suitable. Think lunchrooms, break rooms, meeting rooms, restrooms, and the printer room. You can also consider whether there is a place where a USB device could be forgotten, like near printers and computers in meeting rooms.

Let participants place the lures and start the action. All of you can follow live in a meeting room with a projector when exactly each device is connected. As soon as a person connects the USB drive to a computer, the web browser is automatically started and calls up the stored website. The user then receives a corresponding message explaining what just happened and how they should deal with the situation. The calls are logged at a central location to determine when a flash drive was inserted. You can later use these statistics to estimate the period in which an attack would have been successful.
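The following Python script is an added example, not code from the book or the blog; it compiles the statistics described above (per stick: how many calls the webhook received and how long after the drop the first connection happened). It assumes the webhook.site request list has been exported as lines of "ISO timestamp<TAB>called URL" and that the drop time is known; the log rows below are constructed sample data.

```python
"""Compile USB drop statistics from webhook.site calls.
Added example (not from the book or the blog). Input format is an
assumption: one logged call per line, "ISO timestamp<TAB>called URL",
as you would get from a manual export of the webhook.site request list.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample log (not real data); sticks 2 and 4 were never connected,
# and one call without ?stick= (e.g. the trainer testing the link) is ignored.
SAMPLE_LOG = """\
2026-05-20T08:02:11\thttps://webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b?stick=3
2026-05-20T08:15:40\thttps://webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b?stick=1
2026-05-20T08:16:02\thttps://webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b?stick=1
2026-05-20T09:30:00\thttps://webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b
2026-05-20T11:47:19\thttps://webhook.site/12345678-add1-1234-8ea0-2e882fc2d17b?stick=3
"""

# Assumed time at which the participants finished placing the drives.
DROP_TIME = datetime(2026, 5, 20, 7, 45)

def parse_log(text):
    """Return {stick_number: [datetime, ...]} for every call carrying ?stick=N."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, url = line.split("\t", 1)
        query = parse_qs(urlparse(url).query)
        if "stick" not in query:
            continue  # not from a prepared drive; leave it out of the statistics
        hits[int(query["stick"][0])].append(datetime.fromisoformat(timestamp))
    return dict(hits)

def summarise(hits, drop_time, sticks_placed):
    """Per placed stick: number of calls and minutes from drop to first connection."""
    report = {}
    for stick in range(1, sticks_placed + 1):
        times = sorted(hits.get(stick, []))
        first = round((times[0] - drop_time).total_seconds() / 60) if times else None
        report[stick] = {"calls": len(times), "minutes_to_first": first}
    return report

if __name__ == "__main__":
    for stick, row in summarise(parse_log(SAMPLE_LOG), DROP_TIME, 4).items():
        print(f"stick {stick}: {row['calls']} call(s), first after {row['minutes_to_first']} min")
```

A stick with several calls in quick succession (stick 1 above) usually means one plug-in that triggered more than one browser, so the first-connection time is the more reliable figure.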

An important thing in this context is that the aim is not to test individuals but instead to highlight the potential dangers, obtain an overview of the overall situation, and raise awareness among participants. You can then, for example, record authentic experience reports for use in later training courses.

By actively involving your participants, they have dealt with the topic in depth and are now familiar with the dangers of malicious USB devices. At the same time, word of the topic should have spread throughout the company as a result of these tests, so a good idea is to follow up with company-wide training, even if short.

Conclusion

This training scenario works because it flips the script. Instead of lecturing employees about USB threats, you're putting them in the role of the attacker—planning the drop locations, disguising the devices, and watching the results unfold in real time. That firsthand involvement creates a level of awareness no slide deck can match. By the end of the exercise, participants won't just understand the risk; they'll have seen it play out. And when word spreads through the office about what happened, you've laid the groundwork for a broader conversation about physical security threats. Follow up with company-wide training while the topic is still fresh, and you'll have turned a simple USB drop into a lasting culture shift around device security.

Editor’s note: This post has been adapted from a section of the book Hacking Hardware: The Practical Guide to Penetration Testing by Tobias Scheible. Tobias taught and conducted research in the field of IT security at Albstadt-Sigmaringen University for more than eleven years.

This post was originally published 5/2026.