Adam Savage Explains Malicious USB Device Attacks

By Tyler Hoekstra, technology reporter covering AI, software, hardware, and the companies shaping the digital future. 4 min read. Updated April 1, 2026.

Key Takeaways

  • Adam Savage refuses to plug unknown USB devices into any computer, and in 'Why Adam Savage Won't Trust USB Keys' on Adam Savage's Tested, he explains exactly why that rule exists.
  • Fans regularly hand him drives containing their work, but security experts on the episode demonstrate that a device no larger than a thumb drive can run a full Linux operating system, impersonate a keyboard, and silently exfiltrate files to cloud storage before you've had time to wonder what it's doing.
  • The video walks through malicious USB device attacks ranging from basic keystroke logging to PowerShell-automated data theft, and lands on Zero Trust security as the only architecture that meaningfully limits the damage when a human inevitably makes a mistake.

The Thumb Drive That Thinks It's a Keyboard

Here is the part that should genuinely bother you. Your computer does not see a USB device as a storage stick or a cable. It sees whatever that device tells it to be. A malicious USB device built on hardware like the USB Rubber Ducky can announce itself to your operating system as a keyboard, and the moment it does that, every USB-blocking policy your IT department wrote becomes irrelevant. Keyboards are trusted by default. They have to be. So the device starts typing, invisibly, at machine speed, and your computer executes every command without a second thought. The human at the desk never touches a key.
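
To make the keyboard point concrete, here is an added example (not code from the video or from Tested) that reads the interface classes a device declares in its USB configuration descriptor and runs them through two host-side policies. The descriptor bytes, the vendor/product IDs and both policy functions are constructed for illustration.

```python
# Added illustration, not code from the video: read the interface classes a USB
# device declares about itself and compare two host-side policies.
HID, MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes
DT_INTERFACE = 0x04              # descriptor type: interface

def interface_classes(config: bytes):
    """Return (class, subclass, protocol) for each interface descriptor."""
    found, i = [], 0
    while i + 2 <= len(config):
        length, dtype = config[i], config[i + 1]
        if length < 2 or i + length > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {i}")
            found.append(tuple(config[i + 5:i + 8]))
        i += length
    return found

def storage_only_policy(config: bytes) -> str:
    """Typical 'block USB drives' rule: it only looks for mass storage."""
    classes = [c for c, _, _ in interface_classes(config)]
    return "block" if MASS_STORAGE in classes else "allow"

def input_aware_policy(config: bytes, vid_pid, approved_input) -> str:
    """Hypothetical stricter rule: unknown input devices wait for approval."""
    classes = [c for c, _, _ in interface_classes(config)]
    if MASS_STORAGE in classes:
        return "block"
    # Any HID interface can carry keystrokes, not only boot keyboards (3, 1, 1).
    # VID/PID are device-reported too, so the hold-for-approval step is what matters.
    if HID in classes and vid_pid not in approved_input:
        return "hold"
    return "allow"

# Constructed sample descriptors (not captured from real hardware).
FLASH_DRIVE = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32  09 04 00 00 02 08 06 50 00 "
    "07 05 81 02 00 02 00  07 05 02 02 00 02 00")
KEYBOARD_CLAIM = bytes.fromhex(
    "09 02 22 00 01 01 00 a0 32  09 04 00 00 01 03 01 01 00 "
    "09 21 11 01 00 01 22 3f 00  07 05 81 03 08 00 0a")
APPROVED_INPUT = {(0x1111, 0x2222)}  # placeholder IDs for the desk keyboard

if __name__ == "__main__":
    for name, cfg in (("flash drive", FLASH_DRIVE), ("keyboard claim", KEYBOARD_CLAIM)):
        print(name, interface_classes(cfg), storage_only_policy(cfg),
              input_aware_policy(cfg, (0x3333, 0x4444), APPROVED_INPUT))
```

The storage-only rule blocks the flash drive and allows the device that claims to be a keyboard, which is the gap the paragraph above describes.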

More Processing Power Than the Moon Landing, Sitting in Your Parking Lot

The experts on 'Why Adam Savage Won't Trust USB Keys' on Adam Savage's Tested make a point that reframes the whole problem: the computing power inside a modern USB key dwarfs what guided Apollo to the lunar surface. That is not a metaphor about progress. It is a direct statement about threat surface. A device small enough to lose in a couch cushion can run a full Linux operating system, maintain persistent scripts, and phone home to an attacker continuously. The implication is that any intuition you have about how dangerous a small device can be is almost certainly wrong.

Keystroke Logging Is the Entry-Level Version and That Should Tell You Something

Before we get to the sophisticated attacks, there is a simpler one worth understanding. A basic malicious USB device can log every keystroke on the machine it is connected to, capturing passwords and sensitive inputs in real time. The attacker needs physical access twice: once to install it, once to retrieve it. That is the floor. The ceiling, as the Tested episode demonstrates, is a device that installs a persistent script taking continuous screenshots and uploading them to a cloud service without triggering security software. The entry-level attack already captures your banking password. The advanced version watches everything you do, indefinitely. Supply chain attacks follow a similar escalation logic, as we covered in our breakdown of the

Our Analysis: The scariest part of this video isn't the hacking. It's how mundane the entry point is. A USB key someone finds in a parking lot. A charging cable a stranger offers at an airport. The attack surface isn't your firewall, it's your politeness.

Savage gets the behavior right but undersells how few people will actually change. Knowing something is dangerous and treating it as dangerous are very different habits. Most people won't rewire their instincts over a YouTube video.

The AirPods exploit mention deserved more airtime. Bluetooth is the new USB and almost nobody is thinking about it that way yet.

There is also a structural problem the video gestures at without fully confronting: Zero Trust security is an institutional solution, but the majority of people encountering these attacks are individuals with no IT department backing them up. A small business owner, a freelancer, a creator like Savage himself fielding drives from fans — none of them have the infrastructure to implement Zero Trust in any meaningful way. The advice is correct for enterprises. For everyone else, it lands like telling someone to build a moat around their apartment. What that population actually needs is simpler, more portable guidance: never plug in hardware you didn't buy, treat found devices as you would treat found food, and assume that anything offered to you unsolicited is optimized for the giver's benefit, not yours.

It is also worth noting that the threat model here is not theoretical. USB-based attacks have been documented in industrial sabotage, corporate espionage, and targeted harassment campaigns. The Stuxnet worm, which damaged Iranian nuclear centrifuges, is believed to have entered its target network via infected USB drives. That is the extreme end of the spectrum, but it illustrates that the architecture of the attack is identical whether the goal is stealing a password or disrupting a nation-state's infrastructure. The device doesn't know the difference. Neither does your operating system.

The most honest takeaway from the Tested episode is that physical security and digital security are the same problem, and most people have been trained to think of them separately. That mental partition is the real vulnerability.

Source: Based on a video by Adam Savage's Tested

This article was created by NoTime2Watch's editorial team using AI-assisted research. All content includes substantial original analysis and is reviewed for accuracy before publication.