Are all USB-based attacks dependent on being able to inject keystrokes?
There were also attacks based on the autoplay-feature (other source), although I think this is a bit outdated with newer OS like Windows 10. There are also USB-Killers which operate on a hardware-level and kill your machine through sending high current shocks.
Here's a list of other attacks that might fall in the same category, including but not limited to:
- An attack that actually emulates a USB ethernet adapter, which then injects malicious DNS servers into DHCP communications, potentially changing the computer's default DNS servers to use these malicious ones; sites of interest (email, banking, ecommerce, etc) can then be mimicked remotely, and the victim redirected to the mimic sites via the malicious DNS server.
- Attacks that use a small hidden partition on a mass storage device to boot and install a rootkit, while otherwise behaving like a normal mass storage device
- Various attacks intended for data exfiltration on a secured device (generally only relevant to secure air-gapped computers that the attacker can get physical access to, such as a contractor with access to secure systems)
Besides all previous good answers, there's another one that nobody mentioned: USB-based Ethernet devices. Like the excelent PoisonTap.
One can make the device register as a Ethernet device, and change the default route for the IP of the device. This way, every cleartext request and every DNS request will be sent to it, and a request for important domains (think on commonly used CDN's, like Cloudflare, Akamai, and the likes) can be poisoned.
If an HTTP request is made and the domain resolution was poisoned, the attacker can serve a malicious
jquery.js file, for example, put a very long expiration header on the answer, and have a backdoored jquery running on every site that links to that script, for a long time after he removed the malicious device.
Other than this, the attacker can set another host on the same network and change the default gateway too. This way, the attacker is in position to perform MitM againt the host without resorting to ARP poisoning - noisy and can be caught pretty fast by the new firewalls. Being the gateway means any non-encrypted protocol can be attacker, recorded, edited, and any secrets captured.
Keystroke-injecting is a good attack, but the machine must be unlocked. Network changing attacks will work even if the machine is locked, it only needs one process to try to resolve a domain and the result can be cached.
No, there are others.
USB Killer, for example, is a device that aims to damage your hardware by applying a high voltage to the data lines.
An attacker could use such a device to bait employees to involuntarily damage company hardware, resulting in a loss of availability and monetary damages.