LOTHardware LOTHardware / Teensy

The Teensy is a family of compact USB development boards from PJRC, built around AVR, Kinetis, and i.MX RT microcontrollers. Although designed for legitimate embedded projects, its native USB stack lets it enumerate as a Human Interface Device, which makes it a long-standing platform for BadUSB keystroke-injection attacks. A Teensy ships with the HalfKay bootloader, and the firmware can be configured to present many different USB personalities (keyboard, mouse, joystick, serial, RawHID, and combinations of these), each with its own ProductID. Because the identifiers come from the firmware they are software-assigned and can be changed by the operator.

Teensy

Description

The Teensy is a family of compact USB development boards from PJRC, built around AVR, Kinetis, and i.MX RT microcontrollers. Although designed for legitimate embedded projects, its native USB stack lets it enumerate as a Human Interface Device, which makes it a long-standing platform for BadUSB keystroke-injection attacks. A Teensy ships with the HalfKay bootloader, and the firmware can be configured to present many different USB personalities (keyboard, mouse, joystick, serial, RawHID, and combinations of these), each with its own ProductID. Because the identifiers come from the firmware they are software-assigned and can be changed by the operator.

Limitations

The identifiers below are firmware defaults from the PJRC cores and can be spoofed, so treat them as indicators rather than proof. There is an important bootloader-versus-runtime distinction here: VID_16C0&PID_0478 is the HalfKay programming bootloader, not the identity seen during an actual attack. Its appearance means a Teensy was just programmed on the host, which is itself a useful indicator, but the runtime keystroke-injection device enumerates under a different PID, most commonly VID_16C0&PID_0482 (Keyboard+Mouse+Joystick), VID_16C0&PID_04D0 (keyboard-only), or VID_16C0&PID_0486 (RawHID). Detection that only watches the 0478 bootloader will miss the injection phase entirely.

Device Instance Path

USB Universal HalfKay (bootloader, programming mode):

USB\VID_16C0&PID_0478

USB_HID Mode (runtime Keyboard+Mouse+Joystick):

USB\VID_16C0&PID_0482

USB_KEYBOARDONLY Mode (runtime keyboard-only):

USB\VID_16C0&PID_04D0

USB_RAWHID Mode (runtime RawHID):

USB\VID_16C0&PID_0486

VendorID

16C0

Van Ooijen Technische Informatica (PJRC’s shared pool).

ProductID

0478

HalfKay bootloader (programming mode).

0482

Runtime HID (Keyboard+Mouse+Joystick).

Class

HID / Composite

Author

@enesilhaydin

Sigma Rules

title: Teensy USB Device Connected
id: bc925534-9939-46e4-84d7-0423760c604c
status: experimental
description: Detects a Teensy by its default USB VID/PID. These identifiers can be spoofed, so treat this as an indicator.
references:
    - https://lothardware.com.tr/teensy/
author: '@enesilhaydin'
date: 2026/06/22
logsource:
    product: windows
    service: security
detection:
    selection_bootloader:
        EventID: 6416
        DeviceId|contains: 'VID_16C0&PID_0478'
    selection_runtime:
        EventID: 6416
        DeviceId|contains: 'VID_16C0&PID_0482'
    condition: selection_bootloader or selection_runtime
falsepositives:
    - Unrelated hardware sharing the same controller VID/PID
level: medium
tags:
    - attack.initial_access
    - attack.t1200

Requires Windows Audit PNP Activity (Security Event 6416).

1- https://www.pjrc.com/teensy/
2- https://github.com/PaulStoffregen/cores/pull/582/commits/ea2a70eaed6b78782cd4d5d504cd0ecc79ab46f2