USB Rubber Ducky is back with a vengeance.
The much-loved hacking tool has a new incarnation, released to coincide with the Def Con hacking conference this year, and creator Darren Kitchen was on hand to explain it to The Verge. We tested some of the new features and found that the latest release is more dangerous than ever.
What is this?
To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, however, and the machine sees it as a USB keyboard, meaning it accepts keystroke commands from the device as if a person were typing them.
Kitchen told me, “Everything it writes is trusted as much as the user trusts it, so it’s using the same built-in trust model that computers are taught to trust humans. And the computer knows that humans usually communicate with it by clicking and typing.”
The original Rubber Ducky was released over 10 years ago and has become a fan favorite among hackers (it was even demonstrated in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky takes a leap forward with a host of new features that make it more flexible and powerful than ever before.
What can it do?
With the right approach, the possibilities are almost endless.
Even earlier versions of the Rubber Ducky could perform attacks such as creating a fake Windows pop-up box to collect user login credentials or causing Chrome to send all saved passwords to the attacker's web server. But these attacks had to be carefully designed for specific operating systems and software versions, and lacked the flexibility to work across platforms.
The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to DuckyScript, the programming language used to create the commands that the Rubber Ducky will enter on the target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language that allows users to write functions, store variables, and use logical flow controls (i.e., if this… then this).
This means that, for example, the new Ducky can run a test to see if it's connected to a Windows or Mac machine and conditionally execute code corresponding to each, or turn itself off if it's connected to the wrong target. It can also generate pseudo-random numbers and use them to add a variable delay between keystrokes for a more human effect.
Perhaps most effectively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals intended to tell the keyboard when the CapsLock or NumLock LEDs should light up. This way, an attacker can connect it for a few seconds, tell someone "Sorry, I guess the USB drive is broken" and take it back with all their passwords saved.
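From the defender's side, the lock-LED channel described above suggests a simple heuristic: a person rarely changes Caps Lock or Num Lock more than a few times in a row, so a dense run of lock-LED changes, especially right after a keyboard enumerates, deserves a look. The sketch below is an added example, not code from the article or from Hak5; the event format, the device name and the thresholds are assumptions, and the sample events are constructed.

```python
"""Flag runs of keyboard lock-LED changes that are too dense for a person."""

LOCK_LEDS = {"CAPS", "NUM", "SCROLL"}

def find_led_bursts(events, max_gap=0.25, min_toggles=16, attach_window=30.0):
    """Return one finding per dense run of lock-LED changes.

    events: iterable of (seconds, kind, detail). kind is "kbd_attach"
    (detail = device name) or "led" (detail = LED name). This format and
    the default thresholds are assumptions made for the example.
    """
    findings, run, last_attach = [], [], None

    def close_run():
        # Report the run only if it is long enough to look machine-driven.
        if len(run) >= min_toggles:
            recent = (last_attach is not None
                      and 0 <= run[0] - last_attach[0] <= attach_window)
            findings.append({
                "start": run[0], "end": run[-1], "toggles": len(run),
                # Name the keyboard only if it appeared shortly before the run.
                "new_keyboard": last_attach[1] if recent else None,
            })
        run.clear()

    for t, kind, detail in sorted(events):
        if kind == "kbd_attach":
            close_run()
            last_attach = (t, detail)
        elif kind == "led" and detail in LOCK_LEDS:
            if run and t - run[-1] > max_gap:
                close_run()          # gap too long: previous run has ended
            run.append(t)
    close_run()
    return findings

# Constructed sample: a user taps Caps Lock twice, then a keyboard
# enumerates and 32 lock-LED changes follow at 20 ms spacing.
SAMPLE = [(5.0, "led", "CAPS"), (9.5, "led", "CAPS"),
          (60.0, "kbd_attach", "usb-kbd-constructed")]
SAMPLE += [(61.0 + i * 0.02, "led", ("CAPS", "NUM")[i % 2]) for i in range(32)]

if __name__ == "__main__":
    for finding in find_led_bursts(SAMPLE):
        print(finding)
```

The two manual Caps Lock presses in the sample are ignored; only the dense run after the keyboard attaches is reported.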
How dangerous is this?
In short, the danger can be big, but the need for physical access to a device means most people aren't at risk of being targeted.
According to Kitchen, the new Rubber Ducky was his company's most requested product at Def Con, and the nearly 500 units Hak5 brought to the conference sold out on the first day. It's safe to say hundreds of hackers already have one, and demand will continue for some time.
It also comes with an online development kit, which can be used to write and compile attack payloads and then load them onto a device. It is easy for users of the product to connect with the wider community: a payload hub section of the site makes it easy for hackers to share their creations, and the Hak5 Discord is also active with chat and helpful tips.
At $59.99 per unit, it's too expensive for most people to distribute in bulk, so it's unlikely that someone will leave a handful of them scattered around your favorite cafe unless it's known to be a meeting place for sensitive targets. Still, if you're planning to plug in a USB device you find lying around in public, think twice…
Can I use it myself?
The device is fairly simple to use, but if you don't have experience writing or debugging code, there are a few things that can get you in trouble. When testing on a Mac, I couldn't get the Ducky to launch the F4 key for a while, but I fixed that after identifying it with a different Apple keyboard device ID.
Since then I have been able to write a script so that, when connected, the Ducky will automatically launch Chrome, open a new browser window, navigate to The Verge home page, and then quickly close it again, all without any input from the laptop user. Not bad for just a few hours of testing, and something that could easily be tweaked to do something more obnoxious than watching tech news.