The USB Rubber Ducky is back with a vengeance.
The much-loved hacking tool created byDarren Kitchen, was released to coincide with this years Def Con hacking conference. It was found that the latest editionhas a new features and is more dangerous than ever.
What Is It?
To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive.
However, when plugged into a computer, the machine sees it as a USB keyboard, meaning it accepts keystroke commands from the device just as if a person was typing them in.
Darren Kitchen stated, “Everything it types is trusted to the same degree as the user is trusted, so it takes advantage of the trust model built in, where computers have been taught to trust a human. A computer knows that a human typically communicates with it through clicking and typing.”
The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers.
There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.
What Can It Do?
With the right approach, the possibilities are almost endless.
Previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user’s login credentials or causing Chrome to send all saved passwords to an attacker’s webserver.
However, these attacks had to be carefully crafted for specific operating systems and software versions, and lacked the flexibility to work across platforms.
The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine.
While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this… then that).
That means, for example, the new Ducky can run a test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target.
It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.
Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up.
With this method, an attacker could plug it in for a few seconds, tell someone, “Sorry, I guess that USB drive is broken,” and take it back with all their victims passwords saved.
How Much Of A Threat Is This?
In short, it could be a big one, but the need for physical device access means most people aren’t at risk of being a target.
According to Kitchen, the new Rubber Ducky was his company’s most in-demand product at Def Con, and the 500 or so units that Hak5 brought to the conference sold out on the first day.
Safe to say, many hundreds of hackers have one already, and demand will likely continue for a while.
It also comes with an online development suite, which can be used to write and compile attack payloads, then load them onto the device.
It’s also easy for users of the product to connect with a broader community: a “payload hub” section of the site makes it easy for hackers to share what they’ve created. The Hak5 Discord is also active with conversation and helpful tips.
Rubber Ducky is priced at $59.99 per unit, it’s too expensive for most people to distribute in bulk, so it’s unlikely that someone will leave a handful of them scattered in your favorite cafe unless it’s known to be a hangout place for sensitive targets.
That said, if you’re planning to plug in a USB device that you found lying out in a public place, think twice about it…
Could You Use It?
The device is fairly simple to use, but if you don’t have any experience in writing or debugging code, there are a few things that could trip you up.
For example, in testing on a Mac, and the Ducky won’t enter the F4 key to open the launchpad, you’ll have to fix that by making it identify itself with a different Apple keyboard device ID.
From that point, you should be able to write a script so that, when plugged in, the Ducky would automatically launch Chrome, open a new browser window, navigate to the homepage, then quickly close it again, all without input from the laptop user.