The new USB Rubber Ducky is more dangerous than ever
August 16, 2022
The USB Rubber Ducky is back with a vengeance.
The beloved hacking tool has a new incarnation, released to coincide with this year’s Def Con hacking conference, and creator Darren Kitchen was on hand to explain it to The edge. We tested some of the new features and found that the latest edition is more dangerous than ever.
What is it?
To the human eye, the USB Rubber Ducky looks like an inconspicuous USB stick. However, plug it into a computer and the machine sees it as a USB keyboard — meaning it accepts keystroke commands from the device as if someone were typing them in.
“Anything it types is trusted to the same degree as the user,” Kitchen told me, “so it uses the built-in trust model, where computers are taught to trust a human. And a computer knows that a human is typically communicating with it. by clicking and typing.”
The original Rubber Ducky was released more than 10 years ago and became a favorite among hackers (it was even featured in a Mr Robot scene). There have been a number of incremental updates since then, but the latest Rubber Ducky takes a leap forward with a range of new features that make it much more flexible and powerful than before.
What can it do?
With the right approach, the possibilities are almost endless.
Earlier versions of the Rubber Ducky could perform attacks, such as creating a fake Windows pop-up window to collect a user’s credentials or causing Chrome to send all saved passwords to an attacker’s web server. But these attacks had to be carefully designed for specific operating systems and software versions and lacked the flexibility to work across platforms.
The latest Rubber Ducky aims to overcome these limitations. It comes with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing sequences of keystrokes, DuckyScript 3.0 is a feature-rich language, allowing users to write functions, store variables, and use logical flow controls (ie if this…then that).
That means, for example, that the new Ducky can run a test to see if it’s connected to a Windows or Mac machine and conditionally run code suitable for any machine, or disable itself if it’s plugged into the wrong target. . It can also generate pseudo-random numbers and use them to add variable delay between keystrokes for a more human effect.
Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and sending it over the signals intended to tell a keyboard when to light the CapsLock or NumLock LEDs. This method allows an attacker to plug it in for a few seconds, tell someone “Sorry, I think the USB drive is broken”, and take it back with all their passwords saved.
How much threat is it?
In short, it can be a big one, but the need for physical access to devices means most people are not at risk of being targeted.
According to Kitchen, the new Rubber Ducky was his company’s most requested product at Def Con, and the 500 or so units Hak5 brought to the conference sold out on the first day. It’s safe to say that many hundreds of hackers already have one, and the demand is likely to continue for a while.
It also comes with an online development suite, which can be used to write and compile attack payloads and then load them onto the device. And it’s easy for users of the product to connect with a wider community: a “payload hub” section of the site makes it easy for hackers to share what they’ve created, and the Hak5 Discord is also active with conversations and helpful tips.
Priced at $59.99 per unit, it’s too expensive for most people to distribute in bulk – so it’s unlikely anyone would leave a handful of them scattered around your favorite cafe unless it’s known to be a meeting place for sensitive targets. That said, if you’re planning to plug in a USB device you found in a public place, think twice…
Could I use it myself?
The device is quite easy to use, but if you’re not experienced in writing or debugging code, there are a few things that might trip you up. When testing on a Mac, I couldn’t get the Ducky to hit the F4 key to open the launch pad for a while, but I fixed it after letting it identify with a different Apple keyboard device ID.
From that point on, I was able to write a script so that when the Ducky was plugged in, it would automatically launch Chrome, open a new browser window, go to The edge‘s homepage and then quickly close it again – all without input from the laptop user. Not bad for just a few hours of testing and something that can easily be modified to do something worse than flipping through technology news.