The new USB Rubber Ducky is more treacherous than ever

The USB Rubber Ducky looks like a nondescript USB flash drive to the human eye. Plug it into a computer, though, and the machine sees it as a USB keyboard, which means it accepts keystroke commands from the device just as if a person were typing them in.

The much-loved hacking tool has a new incarnation, released to coincide with the Def Con hacking conference this year, and inventor Darren Kitchen was on hand to explain it.

Unfortunately, some of the latest edition’s new features make it more dangerous than ever. For example, the hacker tool can now pwn you with its own programming language.

“Everything it types is authorized to the same degree as the user is trusted,” Kitchen told me, “so it benefits the trust model built in, where computers have been taught to trust a human. And a computer knows that a human typically communicates with it through clicking and typing.”

The original Rubber Ducky was released over ten years ago and became a fan favorite among hackers. There have been several incremental updates since then, but the newest Rubber Ducky leaps forward with unique features that make it far more flexible and powerful than before.

Previous versions of the Rubber Ducky could already carry out attacks like creating a fake Windows pop-up box to harvest a user’s login credentials or causing Chrome to send all saved passwords to an attacker’s webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms.

The newest Rubber Ducky aims to overcome these limitations. It ships with a significant upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls.

For example, the new Ducky can test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add a variable delay between keystrokes for a more human effect.
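From the defender's side, injected typing still stands out by its speed, whether the spacing is fixed or randomised. The following is an added example, not code from the article or from Hak5: it scans key-down timestamps for runs of keystrokes faster than a person types. The function names, the thresholds and the sample timeline are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

HUMAN_FLOOR_MS = 30  # assumption: sustained gaps shorter than this are not hand typing
MIN_RUN = 8          # assumption: consecutive fast keystrokes required before flagging

def find_injection_bursts(timestamps_ms, floor_ms=HUMAN_FLOOR_MS, min_run=MIN_RUN):
    """Return (first_idx, last_idx, mean_gap_ms, stdev_gap_ms) for every run of
    at least min_run keystrokes whose inter-key gaps are all below floor_ms."""
    bursts, run_start, n = [], 0, len(timestamps_ms)
    for i in range(1, n + 1):
        fast = i < n and timestamps_ms[i] - timestamps_ms[i - 1] < floor_ms
        if fast:
            continue
        if i - run_start >= min_run:  # run covers indices run_start .. i-1
            run = timestamps_ms[run_start:i]
            gaps = [b - a for a, b in zip(run, run[1:])]
            bursts.append((run_start, i - 1,
                           round(mean(gaps), 1), round(pstdev(gaps), 1)))
        run_start = i
    return bursts

def sample_timeline():
    """Constructed key-down timestamps in milliseconds (not captured data)."""
    human = [0, 180, 410, 560, 790]                    # hand typing
    fixed = [2000 + 5 * k for k in range(10)]          # fixed 5 ms spacing
    pause = [3000, 3210]                               # hand typing again
    jitter_gaps = [12, 24, 9, 18, 27, 11, 21, 15, 25]  # varied spacing
    jittered = [5000]
    for gap in jitter_gaps:
        jittered.append(jittered[-1] + gap)
    return human + fixed + pause + jittered

if __name__ == "__main__":
    for first, last, avg, sd in find_injection_bursts(sample_timeline()):
        print(f"keys {first}-{last}: mean gap {avg} ms, stdev {sd} ms")
```

Both bursts in the sample are flagged even though only the first has zero spread, because the check keys on sustained speed rather than on uniform spacing.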

Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, “Sorry, I guess that USB drive is broken,” and take it back with all their passwords saved.
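Lock-key state normally changes a handful of times per session, so a channel built on it shows up as an abnormal toggle rate. The following is an added example, not code from the article or from Hak5: a sliding-window check over lock-state change events. The event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import deque

LOCK_KEYS = {"CAPS", "NUM", "SCROLL"}
WINDOW_MS = 1000   # assumption: sliding window length
MAX_TOGGLES = 6    # assumption: most lock-state changes a person causes per window

def lock_toggle_alerts(events, window_ms=WINDOW_MS, max_toggles=MAX_TOGGLES):
    """events: time-ordered (timestamp_ms, key) lock-state changes.
    Returns (start_ms, end_ms, toggles) for each span in which more than
    max_toggles changes fell inside one window; overlapping spans are merged."""
    times = [ts for ts, key in events if key in LOCK_KEYS]
    window, spans = deque(), []
    for ts in times:
        window.append(ts)
        # Drop changes that have aged out of the window ending at ts.
        while window[0] <= ts - window_ms:
            window.popleft()
        if len(window) > max_toggles:
            if spans and window[0] <= spans[-1][1]:
                spans[-1][1] = ts          # extend the current alert span
            else:
                spans.append([window[0], ts])
    # Count every lock-state change that falls inside each merged span.
    return [(s, e, sum(s <= t <= e for t in times)) for s, e in spans]

def sample_events():
    """Constructed telemetry (not captured data)."""
    manual = [(1000, "CAPS"), (1400, "CAPS"), (30000, "NUM")]  # a person
    burst = [(60000 + 10 * k, "CAPS" if k % 2 else "NUM") for k in range(64)]
    return manual + burst

if __name__ == "__main__":
    for start, end, toggles in lock_toggle_alerts(sample_events()):
        print(f"{toggles} lock-state changes between {start} ms and {end} ms")
```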

The threat could be significant, but the need for physical device access means most people aren’t at risk of being targets.

According to Kitchen, the new Rubber Ducky was his company’s most in-demand product at Def Con, and the 500 or so units that Hak5 brought to the conference sold out on the first day. Many hundreds of hackers already have one, and demand will likely continue for a while.

It also comes with an online development suite, which can be used to write and compile attack payloads, then load them onto the device. And it’s easy for users of the product to connect with a broader community: a “payload hub” section of the site makes it easy for hackers to share what they’ve created, and the Hak5 Discord is also active with conversation and helpful tips.

At $59.99 per unit, it’s too expensive for most people to distribute in bulk, so it’s unlikely that someone will leave a handful of them scattered in your favorite cafe unless it’s known to be a hangout for sensitive targets. Still, if you’re planning to plug in a USB device you found lying out in a public place, think twice about it…

With a few well-crafted keystrokes, anything is possible. If only you had a few minutes, photographic memory, and excellent typing accuracy.

The USB Rubber Ducky injects keystrokes at superhuman speeds, violating computers’ inherent trust in humans by posing as a keyboard. Inventing keystroke injection in 2010, the USB Rubber Ducky became the must-have pen test tool. With a covert design and simple “Ducky Script” language, this bad USB infiltrates systems and imaginations worldwide.

Rubber Ducky is a keystroke injection tool developed by Hak5, based on an Atmel 32-bit chip and an SD card. With the help of the device, which looks like a USB stick, automated keyboard entries can be carried out on a computer. The device pretends to be a USB keyboard. The keyboard entries to be executed are written in Ducky Script, a scripting language specially developed for the Rubber Ducky, and stored on a memory card. The previously defined inputs are executed as soon as the Rubber Ducky is connected to a computer.

Hak5 founder Darren Kitchen developed the prototype of what later became the Rubber Ducky. As an IT administrator, he was tired of typing the same commands repeatedly to fix printers and network shares. That is how the idea for the device came about. He programmed a circuit board that emulates typing on a keyboard, and the keystroke injection attack was born. Since 2010, the tool has been helping pen testers and IT administrators worldwide. Ducky gained notoriety primarily through its use in the Amazon Prime hacker series Mr. Robot.

Ducky Script is the scripting language used to configure and execute the commands. Developed specially for the Rubber Ducky, it is easy to read and learn. A Ducky Script can be created in any text editor, for example, the Windows Text Editor or Notepad++. To get the finished script onto the Ducky, it must be converted into a .bin file and stored on the Rubber Ducky’s microSD card.

A simple code snippet in the Ducky Script scripting language:

    REM The following three lines execute a command
    GUI r
    STRING cmd
    ENTER

The first line of the script is a comment that is not executed. The script then simulates pressing the Windows + R keys, entering the character string cmd, and confirming the entry with the Enter key. This opens the Windows operating system shell.