The USB Rubber Ducky is back with a vengeance.
The much-loved hacking tool has a new incarnation, released to coincide with the Def Con hacking conference this year, and creator Darren Kitchen was on hand to explain it to The Verge. We tested out some of the new features and found that the latest edition is more dangerous than ever.
What is it?
To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard — which means it accepts keystroke commands from the device just as if a person was typing them in.
“Everything it types is trusted to the same degree as the user is trusted,” Kitchen told me, “so it takes advantage of the trust model built in, where computers have been taught to trust a human. And a computer knows that a human typically communicates with it through clicking and typing.”
The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.
What can it do?
With the right approach, the possibilities are almost endless.
Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user’s login credentials or causing Chrome to send all saved passwords to an attacker’s webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms.
The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that).
That means, for example, the new Ducky can run a test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.
Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, “Sorry, I guess that USB drive is broken,” and take it back with all their passwords saved.
How much of a threat is it?
In short, it could be a big one, but the need for physical device access means most people aren’t at risk of being a target.
According to Kitchen, the new Rubber Ducky was his company’s most in-demand product at Def Con, and the 500 or so units that Hak5 brought to the conference sold out on the first day. Safe to say, many hundreds of hackers have one already, and demand will likely continue for a while.
It also comes with an online development suite, which can be used to write and compile attack payloads, then load them onto the device. And it’s easy for users of the product to connect with a broader community: a “payload hub” section of the site makes it easy for hackers to share what they’ve created, and the Hak5 Discord is also active with conversation and helpful tips.
At a price of $59.99 per unit, it’s too expensive for most people to distribute in bulk — so it’s unlikely that someone will leave a handful of them scattered in your favorite cafe unless it’s known to be a hangout place for sensitive targets. That said, if you’re planning to plug in a USB device that you found lying out in a public place, think twice about it...
Could I use it myself?
The device is fairly simple to use, but if you don’t have any experience in writing or debugging code, there are a few things that could trip you up. In testing on a Mac, for a while, I couldn’t get the Ducky to enter the F4 key to open the launchpad, but I fixed it after making it identify itself with a different Apple keyboard device ID.
From that point, I was able to write a script so that, when plugged in, the Ducky would automatically launch Chrome, open a new browser window, navigate to The Verge’s homepage, then quickly close it again — all with no input from the laptop user. Not bad for just a few hours’ testing and something that could be easily modified to do something more nefarious than browse technology news.