USB Rubber Ducky

The Basics:

One of the more terrifying products to debut at DefCon this year, the updated USB Rubber Ducky should make any CISO with an abundance of remote workers nauseous. For a little more than $100 you get the USB Rubber Ducky, the GUI for programming it in DuckyScript, and a booklet that teaches you the language. It purports to be a “flash drive” that types keystroke injection payloads into unsuspecting computers at incredible speeds: while a human sees a flash drive, the computer sees a keyboard and accepts its instructions.

Beyond keystroke injection attacks, the Rubber Ducky can mimic any USB device ID and manufacturer, so it can circumvent some of the built-in defenses your laptop has. It can also be used to conduct brute-force attacks against passwords and PIN codes while looking and acting like a normal USB stick, complete with “Disk Content” decals. It even ships with two USB connectors, USB-C and USB-A, so it cannot be thwarted by port incompatibility.

The USB Rubber Ducky is so terrifyingly successful because it takes advantage of a fundamental assumption your computer makes: that it can trust its human. By pretending to be an HID (human interface device), the Rubber Ducky exploits exactly that assumption.
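Because the computer trusts anything that enumerates as a keyboard, one defender-side signal is the typing speed the post describes: injected payloads arrive far faster than any human can type. The following is an added example, not code from the original post or from the device's vendor; the 30 ms human floor, the 8-key window and the sample timestamps are all assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds for illustration: a fast human typist rarely sustains
# gaps below ~30 ms between keystrokes, while injected keystrokes typically
# land a few milliseconds apart.
HUMAN_MIN_GAP_MS = 30.0
WINDOW = 8  # consecutive keystrokes examined per sliding window


def keystroke_gaps(timestamps_ms):
    """Inter-keystroke intervals (ms) for a sequence of key-down timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def flagged_windows(timestamps_ms, window=WINDOW, min_gap_ms=HUMAN_MIN_GAP_MS):
    """Return (start_gap_index, median_gap_ms) for every window of `window`
    keystrokes whose median gap is below the human floor. The median makes
    a single long pause inside a burst insufficient to hide it."""
    gaps = keystroke_gaps(timestamps_ms)
    span = window - 1  # a window of N keys covers N-1 gaps
    flagged = []
    for i in range(len(gaps) - span + 1):
        seg = gaps[i:i + span]
        m = median(seg)
        if m < min_gap_ms:
            flagged.append((i, m))
    return flagged


def is_injection_suspected(timestamps_ms, **kwargs):
    """True when at least one window looks machine-typed."""
    return bool(flagged_windows(timestamps_ms, **kwargs))


# Constructed sample data (not captured from a real device):
# a human typing ten keys at 120-190 ms per key ...
HUMAN_SAMPLE = [0, 150, 310, 440, 620, 790, 910, 1100, 1250, 1400]
# ... a 40-key burst at 3 ms per key ...
INJECTED_SAMPLE = [3.0 * k for k in range(40)]
# ... and the human session immediately followed by such a burst.
MIXED_SAMPLE = HUMAN_SAMPLE + [1400 + 3.0 * k for k in range(1, 41)]

if __name__ == "__main__":
    for name, sample in (("human", HUMAN_SAMPLE), ("injected", INJECTED_SAMPLE),
                         ("mixed", MIXED_SAMPLE)):
        print(name, "suspected" if is_injection_suspected(sample) else "clean")
```

A timing heuristic is only one layer: it belongs alongside allow-listing of USB device IDs and alerting on any newly enumerated keyboard, since the post notes the device can also spoof those IDs.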

Our Review:

Unfortunately, we have not been able to get our grubby hands on one of these devices yet, as they are backordered for the next two months, but when ours arrives sometime in October we will hand it to our most programmatically challenged member and see how easy it is for a novice to program one of these unassuming nightmare machines.
