The New USB Rubber Ducky Is More Dangerous Than Ever (theverge.com)
The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.
With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.
It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.
Re:hackers (Score:5, Insightful)
Having ethics is not really a binary choice. It's more of a very extensively smeared-out spectrum.
Someone who would never mug a blind beggar for $5 might, just might, pick up and keep $500 if no one else was looking.
What if one was offered $1 million, tax free, with no questions ever asked (it's a thought experiment!) for consenting to the apparently natural death of a complete stranger?
Or holding lucrative shares in corporations that sell hideous chemical poisons or weapons?
Re:hackers (Score:4, Funny)
What if one was offered $1 million, tax free, with no questions ever asked (it's a thought experiment!) for consenting to the apparently natural death of a complete stranger?
Does it have to be a stranger? Asking for...a friend.
Re: hackers (Score:2)
It depends more on the need someone has, versus abundance others have.
A poor hungry person is likely to steal bread from a hotel buffet. But less likely to swig champagne.
Someone making basic needs in life ($70000+ if I recall correctly) is unlikely to swipe any amount from a blind beggar.
Re: (Score:2)
Or holding lucrative shares in corporations that sell hideous chemical poisons or weapons?
Many, many people own shares in fossil fuel companies, banks and insurance companies. Even if not directly, most retirement funds have big holdings in these industries, so if you're not actively managing your retirement/superannuation fund, you are profiting from "evil" corporations. Yes, insurance companies are evil. If the legal costs of denying a payout for your crippling health condition, totalled car or flooded house are lower than the payout itself, these pricks will deny your claim. Their shareholder
Re:hackers (Score:4, Insightful)
No and no.
No, those devices are not funny. They're gimmicks to convince managers of something you need to get through to them. That's all these gimmicks are for. Trying to explain to a manager why it's necessary to block USB block devices and disallow certain PID and VID will be met by eyes glazing over and them not even trying to understand. It takes something like this to explain to them that they would NOT notice it if someone plugged a keyboard into their laptop.
That's what these gadgets are neat for. As a hacking tool, they're pretty worthless.
Re:hackers (Score:5, Interesting)
Ethics aside, and regardless of their builders' motivations, I'd much rather see such gadgets demonstrated publicly. Everyone needs to be aware of the threats out there.
Otherwise you'd have attendees at conferences being approached by an attractive young woman from another country who would politely ask if she could charge her phone from the USB port of the laptop at your display booth, and you might think nothing of saying "yes". (And yes, it happened to us, and no, she was not allowed anywhere near our equipment.)
Re: (Score:3)
you clearly do not understand what's going on but you didn't miss the opportunity to feel outraged. well done! thanks for honoring this venerable internet tradition! there are other helpful replies explaining the issue so i won't abound.
For Linux systems: USBGuard (Score:5, Informative)
For Linux systems USBGuard can probably be used to block devices like this. Anybody aware of similar software functionality for other OSes?
How to use Linux's built-in USB attack protection
https://www.zdnet.com/article/how-to-use-linuxs-built-in-usb-attack-protection/ [zdnet.com]
Re: (Score:3)
usbguard is fine for experts but they used to have management GUIs and then abandoned them so now you have to do all management manually. Even here on slashdot there are users who would struggle with this. I for one just don't want to be bothered. If I were to plug in a mysterious USB device (unlikely) I would hook it up to a pogoplug, since they are cheap. I would say raspi, but you can't even get those... but you can get a used pogo
Re: (Score:2)
I still don't get why someone would pick up a random USB device they find laying around.
Curiosity.
Are you so broke you can't afford to buy your own USB drive so you're hoping to take this one home and use it?
I wouldn't mind a free high-capacity USB stick. Of course, the ones you find lying around are usually not that. I remember when I got my first 128MB stick, I thought it was huge :)
Re: (Score:2)
I still don't get why someone would pick up a random USB device they find laying around.
well, people wouldn't if they had seen these ducks in action, that's the point of them.
other than that, besides the many ways you can get a person to use a thumb drive via deception or social engineering, this vector is also useful for the attacker if he can get physical access to a target machine, even if just a few seconds.
people being gullible or naive is indeed a problem but not the root cause here: usb mounting is inherently insecure. however that is far too expensive to fix at this point, once you hav
Re: (Score:2)
sorry, bad quote.
Re: For Linux systems: USBGuard (Score:2)
What exactly are you expecting to find?
Satoshi Nakamoto's Bitcoin stash.
Re: (Score:2)
After hooking it up to a Pogo Plug what would you do to establish trust? Would you just use it to transfer a file that is supposed to be on it or go to it? I can see that being a challenge for anything beyond file transfer.
Re: (Score:2)
I'd probably benchmark it. If the results are slow then at best I don't want it, and possibly it's just pretending to be a proper mass storage device.
Re: (Score:2)
Whitelisting every USB device is just as practical as email address whitelisting. It absolutely will work for secure environments but not your everyday joe.
Re: (Score:3)
Not even that. I unplug your keyboard, plug it into my tool, read out the PID and VID, clone them to my device, plug it in and your system thinks my keyboard spoofer is the keyboard.
There is no foolproof way to do it. People need to effin' keep an eye on their machines when someone else is around.
This should have been plugged *long* ago (Score:3)
If there is an existing keyboard, and a new one suddenly appears, require confirmation from the user. Not very difficult.
Likewise for any other device.
Re: (Score:3)
Will that actually protect many users from a simulated keyboard? The RubberDucky can change its identification strings, so for example it could say use a Dell ID or even rotate through various manufacturer ID strings. It is hard to just whitelist a single device ID for a keyboard because it could break, and even a handful of "recovery" devices would be limited to true SCIF systems.
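The two checks argued over in the comments above (a VID:PID allow-list, and confirmation when a second keyboard appears), sketched as an added example that is not code from any commenter or from USBGuard. The event lines, port names, device IDs and the `review` function are constructed for illustration; `03:01:01` is the USB HID boot-keyboard interface and class `08` is mass storage.

```python
# Added example: constructed hotplug events, not real udev output.
# Fields: action, port, VID:PID, interfaces as class:subclass:protocol.
EVENTS = """\
add 1-1 413c:2113 03:01:01
add 1-3 0781:5581 08:06:50
add 1-4 413c:2113 03:01:01
remove 1-3 0781:5581 08:06:50
add 1-3 0781:5581 08:06:50,03:01:01
"""

ALLOWED_IDS = {"413c:2113", "0781:5581"}  # constructed VID:PID allow-list
KEYBOARD = "03:01:01"                     # HID, boot subclass, keyboard protocol
STORAGE_CLASS = "08"                      # USB mass storage class code


def review(events, allowed_ids=ALLOWED_IDS):
    """Return (port, verdict, reasons) for every 'add' event, in order."""
    keyboards = set()   # ports whose keyboard interface has been accepted
    results = []
    for line in events.strip().splitlines():
        action, port, dev_id, ifaces = line.split()
        ifaces = ifaces.split(",")
        if action == "remove":
            keyboards.discard(port)
            continue
        reasons = []
        # Check 1: identity allow-list. A cloned VID:PID passes this.
        if dev_id not in allowed_ids:
            reasons.append("id not on allow-list")
        is_kbd = KEYBOARD in ifaces
        # Check 2: behaviour. A keyboard arriving next to an accepted one
        # is held for user confirmation, whatever ID it reports.
        if is_kbd and keyboards:
            reasons.append("keyboard added while one is already attached")
        # Check 3: a "flash drive" that also exposes a keyboard interface.
        if is_kbd and any(i.startswith(STORAGE_CLASS + ":") for i in ifaces):
            reasons.append("storage and keyboard on one device")
        if is_kbd and not reasons:
            keyboards.add(port)   # only accepted keyboards count as attached
        results.append((port, "hold" if reasons else "allow", reasons))
    return results


if __name__ == "__main__":
    for port, verdict, reasons in review(EVENTS):
        print(port, verdict, "; ".join(reasons))
```

The device on port 1-4 reports the same ID as the accepted keyboard, so the allow-list passes it and only the second-keyboard check holds it. On a host whose only keyboard is not on USB, that keyboard has to be seeded into `keyboards` for the check to apply.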
More juvenile than ever (Score:1)
Yes, yes, very nice proof of concept. But the execution and presentation remain immature sensationalism through and through. As if designed to be as little helpful as possible for maximum attention, so as to draw out "cyber security" consulting opportunities out for maximum "consultant" gain.
There really is no need for that sort of job security (=="rent") seeking, there's plenty enough work for plenty capable people.
Re: (Score:2)
There really is no reason to try for job security in security. If you're not a complete idiot who is just faking it (and yes, these people unfortunately exist, mostly because managers have zero clue and are completely buzzword-compliant), headhunters are kicking down your door anyway.
Re: (Score:2)
Indeed. The job market for anybody with some actual skills in IT security is great and I guess people that fake it still have a pretty good chance. The last few headhunters I just told my daily rate if they wanted me to interview. Things have gotten more quiet now.
Why do they find this interesting? (Score:2)
Re: (Score:2)
Because it's a neat gimmick for shock-and-awe presentation to C-Levels.
I wish I was kidding.
Re: (Score:2)
Because it's a neat gimmick for shock-and-awe presentation to C-Levels.
I wish I was kidding.
Don't wish you were kidding. It's great to have something on hand that can get people to actually take security in general seriously. When you're talking to C-level you need shock-and-awe to get them to notice an issue they kept ignoring.
Re: (Score:2)
I'd prefer them to understand the problem. But I guess with C-Levels and other children, you better put your money on spectacular magic tricks.
Re: (Score:2)
The higher you are the more abstract your understanding needs to be. The only thing they need to understand is that underinvesting in IT security can have catastrophic consequences.
That's it. The very last thing you want is a C-level with a deep level of understanding actually helping come up with a solution. That's not their job.
Re: (Score:2)
Because it's a neat gimmick for shock-and-awe presentation to C-Levels.
I wish I was kidding.
I know that you are definitely not kidding. The problem is product vendors often lie by misdirection to C-levels and the C-levels typically do not notice because many think they are a lot smarter than they actually are. So the other side also lies by misdirection. This device is one of the tools used.
Re: (Score:2)
Pros aren't going to fall for it
I think you are wrong about that.
People who are given high level credentials aren't necessarily more security aware than the average person. I've known loads of people who had access to useful data who didn't know much at all about how domain security works, or even user level security. Same for people who have access to financial information or even the ability to move money around.
Getting value from a device like this isn't limited to cracking a security professional's machine, or even an IT profess
Re: (Score:2)
Bonus ducks! (Score:2)
Bonus ducks [youtube.com]!
Back to the good old days (Score:2)
Of per-device dip switch settings inside the pc chassis.
You can do this in software of course. Most stuff has serial numbers that are more or less unique to each device, so you can lock out keyboards, mice, etc that aren't on your whitelist (maintained as a sticky note the admin has under his keyboard).
I've done stuff like that to disambiguate usb to serial dongles that talked to different pieces of hardware and would make symlinks like /dev/gizmo1 and /dev/gizmo2 without relying on things to show in the co
Still not really dangerous, though (Score:2)
I mean you do _not_ let people plug in stuff you do not know into a USB port on your computer.
Dangerous? Not really. (Score:3)
Try typing stuff on a normal keyboard on some random computer and see what happens. 99% of the time nothing useful because either the focus is on a window that doesn't accept keyboard input or there's no focus at all. Or it's at a login/lock screen/prompt.
The only place where this might be of use is surreptitious use in a server room where servers are in a known input state. But then if someone can break into a server room to do this why would you need it in the first place? Just plug in a keyboard and get on with the hack.
Comment removed (Score:5, Informative)
USB Driver needed (Score:4, Interesting)
"You have just plugged a new keyboard into your system. Please enter the following CAPTCHA into this device to authorize its use."
This Has No Valid Use (Score:2)
I'm sure its use and possession is already against a number of laws. But I'm sure if this becomes a problem the designers and manufacturers will have to answer some tough legal questions.
Still requires human stupidity to enable its use (Score:3)
Of course one thing is always true: if you can get physical access to a system, you can do almost anything to it. Nothing new there.
Re: (Score:2)
This isn't a problem for the security folk but I can definitely see it being a problem out in the SMB + larger non-international corporate environments...during pentest season of course! There are easier ways in f
No USB ports to be a new feature? (Score:2)
All kidding aside, can a company like Apple or Samsung get the EU to approve USB ports that offer limited access unless proprietary USB devices are inserted?