RISK ASSESSMENT RATING: 6.00
How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.
While perhaps not well known outside security circles, the Rubber Ducky is an InfoSec favorite due to its low price, ease of use, and general quality. The tool is prevalent and accessible enough to qualify as a fairly popular rogue device.
The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.
Between the pre-built nature of the device and the community forums that provide support and tips, the Rubber Ducky qualifies as one of our more n00b-friendly devices. However, this is still not a device that you just plug in and go; it does require some knowledge to use and deploy properly.
The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.
The Rubber Ducky, used by an expert in the right setting, can be extraordinarily detrimental – with data storage capabilities and a sleek outer appearance, it fits right into the standard office setting. More impressively, the tool and community allow even a fairly inexperienced user to put a dent in an organization’s security. All of that ease of use and professional polish only gets the user as far as USB HID spoofing can take them – which can be very far in poorly segmented “tootsie pop” systems, or when executed on an administrator’s system, and not particularly far when faced with an appropriately secured computer or network.
The techniques and hardware needed to perform USB HID spoofing attacks with hobby-grade microcontrollers have been fairly common knowledge since at least 2010, but the homebrew nature of most of these devices has kept their numbers relatively low. While it doesn’t take much technical knowledge to construct a functional USB HID spoofing device, putting together a polished and reliable tool that doesn’t look suspicious plugged into a computer is another matter entirely.
Seeing the need for a standardized and professional keystroke injection tool, the team at Hak5 came up with the Rubber Ducky: an easily scriptable USB HID spoofing dongle that is externally indistinguishable from a standard USB flash drive. Beyond the hardware itself, Hak5 has also created a community around developing and sharing scripts for the Rubber Ducky, greatly improving its adaptability and likelihood of success when compared to homebuilt devices.
- CPU: AT32UC3B1256 32-bit AVR @ 60 MHz
- I/O: Type A USB, JTAG
- OS: Open Source, scripts written in Duckyscript
- Storage: MicroSD
- Supported OSes: Windows, Linux, Mac OS, Android, iOS
The most obvious difference between the Rubber Ducky and homebrew solutions is its outward appearance: rather than being a collection of cobbled-together circuit boards, the Rubber Ducky looks exactly like a USB flash drive. Plugging it into a computer and leaving it connected looks normal in nearly any setting. The ability to hide in plain sight is a huge advantage for a tool like this, and could easily mean the difference between success and failure for an attacker.
The Rubber Ducky is designed to stay hidden: through the use of composite firmware on the device, it’s possible for it to emulate a USB keyboard while at the same time making its MicroSD card available to the host operating system as a USB storage device. Not only does it look like a flash drive, it actually works like one. Equally important, the storage gives the Rubber Ducky a place to store extracted files and to launch exploits from, opening up numerous possibilities beyond simple keystroke injection.
Programming the Rubber Ducky is made exceptionally easy through the use of “Duckyscript”: a simplistic scripting language not unlike Windows “Batch” files. With Duckyscript, the user only needs to know a handful of plain-English commands to program the hardware, a big improvement over the type of low-level programming necessary to inject keystrokes with a bare microcontroller. Not that any programming is actually required to use the Rubber Ducky: there’s a web-based “Duck Toolkit” which will let users generate a Duckyscript file based on their selected presets, and even a forum and Wiki dedicated to collecting community-created scripts.
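Because the composite firmware described above presents a keyboard and a storage device from one physical dongle, a host can be audited for exactly that combination. The following is an added example, not Hak5 or original-page code: it assumes the Linux sysfs layout under /sys/bus/usb/devices, the function names are hypothetical, and the vendor/product IDs in the sample tree are constructed.

```python
import os

HID, MASS_STORAGE = 0x03, 0x08  # USB-IF interface class codes
IFACE_FILES = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def _read(*parts):
    try:
        with open(os.path.join(*parts)) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def hid_storage_composites(root="/sys/bus/usb/devices"):
    """Return USB devices that expose both a HID and a mass-storage interface."""
    by_device = {}
    for name in sorted(os.listdir(root)):
        values = [_read(root, name, f) for f in IFACE_FILES]
        if ":" not in name or not values[0]:  # interfaces look like "1-3:1.0"
            continue
        triple = tuple(int(v or "0", 16) for v in values)
        by_device.setdefault(name.split(":")[0], []).append(triple)
    findings = []
    for dev, ifaces in by_device.items():
        classes = {cls for cls, _, _ in ifaces}
        if HID in classes and MASS_STORAGE in classes:
            findings.append({
                "device": dev,
                "id": _read(root, dev, "idVendor") + ":" + _read(root, dev, "idProduct"),
                "boot_keyboard": (HID, 1, 1) in ifaces,  # subclass 1, protocol 1
            })
    return findings

def build_sample_tree(root):
    """Constructed sysfs-like tree: flash drive, keyboard, and a composite of both."""
    sample = {"1-1": ("1111", "0001", ["08 06 50"]),
              "1-2": ("2222", "0002", ["03 01 01"]),
              "1-3": ("3333", "0003", ["03 01 01", "08 06 50"])}
    for dev, (vid, pid, ifaces) in sample.items():
        files = {(dev, "idVendor"): vid, (dev, "idProduct"): pid}
        for n, triple in enumerate(ifaces):
            files.update({(f"{dev}:1.{n}", f): v for f, v in zip(IFACE_FILES, triple.split())})
        for (folder, fname), value in files.items():
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            with open(os.path.join(root, folder, fname), "w") as fh:
                fh.write(value + "\n")

if __name__ == "__main__" and os.path.isdir("/sys/bus/usb/devices"):
    print(hid_storage_composites())  # audit the live host
```

A match is a lead for review rather than proof of a rogue device; compare the reported ID against the organization's approved peripherals.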
Compared to the microcontroller-based, homebrew keystroke injectors that came before it, the Hak5 Rubber Ducky is an exceptionally polished device. From the build quality to the software environment and community, the Rubber Ducky takes the best parts of the independent projects that came before it and turns them into a cohesive final product. The importance of a standardized hardware and software platform for keystroke injection experimentation and research can’t be overstated and, at under $50, Hak5 has made entry into the field very affordable.
But for all its advanced features and polish, the Rubber Ducky still can’t escape the reality of keystroke injection. Authentication on the target machine will stop the Rubber Ducky in its tracks, and even a single unexpected dialog popping up can completely derail the attack. So while it may be a well-designed and well-supported product, its real-world effectiveness is still very much up for debate.