Despite the repeated warnings of system administrators, IT personnel, and anyone moderately aware of operational security, there are still quite a few people who will gladly plug a mysterious flash drive into their computers to see what’s on it. Devices that take advantage of this well-known behavioral vulnerability have a long history, the most famous being Hak5’s USB Rubber Ducky, which emulates a USB input device to rapidly execute attacker-defined commands on the target computer.
The main disadvantage of these keystroke injection attacks, from the attacker’s point of view, is that they’re not particularly subtle. It’s usually fairly obvious when something starts typing thousands of words per minute on your computer, and the victim’s next move is probably a call to IT. This is where [Krzysztof Witek]’s open-source Rubber Ducky clone has an advantage: it uses a signal detected by a SYN480R1 RF receiver to trigger the deployment of its payload. This does require the penetration tester using it to be on the site of the attack, but unlike with an always-on or timer-delayed Rubber Ducky, the attacker can trigger the payload when the victim is distracted or away from the computer.
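An added example (not from the original article or from [Krzysztof]’s project) of the host-side check this paragraph implies: flagging a keyboard that types faster than a person can sustain. The event format, device names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds (tune per environment): a run of MIN_RUN key-downs whose
# gaps are all under MAX_GAP_S is faster than sustained human typing.
MAX_GAP_S = 0.020
MIN_RUN = 10

@dataclass
class Burst:
    device: str
    start: float
    keys: int
    keys_per_sec: float

def find_bursts(events, max_gap=MAX_GAP_S, min_run=MIN_RUN):
    """events: iterable of (timestamp_seconds, device_id), one per key-down."""
    per_device = defaultdict(list)
    for ts, dev in events:
        per_device[dev].append(ts)

    bursts = []
    for dev, stamps in per_device.items():
        stamps.sort()
        run_start = 0
        for i in range(1, len(stamps) + 1):
            # Close the run at end of data or when the gap is human-sized.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap:
                n = i - run_start
                if n >= min_run:
                    span = stamps[i - 1] - stamps[run_start]
                    rate = round((n - 1) / span, 1) if span > 0 else float("inf")
                    bursts.append(Burst(dev, stamps[run_start], n, rate))
                run_start = i
    return bursts

def sample_events():
    # Constructed data: a person on "kbd-builtin" with 90-150 ms gaps, and a
    # newly attached "hid-unknown" sending 40 key-downs 5 ms apart.
    human = [(10.0 + 0.12 * i + 0.03 * (i % 2), "kbd-builtin") for i in range(30)]
    injected = [(20.0 + 0.005 * i, "hid-unknown") for i in range(40)]
    return human + injected

if __name__ == "__main__":
    for b in find_bursts(sample_events()):
        print(f"{b.device}: {b.keys} keys from t={b.start:.3f}s at {b.keys_per_sec} keys/s")
```

Timing alone only catches payloads typed at machine speed, so it complements rather than replaces controls on which USB input devices a host accepts.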
This project is based around the ATmega16U2, and runs a firmware based on microdevt, a C framework for embedded development which [Krzysztof] also wrote. The project includes a custom compiler for a reduced form of Hak5’s payload programming language, so at least some of the available DuckyScript programs should be compatible with this. All of the project’s files are available on GitHub.
Perhaps due to the simplicity of the underlying concept, we’ve seen a few open source implementations of malicious input devices. One was even built into a USB cable.
A Remote-Controlled USB Rubber Ducky Clone

I wonder if it works reliably for the author. In my experience these syn480 modules are just terrible. For some reason even the crappy LC tuned ones with a comparator will outperform them (and yes, I tuned both the receiver and transmitter with a VNA). Maybe all of the ones I tested were clones so that’s why they worked so terribly. The syn115 transmitter was not better.
Honestly I also had issues with it, with the clones especially.
“Despite the repeated warnings of system administrators, IT personnel, and anyone moderately aware of operational security, there are still quite a few people who will gladly plug a mysterious flash drive into their computers to see what’s on it.”
Trick is to find an enemy and try it on their computers, preferably the ones that control centrifuges.
About 15 years ago at the corporate office of a large insurance company in Illinois an employee brought in a flash drive that had a fun game on it. The employee played the game during breaks and lunch time. Other employees saw it and borrowed the flash drive to try the game and copy it. Soon IT was getting calls of crashing computers that started escalating. A pattern emerged and IT found they were a few steps behind as the calls spread across a department and worked its way to other sections of the building and seemed to spread through the network. IT shut down the entire network overnight, removed suspicious files from network servers, reloaded a multitude of desktops and backtracked the spread to one office. The next day top office meetings were held halting all work to instruct on new security procedures. It was found that the “fun” game had come from a local high school which weeks before had gone through a similar event. So whenever I buy a new external drive I always format it and virus scan it on an old junk laptop just to be sure. This all brings to mind that age-old warning from mom…”don’t put that in your mouth…you don’t know where it’s been”. Same goes for USB devices.
Similar thing happened to me. Years ago someone called the IT desk and said a printer was printing lots of blank pages. I went to the queue and stopped it. Then I went to the printer and indeed there were hundreds of pages not completely blank, but they had random characters on the page, not many, maybe 2 or 3. I chucked the paper and printing resumed.
Exactly 24 hours later the same thing started happening! I again stopped the queue and went to the user and asked her what she was trying to print. She said nothing, I’m at lunch. Exactly 24 hours later again the same thing happened. This time I went to the user and asked her why she was printing. She said I’m at lunch, I’m not printing. I said you must be doing something, she said: all I did was to bring this floppy from home because it has a game and it does not work at home, so I tried it here. The “game” was a virus that worked only in networks and it would do precisely that, it would start printing junk on the network printers! Yikes! Our boss was not happy and floppies were forbidden after that (USB was either too early, or too expensive back then).
Back then, it was the big cheeses with kids that always had infected machines.
Eventually, we convinced them to upgrade their machines and let the kids have the old ones.
Imaged the drives and taught them how to restore.
The kids weren’t happy, every restore wiped out their pirated games.
We told them to come get pirated games from us, but useless talk.
Well, if it does nothing when plugged, it’s unlikely it would be left hooked on the computer, no?
You’re very optimistic of the general userbase
Just put it in a nice enclosure with a screen that shows “Hi Dave” when plugged in.
Probably the hacker would plug it in him(/her)self while the user was AFK and the system was locked. After that it’s just waiting for or creating the right moment.
My thoughts exactly – in the scenario where the unwitting user just puts the drive in to check what is on it, he will as likely take it out if there is nothing interesting there.
Conceal it in a hub.
It seems a very narrow increase to the threat model if you have to be close enough to tell when they’re away/distracted but can’t just stick it in yourself.
Do you though? There are radars that can detect the presence of large bags of water moving past. It has even reached the stage where you could add a low resolution camera check remotely.
The attack isn’t visible unless the rubber ducky was incompetently configured.
It’s all a non-problem (for the rubber ducky user anyhow).
Perhaps a flicker, similar to some window installers that take a fraction of a second to hide their command windows.
If the malicious code immediately does something to raise attention, it wasn’t that bad.
A very easy way to get it to stay plugged in longer is to make it present as a storage device with very slow access times, but with file names that are intriguing. If the physical device’s exterior looks like it’s had a rough life most people would assume that could be why it’s so slow. At some point after being plugged in and pretending to be just barely fast enough that the OS doesn’t consider it an IO error, simulate unplug+replug, but this time as a human interface device and start doing bad things with your mad keyboard skills.
Device could also include some sensors to attempt to detect if human has left the computer.
This is a cool concept in theory but has zero practicality. Ignoring the fact that it’s bulky, nobody is going to leave the USB plugged in once they see nothing is on it. Even so, having to be within BT range whilst the computer is still logged in and the person not paying attention or at their station (which requires visual LOS) just doesn’t seem like a solid plan.
Somebody above said plug it in, and then you can remotely run it at the right opportunity. I feel like it’s hobbyists in these comments, because anybody with sense would absolutely just execute the PowerShell then and there and remove the device.