The rubber ducky is back and better than ever.
The much-loved hacking tool has a new incarnation, released to coincide with theDef Con hacking conference this year, and creatorDarren Kitchen was on hand to explain it to The Verge. The latest edition is more dangerous than ever according to the tests we did.
The rubber ducky looks like a flash drive. When it's plugged into a computer, it sees it as a keyboard and accepts commands from the device just like a person would.
Kitchen said that it takes advantage of the trust model built in, where computers have been taught to trust humans. A computer knows that a human clicks and writes.
The original Rubber Ducky was released over a decade ago and became a fan favorite among the hacking community. The newest Rubber Ducky makes a leap forward with a set of new features that make it much more flexible and powerful than before.
There are so many possibilities with the right approach.
The previous versions of the Rubber Ducky were capable of carrying out attacks such as creating a fake Windows pop-up box to steal a user's login credentials or sending all saved passwords to an attacker's website. These attacks were not able to work across platforms because they had to be crafted for specific operating systems.
The new Rubber Ducky wants to overcome these limitations. It ships with a major upgrade to the Duckyscript programming language, which is used to create the commands that the rubber ducky will enter into a machine. Duckyscript 3.0 is a feature-rich language that allows users to write functions, store variables, and use logic flow controls.
The new Ducky can run a test to see if it is plugged into a Windows or Mac machine or if it is connected to the wrong machine. Variable delay between keystrokes can be added with the help of pseudorandom numbers.
It can steal data from a target machine by sending it through signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up, and it can also do it in a way that's even more impressive. An attacker could plug it in for a short time and then take it back with their passwords.
Most people aren't at risk of being a target due to the need for physical device access.
The Rubber Ducky sold out on the first day of the conference, and Kitchen said it was his company's most in-demand product. It's safe to say that hundreds of hackers have one, and demand will likely continue for a while.
It comes with an online development suite that can be used to write and build attack payloads. It is easy for users of the product to connect with a broader community: a payload hub section of the site makes it easy for hackers to share their work, and the Hak5 Discord is active with conversation and helpful tips.
It is too expensive for most people to distribute in bulk, so it is not likely that someone will leave a few of them in your favorite cafe. Think twice about plugging in a device that you found in a public place.
There are a few things that could trip you up if you don't know how to write code. After making the Ducky identify itself with a different Apple keyboard device ID, I was able to get the Ducky to open the launch pad.
I was able to write a script so that when plugged in, the Ducky would automatically launch Chrome, open a new browser window, and quickly close it, all with no input from the user. Not bad for a few hours of testing, and something that could be easily modified to do more harm than good.