This morning, Lucidity presented a security workshop for patrons of our local business association. We delivered a presentation on how to improve your cyber security position, and we demonstrated a little piece of technology called a Rubber Ducky. I thought this is probably worth writing about, as it’s a very real way hackers can get access to your systems and, quite often, security protection software won’t even know it’s happened, let alone stop it.
I think most people think this type of stuff only happens on TV programs, but after I saw this presented at an IT forum a couple of months ago, I had to get my hands on one to see if they really are as ‘tricky’ as I saw demonstrated.
A Rubber Ducky is a USB key that looks like any other USB key, but instead of storing your files, it pretends to be a keyboard and can type anything you want it to at record speeds. These things are available online, and there is an entire community of people writing nefarious scripts that this little device can execute to do anything from deleting data, copying your data to the cloud and stealing passwords and Wi-Fi credentials to encrypting your files. There are hundreds of different scenarios.
You can now also buy rip-off versions of this from online providers like AliExpress for a few NZ dollars. They are a little bit trickier to program, but nothing that complex.
When plugged in to a computer, the device pretends to be a keyboard. It exploits a loophole: most end-user computing devices (PCs, Macs, tablets, phones) trust a keyboard or mouse plugged in to the USB port without any prompting or notification. The computer the key is plugged into simply assumes a new USB keyboard has been attached. Then, the keyboard starts typing – and this is where the trouble begins. In a few seconds, if your device is unlocked, the Rubber Ducky can start system utilities and start doing nasty things.
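A defensive illustration of the behaviour described above, added here and not part of the original article or Lucidity's tooling: a heuristic that flags a newly attached keyboard whose keystrokes arrive faster than a person types. The event format, device names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed thresholds (tune per environment): people rarely sustain gaps under
# ~30 ms between keys, while injected keystrokes arrive a few ms apart.
MAX_HUMAN_GAP_S = 0.030   # a gap shorter than this counts as "too fast"
BURST_LEN = 10            # this many fast gaps in a row flags the device
WATCH_WINDOW_S = 10.0     # only inspect the first seconds after attach

def find_injection_suspects(events):
    """events: sorted (timestamp_s, device_id, 'attach'|'key') tuples.
    Returns {device_id: seconds from attach to the start of the fast burst}."""
    attached_at, last_key, run_start, suspects = {}, {}, {}, {}
    run = defaultdict(int)    # consecutive fast gaps seen per device
    for ts, dev, kind in events:
        if kind == "attach":
            attached_at[dev] = ts
            last_key.pop(dev, None)
            run[dev] = 0
            continue
        if dev not in attached_at or dev in suspects:
            continue          # keyboard was already present, or already flagged
        if ts - attached_at[dev] > WATCH_WINDOW_S:
            continue          # outside the post-attach watch window
        prev = last_key.get(dev)
        last_key[dev] = ts
        if prev is not None and ts - prev < MAX_HUMAN_GAP_S:
            if run[dev] == 0:
                run_start[dev] = prev
            run[dev] += 1
            if run[dev] >= BURST_LEN:
                suspects[dev] = round(run_start[dev] - attached_at[dev], 3)
        else:
            run[dev] = 0      # a human-length pause resets the burst counter
    return suspects

def constructed_events():
    """Constructed sample data: three keyboards, one typing 5 ms per key."""
    ev = [(100.0, "usb-A", "attach"), (200.0, "usb-B", "attach")]
    ev += [(90.0 + 0.18 * i, "kbd0", "key") for i in range(20)]     # built-in, human pace
    ev += [(101.0 + 0.005 * i, "usb-A", "key") for i in range(40)]  # new device, 5 ms gaps
    ev += [(202.0 + 0.15 * i, "usb-B", "key") for i in range(20)]   # new device, human pace
    return sorted(ev)

if __name__ == "__main__":
    print(find_injection_suspects(constructed_events()))
```

Only the device that started a machine-speed burst one second after being attached is reported; the built-in keyboard and the genuinely new keyboard typed at a human pace are not.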
Below is an example video of a Rubber Ducky plugged in to a standard Windows 10 laptop. Within seconds, it has launched PowerShell on the device and started typing out a piece of code that uploads data to Dropbox. It then starts copying the data off the laptop into a Dropbox account we created to demonstrate this vulnerability. It doesn’t download anything, it doesn’t trigger your antivirus software, it does nothing more than type: but what it types illustrates how quickly something nasty can be run on your computer without you even knowing.
It took me about 30-40 minutes to get my head around this thing, find a website that allows you to program it to do all sorts of things, create a dummy Dropbox account, and I was away. For the purpose of the demo, I haven’t coded in anything to try and hide the activity, but that would have taken little more effort to launch the window and then shrink it so it can’t be seen.
Check this out:
Imagine if someone with one of these keys walked into your business, asked the receptionist for a drink of water, and then slipped one of these devices into the USB port of their computer. Would your receptionist have locked their PC before they got up from their desk?
This is purely a demonstration of what can be done with one of these devices. We’ve made it obvious that it’s executing code and uploading data, but with a few more commands, we can hide the window that’s running the code and most people wouldn’t even know it’s happening. This is not something Lucidity condone or promote; this is just an article/video to make you aware of this kind of attack.
If the computer in this video was at the lock screen, this exploit couldn’t have executed when I plugged in the USB key. Do your team members lock their PC every time they leave their desks?
At Lucidity, we build device policies to stop this kind of thing executing nasty stuff on your computers.
Get in touch with Lucidity if you think we can help you better secure your IT platform.