
Do NOT Plug This Into Anything – Hak5 Rubber Ducky

TannerMcCoolman


The Hak5 Rubber Ducky is a dangerous hacking tool that disguises itself as an unassuming USB flash drive. It delivers payloads by injecting keystrokes while appearing to its host system as a regular old keyboard.

Buy the Hak5 Rubber Ducky here:
https://shop.hak5.org/products/usb-rubber-ducky


If you plug random flash drives into your computer you had it coming.

 

| If someone's post is helpful or solves your problem please mark it as a solution 🙂 |

I am a human that makes mistakes! If I'm wrong please correct me and tell me where I made the mistake. I try my best to be helpful.

System Specs

<Ryzen 5 3600 3.5-4.2Ghz> <Noctua NH-U12S chromax.Black> <ZOTAC RTX 2070 SUPER 8GB> <16gb 3200Mhz Crucial CL16> <DarkFlash DLM21 Mesh> <650w Corsair RMx 2018 80+ Gold> <Samsung 970 EVO 500gb NVMe> <WD blue 500gb SSD> <MSI MAG b550m Mortar> <5 Noctua P12 case fans>

Peripherals

<Lepow Portable Monitor + AOC 144hz 1080p monitor> 

<Keymove Snowfox 61m>

<Razer Mini>


If anyone is looking for a way to combat this, there is a great software vendor that protects against rubber duckies. At my job, we use an application called ThreatLocker to protect all of our clients' machines. ThreatLocker is an allow-listing software that blocks EVERYTHING from running unless there is a rule on the server side that explicitly allows it. Great tool for all MSPs and IT Departments to have. They even gave us a rubber ducky to use as a marketing tool for their software!

Cybersecurity Tools, Allowlisting, Ringfencing | ThreatLocker Inc


23 minutes ago, SignatureSigner said:

If you plug random flash drives into your computer you had it coming.

 

Never underestimate the lusers. Remember, even stupid af spam mails work or they wouldn't be so widely used.

CPU: AMD Ryzen 5 5600X | Motherboard: B550 AORUS PRO AC | RAM: Corsair Vengeance LPX 32GB DDR4 @3600MT/s | GPU: AMD Radeon RX 6900 XT | Case: Fractal Meshify C | Storage: Western Digital Black SN750 NVMe 1TB & Samsung SSD 870 QVO 2TB | PSU: Cooler Master V-Series V750 Gold V2 750W | Display(s): MSI Optix MAG342CQR - 1440p144 & 2x 1080p60 | Cooling: Scythe Mugen 5 | Keyboard: Logitech G815 | Mouse: Logitech G502 Lightspeed | Sound: Logitech Z906 5.1 Sound System | Operating System: Windows 10 Pro


38 minutes ago, ForboJack said:

Never underestimate the lusers. Remember, even stupid af spam mails work or they wouldn't be so widely used.

Idiot Proof and Idiots have been locked in an eternal struggle for supremacy. My $5 is on the idiots winning, in the end. D:

"Don't fall down the hole!" ~James, 2022

 

"If you have a monitor, look at that monitor with your eyeballs." ~ Jake, 2022


1 hour ago, SignatureSigner said:

If you plug random flash drives into your computer you had it coming.

 

1 hour ago, ForboJack said:

Never underestimate the lusers. Remember, even stupid af spam mails work or they wouldn't be so widely used.

23 minutes ago, Sarra said:

Idiot Proof and Idiots have been locked in an eternal struggle for supremacy. My $5 is on the idiots winning, in the end. D:

 

It's really tempting to label the kind of person who could fall for something like this to be an idiot, but, like, are we forgetting that even experienced people can make mistakes and have lapses in judgement?

 

I mean, seriously. There's more than one way a vulnerability can exploit a user, and I remember this plausible anecdote from a YouTuber doing an ad spot for a password manager -- he received a login notification after a long day from an unknown location and was going to "log in" to the site, but realized it was a phishing site when said manager didn't suggest to fill in the login fields. Whether that story was real or not, it's something that literally could happen to anybody. And I don't think anybody here can honestly say that they've never made a mistake or had a lapse in judgement, no matter how experienced or disciplined you are. You don't become an expert by never making mistakes.

 

So can we please collectively stop equating "scam victim" with "idiot"?

It's entirely possible that I misinterpreted/misread your topic and/or question. This happens more often than I care to admit. Apologies in advance.

 

珠江 (Pearl River): CPU: Intel i7-12700K (8p4e/20t); Motherboard: ASUS TUF Gaming Plus Z690 WiFi; RAM: G.Skill TridentZ RGB 32GB (2x16GB) DDR4 @3200MHz CL16; Cooling Solution: NZXT Kraken Z53 240mm AIO, w/ 2x Lian Li ST120 RGB Fans; GPU: EVGA Nvidia GeForce RTX 3080 10GB FTW3 Ultra; Storage: Samsung 980 Pro, 1TB; Samsung 970 EVO, 1TB; Crucial MX500, 2TB; PSU: Corsair RM850x; Case: Lian Li Lancool II Mesh RGB, Black; Display(s): Primary: ASUS ROG Swift PG279QM (1440p 27" 240 Hz); Secondary: Acer Predator XB1 XB241H bmipr (1080p 24" 144 Hz, 165 Hz OC); Case Fans: 1x Lian Li ST120 RGB Fan, 3x stock RGB fans; Capture Card: Elgato HD60 Pro

 

翻生 (Resurrection): CPU: 2x Intel Xeon E5-2620 v2; Motherboard: ASUS Z9PR-D12 (C602 chipset) SSI-EEB; RAM: Crucial 32GB (8x4GB) DDR3 ECC RAM; Cooling Solution: 2x Cooler Master Hyper 212 EVO; GPU: ASRock Intel ARC A380 Challenger ITX; Storage: Crucial MX500, 500GB; PSU: Super Flower Leadex III 750W; Case: Phanteks Enthoo Pro; Expansion Card: TP-Link Archer T4E AC1200 PCIe Wi-Fi Adapter; Display(s): Dell P2214HB (1080p 22" 60 Hz)

 

壯麗 (Glorious): Mainboard: Framework Mainboard w/ Intel Core i5-1135G7; RAM: G.Skill Ripjaws 32GB (2x16GB) DDR4 SODIMM @3200MHz CL22; eGPU: Razer Core X eGPU Enclosure w/ (between GPUs at the moment); Storage: Samsung 970 EVO Plus, 1TB; Display(s): Internal Display: Framework Display; External Display: Acer (unknown model) (1080p, 21" 75 Hz)


These HID-based attacks are rather common for more targeted attacks. And devices like these have been out in the wild for a long time.

 

And to be fair, this device isn't that abnormal. Nor is it really "facilitating a tool", yes it marginally lowers the bar. But people have stuffed microcontrollers into keyboards for this exact type of attack for a long time.

 

There have likewise been discussions about how to trust human interface devices and validate them, and these discussions started long before attacks like these became practical.

 

But there just isn't a good solution.

Printing a string on screen for the user to type is a simple solution. But not without a laundry list of issues.

Audio is even worse, since the attacking device can just have a microphone.

And asking the user to remember more passwords is fairly inept in practice.


A decent solution is for the OS to ignore new HID devices as long as the "trusted" ones are still connected.
And ask the end user if they trust this new device. (and of course one should be able to have as many trusted devices connected simultaneously as one desires.)

(If one's keyboard dies and one goes to get a new one, then just unplug the old one and the new will now be the only available keyboard, so the OS has no choice but to trust it. Though, the HID attacker can just crash the USB driver and hope it gets recognized before the other keyboard.)
 

In the end.

The best solution is pure awareness.
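
The trusted-device policy proposed in the post above, sketched as a small Python state machine (an added example, not part of the original post and not any operating system's code). The class and method names, the constructed device identities and the `settle_window` option, which defers decisions until re-enumeration has finished so that arrival order after a driver reset does not matter, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Hid:
    """Identity as reported by the device itself: identification, not authentication."""
    vid: int
    pid: int
    serial: str
    kind: str = "keyboard"

@dataclass
class TrustPolicy:
    settle_window: bool = False                    # assumption: defer decisions until enumeration settles
    trusted: set = field(default_factory=set)      # identities the user approved; survives resets
    active: set = field(default_factory=set)       # connected devices whose input is accepted
    quarantined: set = field(default_factory=set)  # connected, input ignored, user is prompted
    pending: list = field(default_factory=list)    # unknown devices waiting for settle()

    def _trusted_present(self, kind):
        return any(d.kind == kind and d in self.trusted for d in self.active)

    def _decide(self, dev):
        if self._trusted_present(dev.kind):
            self.quarantined.add(dev)
            return "quarantine"
        self.trusted.add(dev)  # no trusted device of this kind attached: the post's replacement rule
        self.active.add(dev)
        return "bootstrap"

    def connect(self, dev):
        if dev in self.trusted:
            self.active.add(dev)
            return "accept"
        if self.settle_window:
            self.pending.append(dev)
            return "pending"
        return self._decide(dev)

    def settle(self):  # call once the bus has been quiet for the settle interval
        results = {dev: self._decide(dev) for dev in self.pending}
        self.pending.clear()
        return results

    def approve(self, dev):  # user answered the prompt from an already-trusted device
        if dev in self.quarantined:
            self.quarantined.discard(dev)
            self.trusted.add(dev)
            self.active.add(dev)

    def disconnect(self, dev):
        self.active.discard(dev)
        self.quarantined.discard(dev)
        self.pending = [d for d in self.pending if d != dev]

    def bus_reset(self):  # driver crash or hub reset: everything drops and re-enumerates
        for group in (self.active, self.quarantined, self.pending):
            group.clear()

def reset_race(settle_window):
    """Failure mode from the post: an unknown device enumerates first after a reset."""
    desk_kb = Hid(0x1111, 0x0001, "DESK-KB")   # constructed sample identities
    unknown = Hid(0x2222, 0x0002, "UNKNOWN")
    policy = TrustPolicy(settle_window=settle_window)
    policy.connect(desk_kb)
    policy.settle()                    # the user's keyboard bootstraps trust
    policy.bus_reset()
    first = policy.connect(unknown)    # unknown device wins the enumeration race
    policy.connect(desk_kb)            # known keyboard re-enumerates second
    return policy.settle().get(unknown, first)
```

`reset_race(False)` returns `"bootstrap"` (the unknown device is trusted only because it arrived first), while `reset_race(True)` returns `"quarantine"` because the decision waits until the known keyboard is back.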


At my shop we plug customers' USB keys into our order-taking PC without giving it a second thought. It's a thing that has to get done.

It's just business; the money we make taking in the work vs the risk of infecting an isolated PC. It's not even a question.

 


29 minutes ago, CT854 said:

So can we please collectively stop equating "scam victim" with "idiot"?

I agree with your sentiment, to an extent. Unfortunately, the types of attacks you're referring to usually result from a user's lack of mental wherewithal to NOT provide "insert-typically-legitimate-thing" to "insert-usually-safe-place."

 

Here's an analogy: Drunk driving is stupid, and it should never be done. But once you're inebriated, you have lost the ability to make proper decisions. However, the drunk person's current state of mind does not negate the fact it would still be a stupid action to hop in a car.

 

Likewise, the people that fall for cyber attacks are usually either rushed or mentally worn down from a long, hard day which greatly lowers their ability to make proper decisions, even if they would do so normally. So again, their current mental state does not negate the fact they still did a really stupid thing, be it providing passwords to a phishing site, or plugging in questionable USB devices.

Primary Gaming Rig:

Ryzen 5 5600 CPU, Gigabyte B450 I AORUS PRO WIFI mITX motherboard, PNY XLR8 16GB (2x8GB) DDR4-3200 CL16 RAM, Mushkin PILOT 500GB SSD (boot), Corsair Force 3 480GB SSD (games), XFX RX 5700 8GB GPU, Fractal Design Node 202 HTPC Case, Corsair SF 450 W 80+ Gold SFX PSU, Windows 11 Pro, Dell S2719DGF 27.0" 2560x1440 155 Hz Monitor, Corsair K68 RGB Wired Gaming Keyboard (MX Brown), Logitech G900 CHAOS SPECTRUM Wireless Mouse, Logitech G533 Headset

 

HTPC/Gaming Rig:

Ryzen 7 3700X CPU, ASRock B450M Pro4 mATX Motherboard, ADATA XPG GAMMIX D20 16GB (2x8GB) DDR4-3200 CL16 RAM, Mushkin PILOT 1TB SSD (boot), 2x Seagate BarraCuda 1 TB 3.5" HDD (data), Seagate BarraCuda 4 TB 3.5" HDD (DVR), PowerColor RX VEGA 56 8GB GPU, Fractal Design Node 804 mATX Case, Cooler Master MasterWatt 550 W 80+ Bronze Semi-modular ATX PSU, Silverstone SST-SOB02 Blu-Ray Writer, Windows 11 Pro, Logitech K400 Plus Keyboard, Corsair K63 Lapboard Combo (MX Red w/Blue LED), Logitech G603 Wireless Mouse, Kingston HyperX Cloud Stinger Headset, HAUPPAUGE WinTV-quadHD TV Tuner, Samsung 65RU9000 TV


30 minutes ago, CT854 said:

It's really tempting to label the kind of person who could fall for something like this to be an idiot, but, like, are we forgetting that even experienced people can make mistakes and have lapses in judgement?

It's not meant to dunk on anyone specifically, it's just that no matter how foolproof you make something, the Universe will come up with a better fool.

 

I've done stupid things. But, I can honestly say, over the last 10 years, I only once downloaded malware unintentionally, and I realized as soon as I had, so I just nuked the system and started over.


3 hours ago, Sarra said:

It's not meant to dunk on anyone specifically, it's just that no matter how foolproof you make something, the Universe will come up with a better fool.

I don't think we disagree on this, but the whole narrative of "you have to be an idiot to fall for these scams lulz" is pretty tired and it's easy to fall into that rhetoric even if you do ultimately understand that it's, well, not just idiots that fall for it.

 

Nuance is important and care should be taken, is all.


6 hours ago, CT854 said:

 

It's really tempting to label the kind of person who could fall for something like this to be an idiot, but, like, are we forgetting that even experienced people can make mistakes and have lapses in judgement?

 

I mean, seriously. There's more than one way a vulnerability can exploit a user, and I remember this plausible anecdote from a YouTuber doing an ad spot for a password manager -- he received a login notification after a long day from an unknown location and was going to "log in" to the site, but realized it was a phishing site when said manager didn't suggest to fill in the login fields. Whether that story was real or not, it's something that literally could happen to anybody. And I don't think anybody here can honestly say that they've never made a mistake or had a lapse in judgement, no matter how experienced or disciplined you are. You don't become an expert by never making mistakes.

 

So can we please collectively stop equating "scam victim" with "idiot"?

Someone who is pulling very long shifts and is fatigued is quite a bit more likely to have lapses in judgment.
 

I wonder if attackers also take into account the work schedule, and potentially even a guess of the workers’ mental state before investing in an attack. 

My eyes see the past…

My camera lens sees the present…


Awesome video like usual. Does anyone know how they were able to get their PC benchmark setup payload to download multiple files? I’ve been playing around with a rubber ducky equivalent (Arduino Leonardo based bad USB) and have only been able to get one file to download and execute. I haven’t been able to find a way to download multiple files either separately or in a folder (chrome, malwarebytes, discord, steam —> all setup .exes I want to quickly get on a computer).


3 hours ago, CT854 said:

Nuance is important and care should be taken, is all.

This. People forget that shit happens. 

In September I was in and out of hospital with mental health issues. Staying in a hotel because I couldn't quite go back out to work yet, but wasn't going to be out of work long enough to justify plane tickets to go home.

I got a call from the "front desk" saying they put my card in wrong when I checked in and they needed to verify my card number. I had stayed at that hotel many times. Even after going back and forth a while offering to go down to the front desk I still gave it out. I knew better. I spent about 10 minutes arguing about it. I was tired and I was exhausted. I gave my card number anyways.

I'm not actually trying to be as grumpy as it seems.

I will find your mentions of Ikea or Gnome and I will /s post. 

Project Hot Box

CPU 13900k, Motherboard Gigabyte Aorus Elite AX, RAM CORSAIR Vengeance 4x16gb 5200 MHZ, GPU Zotac RTX 4090 Trinity OC, Case Fractal Pop Air XL, Storage Sabrent Rocket Q4 2tb, CORSAIR Force Series MP510 1920GB NVMe, CORSAIR FORCE Series MP510 960GB NVMe, PSU CORSAIR HX1000i, Cooling Corsair XC8 CPU block, Bykski GPU block, 360mm and 280mm radiator, Displays Odyssey G9, LG 34UC98-W 34-Inch, Keyboard Mountain Everest Max, Mouse Mountain Makalu 67, Sound AT2035, Massdrop 6xx headphones, Go XLR

Oppbevaring

CPU i9-9900k, Motherboard, ASUS Rog Maximus Code XI, RAM, 48GB Corsair Vengeance LPX 32GB 3200 mhz (2x16)+(2x8) GPUs Asus ROG Strix 2070 8gb, PNY 1080, Nvidia 1080, Case Mining Frame, 2x Storage Samsung 860 Evo 500 GB, PSU Corsair RM1000x and RM850x, Cooling Asus Rog Ryuo 240 with Noctua NF-12 fans

 

Why is the 5800x so hot?

 

 


14 hours ago, SignatureSigner said:

If you plug random flash drives into your computer you had it coming.

 

Just like our sponsor pulse wave!!!

MSI x399 sli plus | AMD Threadripper 2990wx all core 3ghz lock | Thermaltake flo ring 360 | EVGA 2080, Zotac 2080 | Gskill Ripjaws 128GB 3000 MHz | Corsair RM1200i | 150tb | Asus tuff gaming mid tower | 10gb NIC


12 hours ago, CT854 said:

I don't think we disagree on this, but the whole narrative of "you have to be an idiot to fall for these scams lulz" is pretty tired and it's easy to fall into that rhetoric even if you do ultimately understand that it's, well, not just idiots that fall for it.

Mm, true. I think I should have been more along the lines of 'no matter how careful you are, some butthole will engineer a more appealing, crafty, and devious method to trick you into doing what they want'.


15 hours ago, AlexQC said:

I wonder which antivirus (if any) can stop them...

We found from experience that not many antiviruses can stop them; you need deny-all software in most instances. This is mainly for the enterprise space, but we use ThreatLocker to accomplish this. The reason that it is so hard to stop a rubber ducky is that it won't be explicitly known by, say, Norton or McAfee that it is malicious software. The flaw with that software is that it relies on "definitions" of what is good and bad. If something is not in its definition of bad, it will often allow it.


You can get equivalent microcontrollers for literally a tenth of the price of a real Hak5 Rubber Ducky btw, even though the user experience is probably a lot better on the OG.


The only usb sticks I leave laying about work are USBKill sticks.

We need new hardware anyway 🤪

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


2 minutes ago, Radium_Angel said:

The only usb sticks I leave laying about work are USBKill sticks.

We need new hardware anyway 🤪

lolwat

 

Is your username at work some variation of 'JobInsurance'?


51 minutes ago, Sarra said:

lolwat

 

Is your username at work some variation of 'JobInsurance'?

Heh,

 

I work for the gov't. My job (in IT) is classified as "mission critical" and as such, I *cannot* be fired.

For anything short of murder (I know, I looked into it. And as an "amusing" aside, the guy I replaced was because he had murdered his wife, so he lost his job. Make of that what you will.)

 


53 minutes ago, Radium_Angel said:

Heh,

 

I work for the gov't. My job (in IT) is classified as "mission critical" and as such, I *cannot* be fired.

For anything short of murder (I know, I looked into it. And as an "amusing" aside, the guy I replaced was because he had murdered his wife, so he lost his job. Make of that what you will.)

 

Well, I know who not to cross paths with, then. Hah.

 

You actually got me wondering if Enterprise servers have protections against USBKill devices. Not sure I've got a security clearance high enough to know the answer, but it would still be interesting to know.


3 hours ago, Sarra said:

Well, I know who not to cross paths with, then. Hah.

 

You actually got me wondering if Enterprise servers have protections against USBKill devices. Not sure I've got a security clearance high enough to know the answer, but it would still be interesting to know.

The gear we use does not.


11 hours ago, Radium_Angel said:

Heh,

 

I work for the gov't. My job (in IT) is classified as "mission critical" and as such, I *cannot* be fired.

For anything short of murder (I know, I looked into it. And as an "amusing" aside, the guy I replaced was because he had murdered his wife, so he lost his job. Make of that what you will.)

 

A dark alley is friendlier than a gov IT guy. 
