Hak5's new USB Rubber Ducky, unveiled at the Def Con hacking conference in Las Vegas, is more effective than ever, thanks to the inclusion of a new structured programming language (DuckyScript 3.0) that allows it to execute more sophisticated hacks.
The beloved hacker tool can now pwn you with its own programming language:
To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard — which means it accepts keystroke commands from the device just as if a person was typing them in.
"Everything it types is trusted to the same degree as the user is trusted," Kitchen told me, "so it takes advantage of the trust model built in, where computers have been taught to trust a human. And a computer knows that a human typically communicates with it through clicking and typing."
[...] The newest Rubber Ducky [...] ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that).
[...] Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.
[...] It also comes with an online development suite, which can be used to write and compile attack payloads, then load them onto the device. And it's easy for users of the product to connect with a broader community: a "payload hub" section of the site makes it easy for hackers to share what they've created, and the Hak5 Discord is also active with conversation and helpful tips.
Shouldn't this be fairly easy to block by something like the OS requiring user confirmation to connect a communications device ("Do you want to connect this keyboard?")? [hubie]
(Score: 2) by pkrasimirov on Sunday August 21 2022, @06:57PM (3 children)
"Do you want to connect this keyboard?"
"Da."
(Score: 4, Insightful) by mhajicek on Sunday August 21 2022, @08:46PM (2 children)
"Press F1 to continue."
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 5, Funny) by Gaaark on Sunday August 21 2022, @08:52PM (1 child)
Heh: that's like when I used to use Windows. During an install, there was no driver for my modem so Windows asked if I'd like it to go online and download a driver.
I was like "Ummmm.... sure. You do that.....how?" :)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by turgid on Monday August 22 2022, @09:54AM
Everyone has like about 12 spare modems obviously.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 3, Insightful) by maxwell demon on Sunday August 21 2022, @07:29PM (8 children)
How do you answer that question if the only keyboard attached to the computer is the very keyboard you've just attached on USB?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by choose another one on Sunday August 21 2022, @07:39PM (2 children)
My first thought too... however thinking more carefully, under what circumstances is that going to happen? - only if the keyboard you _were_ using is unplugged or disabled somehow. That is a lot more noticeable, surely?
And if there is a previous keyboard you were using before, why not ask for confirmation from that keyboard to use a new one (another PITA user-approval thingy, but...)?
(Score: 4, Informative) by mhajicek on Sunday August 21 2022, @08:49PM (1 child)
If I'm switching keyboards, it's because I spilled my beverage on it and it's acting up. Happens about once every five years. Could ask for keyboard confirmation to accept a new mouse, or mouse confirmation to accept a new keyboard.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 1) by aafcac on Monday August 22 2022, @01:28AM
Spilling shouldn't be much of an issue beyond it getting sticky and possibly ant infested. At least for many modern membrane keyboards. It's probably more of an issue for older style ones that have that nice clickety clack from actual switches that probably get messed up by liquids.
(Score: 2, Interesting) by pTamok on Monday August 22 2022, @07:41AM (4 children)
To authorise the connection of a new USB device, type the following on an already attached keyboard, or enter the following on an already attached mouse or trackpad, or take a picture of this QR-code and display it to the built-in, or already attached, camera. You could probably do something with microphone input as well.
(Score: 2) by maxwell demon on Monday August 22 2022, @08:36AM (1 child)
That all assumes that some input device is attached when the keyboard gets attached.
But the QR code example gave me an idea: Display a random key and ask to enter that key on the very keyboard you want to authorize. A USB stick won't be able to read the key off the screen. Also, you'd get an automatic visual feedback telling you a keyboard got attached, so if the device you attached isn't actually a keyboard, you immediately know that something is fishy and can immediately remove the newly attached USB device (which might do other damage besides acting as keyboard, so removing it ASAP is a good idea even if its keyboard functionality is successfully blocked).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by maxwell demon on Monday August 22 2022, @08:41AM
I just noticed that I probably should clarify one point in my post:
Here with "key" I of course don't mean "key on the keyboard" like "the escape key", but a string of alphanumeric letters, like a registration key.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by pTamok on Monday August 22 2022, @11:25AM (1 child)
Note to self: always, always, ALWAYS use Preview. Sigh.
I had some ‹variable› text enclosed in less-than and greater-than signs and didn't escape them, or use the single angle quotation marks (guillemets) "‹›", so some of the meaning of my previous posting was lost.
Essentially, as a later poster pointed out, requesting an auto-generated random sequence (or pseudo-random) on a different, already attached and therefore presumably trusted, input device such as another keyboard, a mouse or trackpad (click the buttons in a sequence), a camera reading a QR-code that you took a picture of, or maybe an audio input to the microphone would make spoofing a new keyboard difficult.
(Score: 2) by maxwell demon on Tuesday August 23 2022, @06:10AM
And my point was that this fails if there is no other input device attached. However it is absolutely safe if the code is entered at the newly attached (and not yet trusted) keyboard, as the spoofed keyboard would not be able to get at the code.
You might fear the device simply brute-forcing the code, but that is easily avoided by rate-limiting the typing to what a human could do.
Also, you could limit the number of allowed tries, and after that you'd need to disconnect and reconnect the keyboard to try again. While the disconnect/reconnect could be simulated in hardware, the complete USB negotiation would have to be repeated (causing an additional, rather severe rate limiting), and more importantly, a new random code would be generated.
Additionally, the reconnecting itself could also be rate limited (as a human physically reconnecting a keyboard needs some time that would not be a problem for legitimate keyboards). Say to at most twice a second.
With those measures, just six alphanumeric characters should give sufficient security.
The Tao of math: The numbers you can count are not the real numbers.
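A small model of the gate described in the comment above, added here as an illustration and not part of the thread: a random code shown on screen must be typed on the new keyboard at human speed, with limited tries and rate-limited reconnects. The class name, the 36-symbol alphabet, the three-try limit and the 50 ms keystroke floor are assumptions; the six-character code and the twice-a-second reconnect limit come from the comment.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumption: 36 case-insensitive symbols
CODE_LEN = 6              # "six alphanumeric characters" from the comment
MAX_TRIES = 3             # assumption: attempts allowed per connection
MIN_KEY_GAP = 0.05        # assumption: seconds; anything faster is not human typing
MIN_RECONNECT_GAP = 0.5   # "at most twice a second" from the comment

class KeyboardGate:
    """Keeps a newly attached keyboard untrusted until the on-screen code is typed on it."""

    def __init__(self):
        self.last_connect = None
        self.code = None
        self.tries_left = 0
        self.trusted = False

    def connect(self, now):
        """Device attached at time `now`; returns the code to display, or None if refused."""
        too_soon = (self.last_connect is not None
                    and now - self.last_connect < MIN_RECONNECT_GAP)
        self.last_connect, self.trusted = now, False
        if too_soon:  # reconnect faster than a human could replug: no new challenge
            self.code, self.tries_left = None, 0
            return None
        self.code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.tries_left = MAX_TRIES
        return self.code

    def submit(self, keystrokes):
        """One attempt: list of (timestamp, char) received from the new device."""
        if self.trusted or self.code is None or self.tries_left == 0:
            return self.trusted
        self.tries_left -= 1
        times = [t for t, _ in keystrokes]
        too_fast = any(b - a < MIN_KEY_GAP for a, b in zip(times, times[1:]))
        typed = "".join(c for _, c in keystrokes).upper()
        self.trusted = not too_fast and typed == self.code
        return self.trusted

def worst_case_guess_rate():
    """Guesses per second for a device that replugs as fast as the gate allows."""
    return MAX_TRIES / MIN_RECONNECT_GAP

def expected_seconds_to_guess():
    """Mean blind-guessing time: half the code space at the worst-case rate."""
    return (len(ALPHABET) ** CODE_LEN / 2) / worst_case_guess_rate()
```

Under these assumed limits a blind guesser gets at most 6 attempts per second, so the mean time to hit a six-character code is about 181 million seconds, roughly 5.7 years.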
(Score: 5, Insightful) by hendrikboom on Sunday August 21 2022, @07:37PM
So effectively, this keyboard acts like a real USB drive would if you had told your computer to autorun any USB drive you plug in.
So we want an autorun option for a plugged-in keyboard and mouse, so we can turn it off.
But then we need to be able to tell the computer that what we're plugging in is the real keyboard?
Yes, I can imagine methods.
Perhaps ignoring any keyboard unless it enters the right user name and password?
Perhaps sending your cell phone a six-digit random number to type in on the newly plugged-in keyboard?
-- hendrik
(Score: 3, Insightful) by Anonymous Coward on Sunday August 21 2022, @09:18PM
No. If bad-actors can read the password on the post-it, you've got bigger problems. i.e., anything that could confirm the keyboard as legit is going to cause just as many problems for legit users. See also, UEFI, secure boot, etc.
Said before, and will say again, at some point the mitigation of "insider threats" has to come down to hiring good people and trusting them. You can have the best security apparatus in the world. It doesn't mean anything if it's in the hands of a dictator and/or infested with bad actors.
(Score: 0) by Anonymous Coward on Sunday August 21 2022, @11:31PM
https://www.youtube.com/watch?v=Mh85R-S-dh8 [youtube.com]
(Score: 4, Interesting) by darkfeline on Sunday August 21 2022, @11:38PM (1 child)
Simple solution as always, don't insert untrusted items into your computer. (Tangentially, same thing goes for your body.) USB wasn't designed for that use case (e.g., no software can prevent a malicious device from frying your USB port and possibly your motherboard).
Join the SDF Public Access UNIX System today!
(Score: 1) by ShovelOperator1 on Monday August 22 2022, @03:40PM
But do we really TRUST the keyboards?
Won't we wake up with exploitable keyboards in every home, as we have woken up with "this-will-be-secure" UEFI, locked ROMs in PDAs, security cameras with root hardcoded passwords and prohibited communication protocols?
Blinking keyboard LEDs is one of the oldest things done by more advanced keyboards to get data from the computer. I have my programmable keyboard which gets its program from these signals. I found it when I had a secondary keyboard connected with pass-through - it was even possible to capture what data is being sent, although the manufacturer was so convenient that they just gave the source code for the driver/utility in the driver's disk. In QBASIC. But we have woken up with unauditable drivers for nearly every device.
(Score: -1, Spam) by Silverwing500 on Monday August 22 2022, @01:35AM (2 children)
Is no one aware, that this is an aristarchus sub, slipping through the ban and blockade?
(Score: 0) by Anonymous Coward on Monday August 22 2022, @02:07AM (1 child)
Only aristarchus would know that.
(Score: -1, Spam) by LittleWing on Monday August 22 2022, @06:24AM
Curious. If true, why would he advertise it? Attracting Spam mods?
(Score: 0) by Anonymous Coward on Monday August 22 2022, @04:36AM (1 child)
If you have a text editor open and the window active, would this thing just type the commands into it?
(Score: 4, Informative) by maxwell demon on Monday August 22 2022, @05:42AM
Not if the first thing it types is Win+R (assuming it is a Windows computer).
The Tao of math: The numbers you can count are not the real numbers.