Code Quacks: What is a Rubber Ducky USB?

Believe me or not, but a rubber duck is a powerful term in cybersecurity, and not because hackers have a thing for bath toys, simply because of a device known as the Rubber Ducky USB. Sounds nice and cute, but it is often used by hackers, both ethical and not very “ethical”. This device looks like a regular flash drive, but instead of storing files, it acts as a keyboard that can quickly type out pre-programmed commands as soon as it is plugged in. (I shared a demo below).

Since operating systems automatically trust keyboards as input devices, Rubber Ducky can run commands without raising security alarms.

The way it works is simple yet effective. Rubber Ducky uses a scripting language called Ducky Script. This script allows it to open a terminal, type commands, and execute tasks super fast.

This simple script demo shows how Rubber Ducky can act like a keyboard, opening a notepad and typing out pre programmed commands when plugged in. While this demo is harmless, it follows the same logic used in real attacks. Instead of typing a friendly message, an attacker could modify the script to execute harmful commands. (Please remember it is for educational purposes only). Thanks! :)

DELAY 1000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING This automated script comes fr0m a Rubber Ducky.
ENTER
STRING Ethical hackers use such tools t0 test security vulnerabilities.
ENTER
STRING be careful plugging unknown USB devices

DELAY 1000 Waits for one second after the USB is plugged in to make sure the system is ready to receive commands.

GUI r Simulates pressing Windows + R to open the Run dialog (on macOS, this could be changed to COMMAND SPACE to open Spotlight).

DELAY 500 Waits half a second to ensure the Run dialog opens.

STRING notepad Types (notepad) into the Run dialog.

ENTER Presses Enter to launch Notepad.

DELAY 1000 Waits for Notepad to open.

STRING Types out a message.

ENTER Moves to the next line.

STRING Types another message.

ENTER Moves to the next line.

STRING Types a security reminder.

Since many security solutions focus on detecting software-based threats, they often ignore hardware-based attacks. Ethical hackers use devices like Rubber Ducky for pen-testing (to test how resistant a system is, we can say, mimicking an actual attacker’s actions). It is fast and convenient.

One common way ethical hackers use this device, is by testing how an organization handles unauthorized USB inputs. By plugging a Rubber Ducky into a system, they can test if security policies prevent external devices. If it successfully runs a script, it reveals that the system is vulnerable to hardware based attacks. Thus, security teams can then improve their defenses by applying stricter USB restrictions, disabling ports, or requiring user authentication for new input devices.

Another important use of a Rubber Ducky in penetration testing is simulating phishing attacks and credential theft. Ethical hackers can program it to automatically open a command prompt, extract saved passwords from web browsers, or capture keystrokes typed by a user. This is simply the power of automation.

The Rubber Ducky is also used to test endpoint security by seeing whether an organization's detection tools can recognize and block such behavior. Since the device does not install malware, security software that relies only on virus scanning may not flag it as a threat. If these tools fail to respond, then obviously, there is a gap in the security defenses. And it is also important to note, that many cyberattacks come from within an organization, where employees have physical access to systems.

The effectiveness of the Rubber Ducky as a penetration testing tool comes from its ability to demonstrate real-world attack scenarios without needing deep technical expertise.

This type of attack does not require advanced hacking skills. Someone could easily leave an infected USB lying around in an office or marking it as a giveaway at an event. Now if we imagine the scenario, where an unsuspecting person plugs it into their computer, the script will run immediately, running harmful commands without them realizing it. Within seconds, their device could extract sensitive data, install hidden software, or create a secret backdoor for the hacker to access later or simply delete an operating system like a “Killer USB”.

One of the best ways is to limit USB access is by blocking unauthorized devices from connecting to computers. Some companies disable USB ports entirely on work computers to remove the risk. Security teams can also use software that detects unusual keyboard activity, such as an abnormally fast typing speed.

apollynary

4,070 followers

View more on Instagram

Remember that learning how attacks are executed is the first step on knowing how to defend against them. Even though in this attack, it might be impossible to restore, let’s say, breached data from affected device. Knowing this will help to prevent this, at least. You should always have a backup by the way!

So stay cyber-safe and do not plug random USBs into your device!

Best,

Polina Moshenets