How to detect a USB Rubber Ducky?

17

8

Three weeks ago my company ordered a lot of hardware (real hardware, not IT-related) from China.

Today, the warehouse girl comes to my office and says that, mixed in the stuff, she found a white USB drive saying "Lihuiyu Studio Labs 2012.10.25"

[Image: USB drive]

Curious, I had a reaction like "YAY! A free USB drive! Let's see what's inside!" and stupidly plugged it into my main machine, and I was shocked to discover that it's detected as a USB HID and keyboard.

Paralyzed from the shock, I waited 20-30 seconds before removing it.

Nothing happened on screen; a USB Rubber Ducky-like device should show something on screen, right? There is no way that it has compromised our company system with some lightspeed commands impossible to see with the naked eye, right?

Primary question:

Is there any way to protect Windows systems from USB devices like this?

We need to plug in hundreds of different USB drives every week, so removing/disabling USB support is not an option.

Secondary question:

How can I see what this USB device is really doing?

Magnetic_dud

Posted 2012-12-12T11:14:12.950

Reputation: 3 210

8 If it's a programmed keyboard, no matter if autorun is disabled, it can run any command AND bypass UAC – Magnetic_dud – 2012-12-12T12:32:34.903

Yes, I think the commands will be visible – Magnetic_dud – 2012-12-12T13:41:51.743

3 @James, why in the world would they be visible? A command can delete files, create them, send emails, open a backdoor to your system. None of this would cause a window to pop up on your screen. – terdon – 2012-12-12T13:43:06.113

@Magnetic_dud, not if they are run as services or simply with no GUI right? – terdon – 2012-12-12T13:44:05.223

@James, I see, thanks. Still there must be a way of running commands with no visual output even on windows, surely! – terdon – 2012-12-12T14:24:25.013

The simple solution is to stop ordering parts from China or scan each device before it's approved to be used. I have no idea what a "USB Rubber Ducky" is exactly. – Ramhound – 2012-12-12T14:52:10.897

7

A USB Rubber Ducky is a USB HID device with which "anyone is able to craft payloads capable of changing system settings, opening back doors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access -- all automated and executed in a matter of seconds."

– RedGrittyBrick – 2012-12-12T15:18:00.683

People put USB labels like that on there because other people are nosey and want to see what it does, so they are more inclined to plug it in. Update your virus software and scan your computer. – cutrightjm – 2012-12-13T01:18:27.313

1 "There is nothing that could be done to protect Windows systems from USB devices like this?" Sure, don’t plug in anything suspicious. Maybe that’s too obvious. "How I could see what this USB device is really doing?" Use a quarantined honeypot instead of a connected, production system. Again, perhaps too obvious; forest for the trees sort of thing… – Synetech – 2013-10-27T18:44:04.353

Answers

0

There's no danger with inserting this device in your computer. It's just a dongle for a laser engraver software suite named WingraverXP supplied with some budget laser machines. I have one of the machines and it's supplied with an identical USB stick.

Estwick George

Posted 2012-12-12T11:14:12.950

Reputation: 56

1 If I was a computer cracker, I would put a rubber ducky into a case, that would encourage you to plug it in. – ctrl-alt-delor – 2016-09-25T13:39:22.933

2

No no no no no!!! please DON'T listen to this answer! terdon is correct. I can't believe this is marked as the answer...

– MiaoHatola – 2017-03-05T19:53:35.427

Cool, I got a free dongle for a software for controlling a machine that I don't own :) – Magnetic_dud – 2013-01-02T15:07:09.583

11 Thank goodness no one's invented a way to put more than one type of device into the same type of casing, or to program devices to do more than one thing. – Rob Moir – 2013-03-01T08:36:43.620

18

In a similar vein to what your mother may have told you as a young child about accepting packages from strangers, when you find a strange USB drive in a warehouse filled with Chinese screwdrivers, or whatever it happens to be, do not plug it into a computer that is part of your company's network. Ever.

That is really the best way of "protecting Windows systems from USB devices like this". Having said that, as James said in the comments, the first and obvious methods of attack would be blocked by turning off the removable drive auto-run feature, but if someone really wants to harm a computer, I am sure a talented hacker could do so without the auto-run enabled.

Next time you have a weird USB stick fall from the sky like that and you want to see what it is, you connect it to a computer that is not part of any network, has no internet connection and no critical data.

Now, chances are there is an irate docker somewhere on the shores of China lamenting the loss of his wireless keyboard, nothing nefarious was in the drive and absolutely nothing is wrong with your computer. As a general rule though, you don't connect strange devices to networks.

UPDATE

I don't think there is a way of actually detecting a rubber ducky. The good news is that the best known one does not look like the picture you posted. On the other hand, what the hypothetical USB fowl does depends entirely on its payload and cannot be predicted. There will, therefore, not be a rock solid way of checking since you cannot know beforehand what it attempted to do.

terdon

Posted 2012-12-12T11:14:12.950

Reputation: 45 216

I don't think there is a way of actually detecting a rubber ducky. - partially true. See my answer. – User42 – 2018-02-18T13:09:50.943

6

If your drive really identifies as a keyboard, the safest way to determine which keystrokes it sends is probably a hardware USB keyboard logger. You can get those all over the internet, just google "usb keyboard logger".

Of course, this does not prevent the unidentified device from actually sending keystrokes to the system you are plugging it into, so you should not do this on a production system.

Since you probably don't want to disable support for USB HID and keyboard devices, I don't think there is anything you can do to prevent such attacks, other than not plugging untrusted devices into your machine.

EDIT: Since I am unable to comment on the other answers: Disabling auto run only prevents the automatic execution of files on the connected USB drive. However, if this device identifies as a keyboard, it will likely send keystrokes and not offer you files. Disabling auto run does not protect you against keystrokes.

Chris

Posted 2012-12-12T11:14:12.950

Reputation: 813

Keylogging, like with a passthru usb logger like KeyGrabber, is a good addition to the use of a safe-p0wnable device to test the found USB stick. – Rondo – 2016-05-13T22:26:08.413

1

Penteract Disguised-Keyboard Detector

It locks the screen when it detects a keyboard has been connected.

User42

Posted 2012-12-12T11:14:12.950

Reputation: 180

This software seems to have been removed from the Microsoft Store. – Chris – 2020-02-25T14:15:17.600

@Chris Strange. It's still there for me (US region). But maybe because I have it installed? I don't think so because I can see it on the web too. – User42 – 2020-02-26T16:19:15.300

I can see it now as well. Maybe it was just a temporary error on the Microsoft servers but the link to the store returned an error message when I tried it 2 days ago. – Chris – 2020-02-28T09:04:54.323
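
The behaviour described in the last answer (lock the screen when a keyboard is connected) can be approximated with built-in Windows tooling. The PowerShell below is an added example, not part of the original thread and not Penteract's code; it assumes PowerShell 5.1 with the PnpDevice module (Windows 8 / Server 2012 or later) and runs in the logged-on user's session, and the baseline path and poll interval are hypothetical choices.

```powershell
# Added example: lock the session when a keyboard outside the recorded baseline appears.
$BaselinePath = Join-Path $env:ProgramData 'kbd-baseline.txt'   # hypothetical location
$PollMs       = 500                                             # arbitrary poll interval

function Get-KeyboardIds {
    # Instance IDs of keyboard-class devices that are attached right now.
    @(Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty InstanceId)
}

function Get-VidPid([string]$InstanceId) {
    # Pull "VID_xxxx&PID_xxxx" out of the instance ID when present. The device
    # reports these values itself, so use them for triage, not as proof of identity.
    if ($InstanceId -match 'VID_[0-9A-F]{4}&PID_[0-9A-F]{4}') { $Matches[0] } else { 'n/a' }
}

# First run: record the keyboards present now as the approved set.
if (-not (Test-Path $BaselinePath)) {
    Get-KeyboardIds | Set-Content -Path $BaselinePath
}
$approved = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(Get-Content -Path $BaselinePath),
    [System.StringComparer]::OrdinalIgnoreCase)

while ($true) {
    foreach ($id in Get-KeyboardIds) {
        # Add() returns $true only for an ID not seen before, so each new
        # device raises one alert per run of the script.
        if ($approved.Add($id)) {
            $msg = '{0:o} new keyboard {1} ({2})' -f (Get-Date), $id, (Get-VidPid $id)
            Write-Warning $msg
            Add-Content -Path "$BaselinePath.log" -Value $msg
            # Lock the workstation so further keystrokes land on the lock screen.
            & rundll32.exe 'user32.dll,LockWorkStation'
        }
    }
    Start-Sleep -Milliseconds $PollMs
}
```

This check is reactive: keystrokes a device sends between enumeration and the next poll are not blocked, so it complements rather than replaces the advice above to test unknown devices on an isolated machine. The log it writes also gives a record of which instance IDs appeared and when.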