What Is A USB 'Rubber Ducky'?

Who knew rubber duckies could have a sinister meaning? No, not yellow rubber duckies that float in the bathtub. The rubber ducky that you plug into a computer's USB port, like a flash drive, that is designed to impersonate a keyboard. In reality, it houses what's called a payload, or malicious code, that injects a keystroke attack. In other words, when you plug it into a USB port, it tricks the computer into thinking it's a keyboard, but instead it delivers pre-programmed keystrokes to achieve a task, in seconds. This is called keystroke injection and it's one way to hack modern devices. Before you know it, your computer or device is executing commands that you have no control over.

How is that even possible? A rubber ducky deploys code, loaded onto the USB drive, from a programming language called Ducky Script. When plugged in, the drive automatically executes the code, achieving whatever the attacker wanted to do. It can be any type of storage device, even repurposed old USB drives. It works because to a computer, a keyboard is inherently trusted — it's a peripheral the computer automatically recognizes. The rubber ducky abuses that trust, like a vampire asking to enter your home, only the home is your computer. There is a silver lining. Rubber duckies are often used by ethical or white-hat-hackers, the "good guys," like cybersecurity professionals and researchers learning how to defend against this kind of attack. Even so, that doesn't mean a rubber ducky couldn't be used for nefarious activities.

It's frightening to know you can plug in a regular-looking USB drive and suddenly your computer is taken over. That's why cybersecurity experts say you should always avoid plugging in unknown devices, like if you find a USB drive laying around. If it's a rubber ducky, loaded with malicious code, it could be used to bypass security and authentication, create remote access backdoors, steal data, modify connected networks, and alter your system by modifying registry keys or disabling firewalls.

Within seconds, the ducky code can open PowerShell — an administrative toolset — create a new administrative user with system-level access, and start causing damage, all without you noticing. As long as a ducky has that access, it can download more code, give hackers remote control, wipe hard drives, steal data, monitor you, and record keystrokes, the latter of which could be used to gain access to your online accounts. It's scary stuff.

But it's not something that occurs without the USB drive or storage device being physically plugged in first. It can also happen if you plug into a compromised public USB port, which is why you should avoid public USB charging ports altogether. That's also why the TSA warns travelers about a dangerous iPhone setting that enables "juice jacking" via USB port. If you're not plugging in, or into, unknown devices, the threat is minimal. Moreover, don't give storage devices you use to strangers as they can load the drive with malicious code before giving it back.