March 21, 2015

We have been using the USB Rubber Ducky in our assessments for quite a while, but we are still impressed by how easy it is to compromise complete networks just by having someone plug this USB stick in as part of a social engineering assessment.

Back in the day an executable was placed on a USB stick and AutoRun executed it as soon as the stick was plugged in. Microsoft has since disabled AutoRun for USB storage on newer Windows versions (and backported that change to older ones), so you have to rely on the user clicking or opening a payload, the payload must be crafted for the exact OS, and so on. A pain.

Not with the Rubber Ducky. The Rubber Ducky recently helped us compromise a lot of MacBooks at an audit, along with Microsoft Windows 8 machines and the Linux desktops of administrators. Why is it so easy? Because the Rubber Ducky emulates a keyboard rather than executing a program. To the machine it is plugged into, it looks like a user typing: enabling the camera from the CLI, opening a reverse shell, whatever the payload scripts. There is no file to scan and no AutoRun setting to block, and the typed commands run with the privileges of whoever is logged in. This is what makes it so hard for an OS to defend itself against it.
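Because the device presents itself as a plain USB HID keyboard, the one thing that distinguishes it from a person at the keys is timing: a keystroke injector types a whole payload at machine speed with nearly uniform gaps between keys, while a human is slower and far more irregular. The following is an added example written for this post, not code from the Rubber Ducky project or the original article; it runs a timing heuristic over constructed keystroke log lines (the `<ts_ms> <device> <key>` format, the thresholds and the device names are assumptions made for illustration).

```python
"""Keystroke-timing heuristic for spotting a USB keystroke injector.

Added example, not part of the Rubber Ducky project or the original post.
Log format, thresholds and device names are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

# Assumed thresholds (tune for your fleet): sustained sub-40 ms gaps with
# almost no spread are typical of injection, not of human typing.
MAX_INJECTED_MEAN_MS = 40.0   # mean inter-key gap below this looks injected
MIN_HUMAN_STDEV_MS = 15.0     # human timing has a much larger spread
MIN_BURST_KEYS = 8            # need this many keys before judging a device

# Constructed sample log: one human typing, one injector, one device with
# too few events to judge. Format: "<timestamp_ms> <device> <key>".
SAMPLE_LOG = [
    "# human at the built-in keyboard, irregular gaps",
    "0 kbd0 h", "180 kbd0 e", "320 kbd0 l", "560 kbd0 l", "700 kbd0 o",
    "950 kbd0 SPACE", "1100 kbd0 w", "1390 kbd0 o", "1500 kbd0 r", "1720 kbd0 l",
    "# new HID keyboard typing a payload at a constant 10 ms cadence",
    "5000 hid1 GUI", "5010 hid1 r", "5020 hid1 c", "5030 hid1 m", "5040 hid1 d",
    "5050 hid1 ENTER", "5060 hid1 n", "5070 hid1 e", "5080 hid1 t", "5090 hid1 c",
    "5100 hid1 a", "5110 hid1 t",
    "# a device that only sent a couple of keys",
    "9000 hid2 a", "9010 hid2 b", "9020 hid2 c",
]


@dataclass
class KeyEvent:
    t_ms: float   # event timestamp in milliseconds
    device: str   # identifier of the input device that produced the key
    key: str      # key name as logged


def parse_log(lines: List[str]) -> List[KeyEvent]:
    """Parse '<ts_ms> <device> <key>' lines; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, key = line.split(maxsplit=2)
        events.append(KeyEvent(float(ts), device, key))
    return events


def intervals(events: List[KeyEvent]) -> List[float]:
    """Gaps in milliseconds between consecutive events of one device."""
    return [b.t_ms - a.t_ms for a, b in zip(events, events[1:])]


def classify_burst(events: List[KeyEvent]) -> str:
    """Return 'injected', 'human' or 'insufficient' for one device's events."""
    if len(events) < MIN_BURST_KEYS:
        return "insufficient"
    gaps = intervals(events)
    if mean(gaps) < MAX_INJECTED_MEAN_MS and pstdev(gaps) < MIN_HUMAN_STDEV_MS:
        return "injected"
    return "human"


def typed_keys(events: List[KeyEvent]) -> str:
    """Reconstruct what a device typed, for the incident report."""
    return " ".join(ev.key for ev in events)


def analyze(lines: List[str]) -> Dict[str, str]:
    """Group events per device and classify each; returns device -> verdict."""
    by_device: Dict[str, List[KeyEvent]] = {}
    for ev in parse_log(lines):
        by_device.setdefault(ev.device, []).append(ev)
    return {dev: classify_burst(evs) for dev, evs in by_device.items()}


if __name__ == "__main__":
    verdicts = analyze(SAMPLE_LOG)
    events = parse_log(SAMPLE_LOG)
    for dev, verdict in verdicts.items():
        print(f"{dev}: {verdict}")
        if verdict == "injected":
            print("  typed:", typed_keys([e for e in events if e.device == dev]))
```

The heuristic is deliberately simple; a real deployment would also key on the hot-plug event itself (a second keyboard appearing while one is already present) and would raise the thresholds or add a per-device whitelist to avoid flagging fast typists.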

We recently did a social engineering audit at a large insurance company. One of our ladies simply went to the unrestricted coffee break area by the reception and put out 10 USB sticks with different tags on them, such as GRAB ME – I AM FREE, MANAGEMENT CONFIDENTIAL or LATEST 2015 EMPLOYEE PAYROLL. Guess what? All 10 USB sticks were taken within 15 minutes, and only 2 hours later 8 of the 10 employees who took this “free gift” had inserted it into their machines and opened a reverse shell to us.

This shows once again that perimeter and endpoint defenses count for little if employees plug in USB sticks they find in the coffee area. And this was a large insurance company. Imagine private users in a Starbucks? Scary.

These devices cost around $45 USD each. Imagine a real hacking group purchasing 100 of them for malicious purposes.

We can only warn again and again: don’t plug unknown USB sticks into your devices, especially not ones you don’t know the origin of.
