RubberDucky, the famous USB hacking tool, has a new, more dangerous version.
Darren Kitchen revealed RubberDucky 3.0 at DEF CON, proving the famous danger is still alive.
The major change is in DuckyScript, a harmful programming language. Earlier versions could only write keystroke sequences, but this version’s language allows for functions, variables, and if-then-else controls.
One of the product’s main drawbacks is that users have to tailor their commands to work with specific OSes and versions of software; with these updates, that should no longer be an issue. To put it another way, previous versions of RubberDucky were considerably less adaptable than version 3.0.
The revised utility detects if it’s connected to a PC or Mac and acts accordingly. By encoding information in binary and sending it through keyboard signals, it can steal data from a hacked endpoint.
The attacker need just insert the USB disc for a brief time to grab the credentials.
The name of the gadget may strike fear in computer users, but it’s a physical thing that’s useless without direct access to the machine it’s supposed to target. Widespread adoption is unlikely. A single device costs over $60, making it unlikely that thieves would buy and distribute hundreds to cafés and libraries to steal credentials.
However, prominent people should exercise caution while being handed USB devices (or finding one, anywhere).