Rubber Ducky attacks

Key takeaways

• USB Rubber Ducky attacks use USB devices that imitate keyboards to inject keystrokes that can execute commands, install malware, or alter system settings within seconds.
• Unlike traditional malware, there is no file to scan or quarantine, making it invisible to antivirus software and most conventional security tools.
• The Rubber Ducky stands apart from other USB-based attacks like BadUSB or USB baiting because it requires no stored files. It operates entirely through emulated keystrokes.
• Detection requires behavior-based monitoring and attention to unexpected input patterns.
• Prevention requires a layered approach—USB device allowlisting, privilege reduction, physical port controls, and user awareness.

What is a USB Rubber Ducky attack?

A USB Rubber Ducky attack is a hardware-based malware intrusion. A regular USB flash drive is designed to be recognized as a keyboard when plugged into a computer, so that it can automatically execute pre-programmed keystrokes at high speed. These keystrokes can be codes that perform malicious actions such as downloading payloads, changing settings, or stealing information. A USB ducky relies more on deception than code exploitation.

Unlike typical malware, there’s no software to scan or quarantine. The computer simply sees a trusted keyboard input. This makes the attack incredibly stealthy and fast, often completing before a user can even notice that something malicious is afoot.

Origin of the USB Rubber Ducky

The USB Rubber Ducky was created by Darren Kitchen, founder of Hak5, a cybersecurity and penetration testing company. Kitchen originally developed the keystroke injection concept around 2010 as a personal productivity tool, a way to automate repetitive IT tasks like fixing printer configurations and network shares. The device was never designed with the intent of being used as a weapon. It became one when the security community recognized its potential as a penetration testing tool.

Hak5 released the first commercial version of the USB Rubber Ducky in 2011, along with DuckyScript 1.0, a minimal scripting language with just a handful of commands. Despite its simplicity, the device quickly became a fixture in penetration testing kits and gained wider cultural recognition through appearances in TV shows and films. A significant update arrived in 2022 with the Mark II hardware revision and DuckyScript 3.0, which introduced a full structured programming language with variables, conditionals, loops, and OS detection capabilities.

Today, the USB Rubber Ducky is sold commercially by Hak5 and is used legitimately by security researchers, penetration testers, and IT professionals worldwide. But the same device that is used to demonstrate vulnerabilities in authorized security assessments is also being used maliciously.

How Rubber Ducky works

The Rubber Ducky attack works by exploiting the inherent vulnerability of how computers treat USB keyboards as trustworthy by default. A typical USB device mounts like storage media. But a USB device with the Rubber Ducky firmware declares itself a Human Interface Device (HID). So, the computer immediately allows it to send keystrokes, no questions asked.

This process is driven by USB enumeration—the handshake that happens the moment any USB device is plugged in. During enumeration, the operating system queries the device for its class descriptor. When the device declares class 03h (HID), the OS loads the appropriate keyboard driver automatically, without prompting the user, because the OS has no built-in way to distinguish a legitimate keyboard from an emulated one at the hardware level.

So, once the USB device is recognized as a HID, it:

• Sends a pre-loaded sequence of keystrokes to the operating system.
• Opens command-line interfaces (CLIs), browsers, or applications automatically.
• Executes commands to modify settings, download files, or create new user accounts.

This process of execution is called keystroke injection. The device delivers a burst of pre-programmed inputs to the target machine at speeds far beyond what any human could achieve, typically hundreds of keystrokes per second. Because the OS treats every keystroke as coming from a trusted input device, no security prompt is triggered.

Examples of a USB Rubber Ducky attack

A Rubber Ducky attack can happen anywhere physical access to a machine is possible. Here are some common scenarios:

Example 1: The unattended workstation

An employee leaves their laptop unlocked during a quick coffee break. An attacker plugs in a Rubber Ducky device that silently opens a terminal, creates a hidden user account, and adds it to the administrators group. By the time the employee returns, the attack is complete.

Example 2: The giveaway and baiting traps

At a trade show, free USB drives are offered as promotional gifts. Or USB drives are intentionally left in public places. These may contain Rubber Ducky devices that, when connected, quickly download reconnaissance scripts or open browser tabs leading to phishing sites.

Rubber Ducky payload explained

A Rubber Ducky payload is a sequence of scripted actions the device is programmed to execute once it's recognized by the computer as a keyboard. They are written in DuckyScript, a simple scripting language purpose-built for the Rubber Ducky platform. DuckyScript lets attackers define key sequences, delays, and conditional logic. The script is compiled and flashed onto the device's microcontroller before deployment, so no script files are stored on the device itself during the attack, as the keystroke injection happens entirely through the HID channel.

Here are simple real-life examples that illustrate what a typical payload is designed to do:

• Identity check: The device runs a command, retrieves the name of the currently logged-in user, and closes the window almost instantly.
• Grab-and-go reconnaissance: The device briefly displays and records visible drives or network interfaces to understand the environment.
• Stealth persistence attempt: The device performs a very small configuration change intended to establish long-term access to the system.
• Credential probe: The device opens credential-related panels or dialogs to determine what stored information may be accessible.
• Link-and-redirect: The device opens a browser window to a specific webpage that fingerprints the machine, often appearing as an unexpected tab.

How Rubber Ducky differs from other USB-based attacks

There are many USB-based attacks, and often, they all sound similar. Here's a quick look at how different USB-based attacks exploit different system behaviors:

• Bad USB: Modifies the firmware of legitimate USB devices to make them perform malicious actions (e.g., act as network adapters or mass storage devices). Unlike Rubber Ducky attacks, bad USB often involves reprogrammed legitimate devices rather than purpose-built HID tools.
• USB drop attack: Relies on social engineering, where attackers leave infected drives in public hoping someone plugs them in. The infection typically happens via stored malware files, not injected keystrokes.
• USB baiting: Similar to USB drop attacks but with psychological manipulation—the device might be labeled employee salaries or confidential report to entice a victim. Again, the payload resides on the drive, not in emulated keystrokes.

The USB Rubber Ducky stands apart because it doesn’t need to store or transfer files at all; it simply uses HID keyboard emulation to impersonate a keyboard and executes instructions instantly, bypassing most malware detection methods. And because it operates over the HID channel rather than the storage channel, it leaves no file footprint for antivirus tools to scan, making it one of the dangerous malware intrusion techniques in use.

How to detect and stop Rubber Ducky attacks

Detecting signs of a Rubber Ducky attack

Detection is challenging because the operating system sees the device as a legitimate keyboard. However, security teams can still identify unusual patterns such as:

• Extremely fast or repetitive keystroke injection activity.
• CLIs or PowerShell windows opening without user interaction.
• Sudden USB HID connection events followed by script or process launches.
• Endpoint detection and response (EDR) tools showing new device logs paired with system changes.
• Windows Event Logs recording a new HID device class during USB enumeration, particularly when no keyboard was visibly connected.

Preventing attacks before they happen

The most effective defenses address both human factors and system vulnerabilities, some of which include:

• Restrict USB ports: Use device control software to block new HID devices or allow only approved ones.
• Reduce privileges: Revoke administrative rights from users who don't need them to perform their duties. This limits what injected commands can do.
• Use port blockers: Physically cover unused USB ports in public or shared spaces.
• Train users: Educate users to follow a strict device usage policy.
• Deploy behavior-based protection: Enable EDR tools that detect abnormal input rates and new HID activities.

Responding to a suspected incident

If a Rubber Ducky attack is suspected:

• Immediately isolate the affected machine from the network to prevent lateral movement and data exfiltration.
• Do not reboot the machine, as volatile memory (RAM) may contain evidence of running processes or injected commands that a restart would destroy.
• Preserve USB connection logs. Specifically, check Windows Event Logs for Event ID 2003 and 2100 or Linux syslogs for HID device registration events tied to the attack window.
• Pull EDR telemetry data for the relevant timeframe and look for any particular processes like cmd.exe, powershell.exe, or wscript.exe that ran around the same time for analysis.
• Check for persistence mechanisms like new scheduled tasks, registry run keys, new local accounts, or dropped files in temporary directories.
• Reimage the device if compromise is confirmed. Do not trust the machine after a successful keystroke injection attack.

Frequently asked questions