A rubber ducky is just an adorable little bathtub toy for children, right? Well, it used to be, but now, this seemingly innocuous label has been applied to a potentially nefarious hacking tool. The rubber ducky looks like any other USB flash drive, but when you insert the rubber ducky, the computer perceives a keyboard, and it allows that “keyboard” to enter a host of preset keystrokes.
Theoretically, this tool is for penetration testing. Security experts can use rubber duckies to test the resiliency of their computers systems. But hackers can also use the rubber ducky for keystroke injection attacks, and there are all kinds of tips and instructions online to help them. To protect your bank from this threat, here’s what you need to know.
Keystroke Injection Attacks
Computers have certain built-in safeguards against flash drives, and they don’t automatically run programs from these devices. In contrast, most computers intuitively trust keyboards. When they receive a keystroke from a keyboard, they assume that a trustworthy user is putting in those keystrokes and they follow the directions.
In light of that, if you put in a rubber ducky into a computer, the rubber ducky can tell the computer to take all kinds of actions including the following:
- Go to a certain website and download malware or ransomware.
- Pull up a website with code that puts a “backdoor” into your system, giving hackers the entrance they need to manipulate accounts or commit other types of fraud.
- Launch an app or a reverse-shell program, allowing the hacker to track the keystrokes you enter so they can steal usernames, passwords, and other critical details.
- Delete, add, or steal files.
- Change server settings to route your online banking customers to a malicious site that steals their information.
This list is just the tip of the iceberg. The potential of these devices is really only limited by the creativity and technical acumen of their users.
Converting Traditional Thumb Drives to Rubber Duckies
Clever hackers don’t even need a rubber ducky. They can start with a traditional thumb drive and convert it to a rubber ducky. To do that, they need to change the class codes of the device so the computer reads the thumb drive as a keyboard. Then, they need to download apps that let them get rid of the device’s firmware, and finally, they need to enter new scripts so the rubber ducky can do their bidding.
Implementing an Attack
To implement an attack with a rubber ducky, the hacker has to physically put the flash drive into a computer or convince someone else to do it. If there is a computer in your financial institution that is not in a locked office and a hacker is able to put in a flash drive, it takes between five seconds and a minute for the computer to recognize the drivers. Once recognized, the rubber ducky can enter keystrokes at a rate of up to 1,000 words per minute. That can wreak a lot of havoc quickly.
Alternatively, the hacker may try to convince one of your bank’s employees to put in the USB drive. For instance, they may send the drive to your human resources representative. They may include fake labels and paperwork claiming that the rubber ducky contains a demo for HR software. To see the demo, your HR rep puts the thumb drive in the computer, and at that point, the rubber ducky takes all the information about your employees and sends it to another computer.
To give you another example, imagine a hacker pretends to apply for a loan. He hands a rubber ducky to your loan officer and says that it is a thumb drive containing files related to his income. Completely unaware of the potential for disaster, your loan officer puts in the thumb drive. They can see a couple files that look like income verification details, and they save those files. However, at the same time, in the background, the rubber ducky is quickly installing a backdoor in the system. The “loan applicant” never returns, but his hacker friends use the back door to steal funds from your bank.
The rubber ducky is just the beginning. There are all kinds of inexpensive hacking tools on the market, and the internet is full of tips and ideas on how to use them. If you want to protect your financial institution, you need top notch security solutions. To learn more, contact us directly. At SQN Banking Systems, we focus on making security as easy as possible, so our clients can focus on running their banks, credit unions, and other financial institutions.