Duckhunting – Stopping Rubber Ducky Attacks

One morning, a balaclava-wearing hacker walks into your office. You assume it’s a coworker, because he’s wearing a balaclava. The hacker sticks a USB drive into a computer in the cube next door. Strange command line tools show up on the screen. Minutes later, your entire company is compromised. The rogue makes a quick retreat carrying a thumb drive in hand.

This is the scenario imagined by purveyors of balaclavas and USB Rubber Duckys, tiny USB devices able to inject code, run programs, and extract data from any system. The best way — and the most common — to prevent this sort of attack is by filling the USB ports with epoxy. [pmsosa] thought there should be a software method of defense against these Rubber Duckys, so he’s created Duckhunter, a small, efficient daemon that can catch and prevent these exploits.

The Rubber Ducky attack is simply opening up a command line and spewing an attack from an emulated USB HID keyboard. If the attacker can’t open up cmd or PowerShell, the attack breaks. That’s simple enough to code, but [pmsosa] has a few more tricks up his sleeve. Duckhunter has a ‘sneaky’ countermeasure feature, where one out of every 5-7 keystrokes is blocked. To the attacker, the ‘sneaky’ countermeasure makes it look like the attack worked, where in fact it failed spectacularly.

There are a number of different attacks similar to what the Rubber Ducky can accomplish. Mousejack performs the same attack over Bluetooth. BadUSB is a little more technical, allowing anyone with access to a device’s firmware to turn your own keyboard against you. Because of the nature of the attack, Duckhunter shuts them all down.

Right now the build is only for Windows, but according to [pmsosa]’s GitHub there will be Linux and OS X versions coming.

Filed under: security hacks

from Hackaday http://ift.tt/2dSEA2T
via IFTTT