2018-02-18

How to block a USB Rubber Ducky / BadUSB

Synopsis

In order to block a USB Rubber Ducky (or any other covert keyboard) have your screen automatically locked when any keyboard is connected. Penteract Disguised-Keyboard Detector does just that.

Expansion

Today, anyone who wants to gain access to your computer need only order a "USB Rubber Ducky" online, and load it with their payload. Then they can leave it somewhere where you'll find it and when you insert it into your computer to examine it, it will send commands to your computer as if the attacker is sitting at your keyboard. This happens even if you have turned off Autoplay.

Penteract Disguised-Keyboard Detector addresses that threat by locking the screen when a keyboard is detected. If you meant to connect a keyboard - just go ahead and type in your password to unlock it. If not - the disguised keyboard will not be able to run commands on your computer any more than a person sitting by your locked screen.

Traditionally, the advice for protecting from this kind of attack was mainly to avoid connecting any USB device of unknown source. But that's not always practical, nor is it in your hands. If you're responsible for a company's computers, you can't ensure that no one will insert a rogue USB device and infect the company's network. Another way suggested is by whitelisting or blacklisting devices. Besides being of limited practicality, it might be circumvented by spoofing device IDs.

aka: Stop USB Rubber Ducky - Defend against USB Rubber Ducky - Block BadUSB
Terms of Use