USB Rubber Ducky: The Complete Guide to HID Attacks and Keystroke Injection

USB Rubber Ducky Guide 2026: The Drive That Hacks

You find a USB drive labeled “CEO Salary 2026” in the parking lot. Curiosity wins. You plug it in. Within three seconds, your passwords vanish. You clicked nothing. You approved nothing. What happened?

This is the classic “Candy Drop” scenario that security professionals use to demonstrate one of the most elegant attack vectors in modern penetration testing. While organizations spend millions on firewalls, intrusion detection systems, and endpoint protection, the USB Rubber Ducky bypasses all of it by exploiting something far more fundamental: the implicit trust computers place in keyboards.

Your operating system has no firewall for keyboard input. If you can type it, the OS will execute it. The USB Rubber Ducky weaponizes this architectural trust by masquerading as a Human Interface Device rather than a storage drive. It hacks systems by mimicking the one peripheral your computer is programmed never to question.

The threat is not theoretical. According to Honeywell’s 2024 USB Threat Report, 51% of malware attacks are now designed specifically for USB devices, a six-fold increase from 9% in 2019. State-sponsored threat groups including China’s Camaro Dragon and Russia’s Gamaredon actively leverage USB devices as primary infection vectors. In Q1 2025 alone, one in four cybersecurity incidents handled by industrial response teams involved USB plug-and-play events.

This guide breaks down the mechanics, hardware ecosystem, scripting language, real-world attack scenarios, and defensive countermeasures every security practitioner needs to understand.


Understanding HID Spoofing: The Foundation of Keyboard Attacks

Technical Definition: HID Spoofing occurs when a USB device identifies itself to the host computer as a Human Interface Device (specifically a keyboard or mouse) rather than a mass storage device. The operating system accepts this self-declaration at face value because USB device enumeration relies on trust rather than verification.

The Analogy: Picture a bank robber wearing the uniform of a high-ranking security guard. The vault opens because the uniform (the Device ID) is inherently trusted. Nobody verifies the person inside the uniform. The USB Rubber Ducky operates on identical principles: it wears the “uniform” of a keyboard, and every operating system opens the vault.

Under the Hood: When the Rubber Ducky connects to a target machine, a precise handshake sequence unfolds in milliseconds. The device announces specific identifiers that determine how the operating system responds.

| Phase | Action | Technical Detail |
|---|---|---|
| Connection | Physical USB insertion | Device provides power draw signature |
| Enumeration | Device announces identity | Sends Vendor ID (VID) and Product ID (PID) as a generic HID keyboard |
| Driver Load | OS loads input drivers | Standard HID drivers activate automatically (no user prompt) |
| Trust Establishment | System accepts input | All subsequent keystrokes treated as legitimate user input |

The critical vulnerability lies in Phase 3. Operating systems (Windows, macOS, and Linux alike) automatically load standard HID keyboard drivers without requiring user permission. This design choice enables plug-and-play convenience for legitimate peripherals but creates an exploitable trust gap for malicious devices.


Pro-Tip: Organizations that implement “Disable USB Storage” policies believe they are protected. They are not. That policy blocks mass storage devices exclusively. A device announcing itself as a keyboard passes through without inspection because it never claims storage capability.


Keystroke Injection: Speed Weaponized

Technical Definition: Keystroke injection is the automated delivery of pre-programmed keyboard commands at superhuman speeds, frequently exceeding 1,000 words per minute. The technique transforms physical access into remote code execution by typing commands faster than any human could.

The Analogy: Imagine hiring the world’s fastest typist, handing them a specific script, and having them execute it the exact millisecond they gain keyboard access. That typist works for three dollars and never makes mistakes. That is what keystroke injection delivers.

Under the Hood: Once the operating system recognizes the “keyboard,” the Rubber Ducky sends digital scan codes representing specific keypresses. These codes follow the USB HID specification exactly. The OS cannot distinguish them from legitimate human input.

| Scan Code Type | Example | System Response |
|---|---|---|
| Modifier Keys | GUI (Windows key), ALT, CTRL | Opens system functions, triggers shortcuts |
| Alphanumeric | A–Z, 0–9 | Types characters into active window |
| Special Keys | ENTER, TAB, ESC | Executes commands, navigates interfaces |
| Combinations | GUI + R, CTRL + SHIFT + ESC | Triggers system dialogs, opens Task Manager |

The attack sequence typically follows a predictable pattern. First, the device opens a command interpreter (Run dialog, Terminal, PowerShell). Second, it types a payload, often a single command that downloads and executes malicious code. Third, it closes the window to eliminate visual evidence.

Critical Insight: The entire attack completes before most users register that anything happened. The Run dialog opens, commands type, and the window closes in under five seconds. Screen recording remains the most reliable forensic artifact.
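To make the scan-code table concrete from the defender's side, here is an added example (not code from the original article or from Hak5) that decodes USB HID boot-protocol keyboard reports, the 8-byte messages a host receives from any HID keyboard, injection devices included. This is the same decoding an analyst applies when reconstructing typed input from a usbmon or USBPcap capture after an incident. The sample reports are constructed by hand, and the shifted-digit mapping assumes a US layout.

```python
"""Decode USB HID boot-protocol keyboard reports into keystrokes.

Added example for this guide; not Hak5 code and not from the original
article. Every HID keyboard sends the host 8-byte reports: byte 0 is a
modifier bitmask, byte 1 is reserved, bytes 2-7 hold up to six key usage
IDs from the HID Keyboard/Keypad usage page (0x07). The sample reports
below are constructed; the shifted-digit table assumes a US layout.
"""

MODIFIER_BITS = {
    0x01: "LCTRL", 0x02: "LSHIFT", 0x04: "LALT", 0x08: "LGUI",
    0x10: "RCTRL", 0x20: "RSHIFT", 0x40: "RALT", 0x80: "RGUI",
}

# Usage IDs: 0x04-0x1d = a-z, 0x1e-0x27 = 1-9 then 0, plus a few specials.
USAGES = {0x04 + i: chr(ord("a") + i) for i in range(26)}
USAGES.update({0x1E + i: str((i + 1) % 10) for i in range(10)})
USAGES.update({0x28: "ENTER", 0x29: "ESC", 0x2A: "BACKSPACE", 0x2B: "TAB", 0x2C: " "})
USAGE_OF = {name: code for code, name in USAGES.items()}

SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))  # US layout assumption


def decode_report(report: bytes):
    """Split one 8-byte report into (modifier names, key names)."""
    if len(report) != 8:
        raise ValueError("boot-protocol keyboard report must be 8 bytes")
    mods = [name for bit, name in MODIFIER_BITS.items() if report[0] & bit]
    keys = [USAGES.get(code, f"0x{code:02x}") for code in report[2:] if code]
    return mods, keys


def reports_to_keystrokes(reports):
    """Turn a report sequence into keystroke tokens such as 'GUI+r' or 'n'.

    A key counts on the first report in which it appears; later reports that
    merely keep holding it add nothing. Shift upper-cases letters and maps
    digits to their US-layout symbols; other modifiers become a chord prefix.
    """
    tokens = []
    held = set()
    for report in reports:
        mods, _ = decode_report(report)
        codes = {c for c in report[2:] if c}
        shift = any(m.endswith("SHIFT") for m in mods)
        chord = [m[1:] for m in mods if not m.endswith("SHIFT")]  # drop the L/R prefix
        for code in sorted(codes - held):  # newly pressed keys only
            key = USAGES.get(code, f"0x{code:02x}")
            if shift and len(key) == 1:
                key = SHIFTED_DIGITS.get(key, key.upper())
            tokens.append("+".join(chord + [key]))
        held = codes
    return tokens


def render(tokens):
    """Timeline view: plain characters run together, chords and special keys
    in angle brackets."""
    return "".join(t if len(t) == 1 else f"<{t}>" for t in tokens)


# Constructed sample: GUI+r, "notepad", ENTER, each key pressed then released.
RELEASE = bytes(8)

def press(code, modifier=0):
    return bytes([modifier, 0, code, 0, 0, 0, 0, 0])

SAMPLE_REPORTS = [press(USAGE_OF["r"], 0x08), RELEASE]
for ch in "notepad":
    SAMPLE_REPORTS += [press(USAGE_OF[ch]), RELEASE]
SAMPLE_REPORTS += [press(USAGE_OF["ENTER"]), RELEASE]

if __name__ == "__main__":
    tokens = reports_to_keystrokes(SAMPLE_REPORTS)
    print(tokens)
    print(render(tokens))  # <GUI+r>notepad<ENTER>
```

The point for detection and forensics is that nothing in the report stream marks it as automated; the only distinguishing signal is timing, which is why the behavioral controls later in this guide look at inter-key cadence rather than content.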


The Hardware Ecosystem: Selecting Your Attack Platform

Security professionals have multiple hardware options for HID attacks. Each platform offers distinct advantages depending on engagement requirements, budget constraints, and operational security needs.

Hak5 USB Rubber Ducky

The professional standard for HID attacks. The current generation supports DuckyScript 3.0 with advanced logic, conditional execution, variables, and automatic OS detection. The device uses internal storage for multiple payloads and resembles an ordinary USB thumb drive.

| Specification | Detail |
|---|---|
| Form Factor | Standard USB drive appearance |
| Scripting | DuckyScript 3.0 with variables, loops, conditionals |
| Storage | MicroSD card for multiple payloads |
| OS Detection | Passive fingerprinting of Windows, macOS, Linux in ~1 second |
| Advanced Features | Keystroke Reflection, jitter, VID/PID spoofing |
| Price Range | $60–$80 USD |

Best Use Case: Professional penetration testing engagements where reliability and advanced payload capabilities justify the cost.

O.MG Cable

A weaponized USB cable that appears identical to standard charging cables. The O.MG platform embeds HID attack capabilities within the cable connector itself, making detection through visual inspection nearly impossible.

| Specification | Detail |
|---|---|
| Form Factor | Standard USB-A, USB-C, or Lightning cable appearance |
| Scripting | DuckyScript compatible via Wi-Fi configuration |
| Storage | Internal flash for payload storage |
| Connectivity | Built-in Wi-Fi for remote triggering and payload updates |
| Stealth | Passes visual and X-ray inspection as a legitimate cable |
| Price Range | $120–$180 USD |

Best Use Case: Social engineering assessments and supply chain attack simulations where the attack vector must survive physical inspection.


Flipper Zero

A multi-tool device that includes dedicated BadUSB functionality. The Flipper stores DuckyScript files internally and allows payload selection via its screen interface. The tradeoff is form factor: the device does not blend into corporate environments.

| Specification | Detail |
|---|---|
| Form Factor | Handheld device with screen (conspicuous) |
| Scripting | DuckyScript compatible |
| Storage | Internal storage for multiple payloads |
| Additional Features | RFID, NFC, Sub-GHz, infrared |
| Price Range | $150–$200 USD |

Best Use Case: Security research labs, demonstrations, and multi-vector testing where the additional capabilities justify the form factor.

Digispark ATtiny85 (DIY)

The budget option for security researchers. This $3–5 microcontroller can be programmed through the Arduino IDE to perform basic keystroke injection. The tradeoff is limited scripting capability and no onboard storage for multiple payloads.

| Specification | Detail |
|---|---|
| Form Factor | Bare circuit board (conspicuous) |
| Scripting | Arduino C++ code |
| Storage | Hardcoded in firmware |
| Limitations | No advanced logic, single payload |
| Price Range | $3–$5 USD |

Best Use Case: Learning environments and proof-of-concept demonstrations where budget constraints are primary.


DuckyScript: The Attack Language

Technical Definition: DuckyScript is a domain-specific scripting language designed for keystroke injection attacks. The language abstracts USB HID scan codes into human-readable commands, enabling rapid payload development without low-level programming knowledge.

The Analogy: If USB HID is the machine language of keyboards, DuckyScript is the high-level programming language that lets you write “open calculator” instead of manually encoding scan code sequences.

Under the Hood: DuckyScript 3.0 supports variables, conditional logic, loops, and functions. This transforms the device from a simple keystroke recorder into a programmable attack platform capable of adapting to different target environments.

Basic Syntax Examples

Simple Command Execution:

REM Open Run dialog
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING This is a test payload

Windows Credential Harvesting:

GUI r
DELAY 500
STRING powershell -w hidden -enc <BASE64_PAYLOAD>
ENTER

Cross-Platform OS Detection:

REM Requires the OS_DETECT extension from the Hak5 payload library,
REM which sets $_OS to WINDOWS, MACOS, LINUX, etc.
IF ($_OS == WINDOWS) THEN
    GUI r
    DELAY 500
    STRING cmd
ELSE IF ($_OS == MACOS) THEN
    COMMAND SPACE
    DELAY 500
    STRING terminal
END_IF

Key Commands Reference

| Command | Function | Example Usage |
|---|---|---|
| STRING | Types the specified text | STRING password123 |
| DELAY | Pauses execution (milliseconds) | DELAY 1000 |
| REM | Comment (not executed) | REM This is a comment |
| GUI | Windows key / Command key | GUI r opens the Run dialog |
| ENTER | Presses the Enter key | ENTER |
| CTRL, ALT, SHIFT | Modifier keys | CTRL ALT DELETE |

Real-World Attack Scenarios

Understanding theoretical concepts matters less than recognizing how attackers weaponize these techniques in actual engagements.

Reverse Shell Establishment

The most common payload establishes persistent remote access. The attack opens PowerShell, downloads a reverse shell script from attacker infrastructure, and executes it in memory to avoid antivirus detection.

Attack Flow:

  1. Device opens PowerShell with hidden window flag
  2. Script downloads Meterpreter or Cobalt Strike beacon
  3. Payload executes in memory (fileless attack)
  4. Attacker receives callback with remote shell access

The entire sequence completes in 5-10 seconds depending on network speed.

WiFi Credential Harvesting

Windows stores saved WiFi passwords in plain text accessible via command-line utilities. A simple payload extracts all stored credentials and exfiltrates them.


The command netsh wlan show profile name=* key=clear returns every saved network name and its associated password. Attackers combine this with output redirection to encode and exfiltrate data via DNS queries or HTTP POST requests to attacker infrastructure.

Security Awareness Demonstration

Harmless payloads serve valuable training purposes. A script that rotates the display 180 degrees via CTRL + ALT + DOWN demonstrates the vulnerability without causing damage. Users who experience a “prank” attack remember the lesson far longer than those who only hear warnings.


Blue Team Defense: Stopping HID Attacks

Defending against HID attacks requires layered controls spanning physical security, endpoint policy, and behavioral detection.

Physical Layer Controls

| Control | Implementation | Effectiveness |
|---|---|---|
| USB Port Blockers | Plastic inserts that require a physical key to remove | Prevents casual insertion |
| USB Data Blockers | Charge-only adapters that block the data pins | Allows charging without HID functionality |
| Workstation Positioning | Ports facing away from public access | Increases attacker visibility |
| Port Epoxy | Permanent port disabling | Extreme but effective for kiosks |

Endpoint Policy Controls

Operating system configuration can restrict which devices receive automatic driver loading.

Windows Group Policy Path:

Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions

Enable “Prevent installation of devices not described by other policy settings” and whitelist approved keyboard hardware IDs.

Linux USBGuard Implementation:

| Command | Function |
|---|---|
| sudo usbguard generate-policy > /etc/usbguard/rules.conf | Generate initial allowlist from connected devices |
| sudo usbguard list-devices | Display all recognized USB devices |
| sudo usbguard allow-device [id] -p | Permanently allow a specific device |
| sudo usbguard block-device [id] -p | Permanently block a specific device |
| sudo systemctl enable --now usbguard | Enable the USBGuard service |

Example USBGuard Rules (reject devices that combine a mass storage interface with a HID interface):

reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
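The two reject rules act on the interface classes a device announces during the enumeration phase described earlier, so the following added example (my code, not USBGuard's and not from the original article) ties the two sections together: it parses a USB configuration descriptor into usbguard's class:subclass:protocol notation and then evaluates a small rule list with usbguard's first-match semantics. The rule model is a simplified reading of the with-interface attribute in usbguard-rules(5); the descriptors and the VID:PID values are constructed.

```python
"""Parse USB configuration descriptors and evaluate USBGuard-style
interface rules against the result.

Added example for this guide; not USBGuard's code and not from the article.
Patterns are class:subclass:protocol in hex with '*' wildcards; all-of /
one-of / none-of / equals follow usbguard-rules(5) in simplified form.
All descriptors and VID:PID values below are constructed by hand.
"""
import struct

DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 0x02, 0x04, 0x05, 0x21


def parse_interfaces(config_desc: bytes):
    """Walk the descriptor chain returned for GET_DESCRIPTOR(CONFIGURATION)
    and list its interfaces as 'class:subclass:protocol' strings."""
    interfaces, offset = [], 0
    while offset + 2 <= len(config_desc):
        length, dtype = config_desc[offset], config_desc[offset + 1]
        if length < 2 or offset + length > len(config_desc):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DESC_INTERFACE and length >= 9:
            cls, sub, proto = config_desc[offset + 5:offset + 8]
            interfaces.append(f"{cls:02x}:{sub:02x}:{proto:02x}")
        offset += length  # HID, endpoint and unknown descriptors are skipped
    return interfaces


def _pattern_matches(pattern, iface):
    return all(p in ("*", i) for p, i in zip(pattern.split(":"), iface.split(":")))


def interface_set_matches(operator, patterns, interfaces):
    """Apply one with-interface operator to a device's interface list."""
    hits = [any(_pattern_matches(p, i) for i in interfaces) for p in patterns]
    if operator == "all-of":
        return all(hits)
    if operator == "one-of":
        return any(hits)
    if operator == "none-of":
        return not any(hits)
    if operator == "equals":  # every pattern present and every interface covered
        covered = all(any(_pattern_matches(p, i) for p in patterns) for i in interfaces)
        return all(hits) and covered
    raise ValueError(f"unknown operator {operator!r}")


def evaluate(rules, device, implicit="block"):
    """Target of the first matching rule, else the implicit policy target.
    Rules are (target, id or None, operator or None, patterns)."""
    for target, dev_id, operator, patterns in rules:
        if dev_id is not None and dev_id != device["id"]:
            continue
        if operator is not None and not interface_set_matches(operator, patterns, device["interfaces"]):
            continue
        return target
    return implicit


# --- constructed descriptors ---------------------------------------------------
def interface_descriptor(number, cls, sub, proto, endpoints=1):
    # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints,
    # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
    return struct.pack("<9B", 9, DESC_INTERFACE, number, 0, endpoints, cls, sub, proto, 0)

def endpoint_descriptor(address, attributes, max_packet, interval):
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, address, attributes, max_packet, interval)

# class-specific HID descriptor: HID 1.11, one 63-byte report descriptor
HID_DESC = struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, 63)

def config_descriptor(*interface_blobs):
    body = b"".join(interface_blobs)
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus powered), bMaxPower (100 mA in 2 mA units)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIG, 9 + len(body), len(interface_blobs), 1, 0, 0x80, 50) + body

KEYBOARD_IF = (interface_descriptor(0, 0x03, 0x01, 0x01)  # HID, boot subclass, keyboard protocol
               + HID_DESC + endpoint_descriptor(0x81, 0x03, 8, 10))
STORAGE_IF = (interface_descriptor(0, 0x08, 0x06, 0x50, endpoints=2)  # mass storage, SCSI, bulk-only
              + endpoint_descriptor(0x81, 0x02, 512, 0) + endpoint_descriptor(0x02, 0x02, 512, 0))
SECOND_KEYBOARD_IF = interface_descriptor(1, 0x03, 0x01, 0x01) + HID_DESC + endpoint_descriptor(0x82, 0x03, 8, 10)

DEVICES = {  # ids are made up
    "approved keyboard": {"id": "1234:5678", "interfaces": parse_interfaces(config_descriptor(KEYBOARD_IF))},
    "unknown keyboard": {"id": "abcd:0001", "interfaces": parse_interfaces(config_descriptor(KEYBOARD_IF))},
    "storage+keyboard": {"id": "abcd:0002",
                         "interfaces": parse_interfaces(config_descriptor(STORAGE_IF, SECOND_KEYBOARD_IF))},
}

RULES = [
    ("allow", "1234:5678", "equals", ["03:01:01"]),     # pinned corporate keyboard (constructed id)
    ("reject", None, "all-of", ["08:*:*", "03:00:*"]),  # the two rules quoted in the guide
    ("reject", None, "all-of", ["08:*:*", "03:01:*"]),
]

def decide_all():
    return {name: evaluate(RULES, dev) for name, dev in DEVICES.items()}

if __name__ == "__main__":
    for name, dev in DEVICES.items():
        print(f"{name:18} {dev['interfaces']} -> {evaluate(RULES, dev)}")
```

Note what the output shows: the composite storage-plus-keyboard device is rejected by the quoted rules, but a device that presents only a keyboard interface matches neither of them and is stopped solely by the implicit block policy. The allowlist, not the reject rules, is what keeps an unknown keyboard out, and since the guide lists VID/PID spoofing as a Ducky feature, an id-only allow rule can be impersonated; usbguard's `hash` attribute narrows the match further, but a device that clones the full descriptor set still passes, which is why behavioral detection is needed as the final layer.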

Behavioral Detection

The most sophisticated defense monitors typing patterns for non-human characteristics. Legitimate users type at 40-80 words per minute with irregular cadence. HID attacks type at 1,000+ WPM with machine-perfect timing.

Detection Indicators:

| Indicator | Threshold | Response |
|---|---|---|
| Typing Speed | >200 WPM sustained | Lock workstation, alert SOC |
| Command Interpreter Launch | PowerShell/cmd within 5 seconds of USB insertion | Block execution, quarantine device |
| Keystroke Regularity | Zero variance in inter-key timing | Flag as automated input |

Several commercial EDR platforms (including CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint) include HID attack detection capabilities. Open-source implementations exist for organizations building custom detection stacks.
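The three indicators above are simple to compute once key-down events are timestamped. The following added example (my code, not the article's and not any vendor's) applies them to a constructed host event stream of the kind an endpoint agent or input-event log supplies. The thresholds follow the table; the burst gap, the minimum burst length and the variance cut-off are my assumptions, and all timestamps are constructed.

```python
"""Flag automated keystroke input from a host event timeline.

Added example for this guide, not code from the article or any EDR vendor.
Events are dicts: {'type': 'key'|'usb_insert'|'proc_start', 't': ms, 'name'}.
Thresholds follow the guide's indicator table; BURST_GAP_MS, MIN_BURST_KEYS
and GAP_CV_THRESHOLD are assumptions. All sample timestamps are constructed.
"""
from statistics import mean, pstdev

WPM_THRESHOLD = 200            # guide: ">200 WPM sustained"
GAP_CV_THRESHOLD = 0.05        # guide: "zero variance"; small tolerance for clock jitter
USB_TO_SHELL_WINDOW_MS = 5000  # guide: interpreter "within 5 seconds of USB insertion"
BURST_GAP_MS = 2000            # assumption: a pause this long ends a typing burst
MIN_BURST_KEYS = 10            # assumption: shorter bursts are shortcuts, not "sustained"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def split_bursts(key_times_ms):
    """Group key-down timestamps into bursts separated by long pauses."""
    bursts, current = [], []
    for t in sorted(key_times_ms):
        if current and t - current[-1] > BURST_GAP_MS:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts


def analyze_burst(times_ms, chars_per_word=5):
    """Words per minute and inter-key timing statistics for one burst."""
    if len(times_ms) < 2:
        return None
    gaps = [b - a for a, b in zip(times_ms, times_ms[1:])]
    span_min = (times_ms[-1] - times_ms[0]) / 60000
    avg = mean(gaps)
    return {
        "keys": len(times_ms),
        "wpm": (len(times_ms) / chars_per_word) / span_min if span_min else float("inf"),
        "mean_gap_ms": avg,
        "gap_cv": pstdev(gaps) / avg if avg else 0.0,  # coefficient of variation
    }


def detect(events):
    """Return (indicator, response) pairs for the three indicators."""
    alerts = []
    key_times = [e["t"] for e in events if e["type"] == "key"]
    for burst in split_bursts(key_times):
        if len(burst) < MIN_BURST_KEYS:
            continue
        s = analyze_burst(burst)
        if s["wpm"] > WPM_THRESHOLD:
            alerts.append((f"typing speed {s['wpm']:.0f} WPM over {s['keys']} keys",
                           "lock workstation, alert SOC"))
        if s["gap_cv"] < GAP_CV_THRESHOLD:
            alerts.append((f"inter-key timing CV {s['gap_cv']:.3f}", "flag as automated input"))
    inserts = [e["t"] for e in events if e["type"] == "usb_insert"]
    for e in events:
        if e["type"] == "proc_start" and e.get("name", "").lower() in INTERPRETERS:
            deltas = [e["t"] - t0 for t0 in inserts if 0 <= e["t"] - t0 <= USB_TO_SHELL_WINDOW_MS]
            if deltas:
                alerts.append((f"{e['name']} started {min(deltas)} ms after USB insertion",
                               "block execution, quarantine device"))
    return alerts


# --- constructed samples -------------------------------------------------------
def keys_from_gaps(start_ms, gaps_ms):
    times, t = [], start_ms
    for g in [0] + list(gaps_ms):
        t += g
        times.append({"type": "key", "t": t})
    return times

# a person typing 20 characters with natural jitter (about 60 WPM)
HUMAN_EVENTS = keys_from_gaps(0, [180, 220, 150, 260, 190, 240, 170, 210, 200, 230,
                                  160, 250, 190, 210, 180, 240, 200, 170, 220])

# a device enumerated at t=10 s types 30 characters 10 ms apart; a shell appears 1.3 s later
INJECTION_EVENTS = ([{"type": "usb_insert", "t": 10000}]
                    + keys_from_gaps(10800, [10] * 29)
                    + [{"type": "proc_start", "t": 11300, "name": "powershell.exe"}])

if __name__ == "__main__":
    for label, ev in (("human", HUMAN_EVENTS), ("injection", INJECTION_EVENTS)):
        print(label, detect(ev) or "no alerts")
```

The minimum burst length matters in practice: a two-key shortcut has an arbitrarily high instantaneous WPM and a single gap with zero variance, so without it the speed and regularity indicators would fire on ordinary use. Hak5 sells jitter as a Ducky feature for exactly this reason, so the variance check should be treated as one signal among three rather than a standalone verdict.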

Pro-Tip: Effective defense combines all three layers. Physical controls deter casual attacks. Policy controls block unknown devices. Behavioral detection catches sophisticated attackers who bypass the first two layers.


Conclusion

The USB Rubber Ducky persists as an effective attack tool because it exploits architectural trust rather than software vulnerabilities. Patches cannot fix the fundamental design decision that keyboards receive implicit trust from operating systems.

Physical access translates to total access when defenders ignore HID attack vectors. The 2024-2025 threat landscape confirms this reality, with state-sponsored groups actively leveraging USB-based attacks against hardened targets and 51% of industrial malware now designed for USB delivery.

For penetration testers, HID attacks demonstrate impact that executive stakeholders immediately understand. For defenders, implementing layered controls (physical blockers, device whitelisting via USBGuard or Group Policy, and behavioral detection through EDR platforms) addresses the threat systematically.

The USB drive in the parking lot should stay in the parking lot. Build defenses assuming your users will plug it in anyway.


Frequently Asked Questions (FAQ)

Can antivirus software detect a USB Rubber Ducky attack?

Traditional antivirus solutions scan files for malicious signatures, but the Ducky is a keyboard, not a file. The device injects keystrokes that execute legitimate system commands. Endpoint Detection and Response (EDR) platforms offer better protection by flagging suspicious behavior patterns like terminal windows spawning and executing commands at superhuman speed.

Is owning a USB Rubber Ducky illegal?

Possession of HID attack hardware is legal in most jurisdictions when intended for security research and authorized testing. The illegality begins with unauthorized use. Plugging a Rubber Ducky into systems you do not own or lack explicit authorization to test violates computer fraud laws regardless of intent.

What distinguishes a Rubber Ducky from BadUSB?

“Rubber Ducky” refers specifically to the Hak5 product line. “BadUSB” describes the general class of vulnerabilities where USB devices masquerade as different device types. All Rubber Duckies exploit BadUSB vulnerabilities, but BadUSB attacks can originate from any reprogrammed USB device including modified flash drives, smartphones, and even weaponized cables like the O.MG platform.

Can I build a Rubber Ducky alternative for free?

Not entirely free, but extremely cheap. Microcontrollers like the Digispark ATtiny85 ($3-5) or Arduino Pro Micro ($5-8) can be programmed for HID attacks using the Arduino IDE. These budget alternatives handle most standard injection tasks but lack the advanced scripting, storage, and reliability of purpose-built devices.

How fast can a Rubber Ducky type?

Professional devices inject keystrokes at rates exceeding 1,000 words per minute, roughly 15 times faster than a professional typist. This speed allows complex payloads to execute in seconds. However, actual attack speed depends on target system responsiveness and appropriate delay configuration between commands.

What is Keystroke Reflection in DuckyScript 3.0?

Keystroke Reflection automatically detects the target system’s keyboard layout and adjusts scan codes accordingly. This feature solves the keyboard layout problem where payloads written for US QWERTY keyboards fail on international layouts like French AZERTY or German QWERTZ.

