Rubber Duck Danger

USB drives have posed a challenge to network administrators for many years. Despite the growth in cloud storage, WiFi and cellular coverage, the humble USB storage device is still popular. It is a convenient way to move or back up files, but it poses a threat to the security of network data.

The USB port provides an external point of entry to the computer system. Without controls in place, confidential documents can be copied to a device and removed from the premises. Another risk is that inserting a drive can harm the connected device: malicious files can be transferred to the host machine when the drive is inserted and its contents scanned. Such an incident could be accidental, although deliberate USB drop attacks were shown to work in 2016.

It is relatively straightforward to lock down USB ports so that they cannot be used. In most desktop systems there are USB ports at the front of the machine and others at the back as part of the motherboard assembly. The front ports are connected to the motherboard by removable cables; these can be unplugged, and if the back of the case is locked into a suitable cradle, adding or removing devices at any port becomes physically impossible. It may also be possible to disable the USB ports in the motherboard BIOS; access to the BIOS will then need to be password protected, but that precaution should already be in place. It is also possible to disable the USB storage function within the operating system. In Windows this can be achieved through the Registry or by changing Group Policy settings. These software settings prevent the use of USB storage devices but not other USB devices such as a mouse or keyboard.
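The two Windows software controls just mentioned, applied from PowerShell, as an added example that is not part of the original article. It disables the USB mass-storage driver through its service registry key and writes the registry value behind the Group Policy setting "All Removable Storage classes: Deny all access", then lists the keyboard-class devices that remain visible to show exactly what these settings leave untouched. It assumes an elevated session on a supported Windows release; the registry paths are the standard ones, and a reboot (or unplug and replug) may be needed before a driver that is already loaded is affected.

```powershell
# Added example, not code from the original article. Run from an elevated
# (Administrator) PowerShell session.

# 1. Stop the USB mass-storage driver from loading. Start = 4 means "disabled";
#    Start = 3 (the default, demand start) restores it.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# 2. Write the value that the Group Policy setting
#    "All Removable Storage classes: Deny all access"
#    (Computer Configuration > Administrative Templates > System >
#     Removable Storage Access) sets when enabled.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name Deny_All -Value 1 -Type DWord

# 3. Confirm the result. The storage driver is now disabled, but every
#    keyboard-class device, including one that is really a rubber ducky,
#    still enumerates; the VID/PID shown in InstanceId is whatever the
#    device chose to report in its descriptor.
Get-ItemProperty -Path $usbstor -Name Start |
    Select-Object @{ n = 'USBSTOR Start'; e = { $_.Start } }
Get-PnpDevice -PresentOnly -Class Keyboard |
    Select-Object Status, FriendlyName, InstanceId |
    Format-Table -AutoSize
```

In a domain, the second step is normally set once in a GPO rather than written by hand; the registry value is shown here so the effect of the policy can be checked on a single machine.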

The rubber ducky is a hardware device built to look like a USB pen drive. In reality it consists of a keyboard controller connected to a micro SD card. When plugged into a computer it is recognised as a keyboard. The SD card holds a script that injects a rapid sequence of keystrokes. These can be the instructions to open a program such as the cmd window or a shell and then pass command line instructions to cause further harm. The devices are relatively easy to build from common parts or can be bought ready-made with simple commands already loaded. The humble USB stick makes a good disguise, although the device could equally be made to look like some other USB connector or dongle to appear harmless. The operating system uses the device descriptor presented by an inserted device to determine what to do with it. Rubber ducky attacks rely on presenting the device identification of a keyboard, not a mass storage device.

The hardware options described above, physically blocking the ports, are the only way to guarantee that USB ports are secure. The potential damage caused by a rubber ducky can however be limited. Many scripts depend on admin access to do serious damage to the host system; if users do not log in with admin privileges then many injected scripts will fail, because at some point the script will be asked for the admin or root password and the attacker is unlikely to know it. Even so, any defence should assume that the attacker does know the admin password, or that some workaround in the script will launch an application that can harm the system without needing it. Devices can be blocked by whitelisting or blacklisting their vendor and product IDs, but since any identification presented by a rubber ducky will be fake, even a whitelist of known corporate devices cannot be relied upon.

Software options to combat rubber ducky attacks are beginning to appear. As with many hacking avenues there is a race between exploitation and defence. One option is to detect when a new keyboard is connected and either lock the machine or interfere with the stream of characters it injects. Because the characters are injected at high speed, there remains the possibility that some damage will have been done before any system recognises and blocks it.
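The "lock the machine when a new keyboard appears" option, combined with the vendor/product ID whitelist from the previous paragraph, as an added example that is not code from the original article or from any product. It subscribes to WMI device-creation events for keyboard-class devices, extracts the VID/PID the device claims, and locks the interactive session if that pair is not on an allow-list. The allow-list entries and the sample instance ID in the comments are constructed placeholders. Both caveats the article raises are visible in the code: the event is polled, so keystrokes delivered before the poll fires have already landed, and a device that copies a whitelisted VID/PID passes the check.

```powershell
# Added example, not code from the original article. Run in the logged-on
# user's session and keep that session open. The allow-list values are
# constructed placeholders; replace them with the IDs of issued keyboards.

$Global:AllowedKeyboards = @(
    'VID_0000&PID_0001',   # placeholder: issued desktop keyboard
    'VID_0000&PID_0002'    # placeholder: issued laptop dock keyboard
)

# Pull "VID_xxxx&PID_yyyy" out of a PnP instance ID such as the constructed
# sample HID\VID_0000&PID_0001&MI_00\7&1A2B3C4D&0&0000. Returns $null when
# the device reports no USB-style IDs at all (for example a PS/2 keyboard).
function Global:Get-VidPid {
    param([string]$InstanceId)
    if ($InstanceId -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
        return ('VID_{0}&PID_{1}' -f $Matches[1], $Matches[2]).ToUpper()
    }
    return $null
}

# WMI intrinsic event: a new Win32_PnPEntity of class Keyboard was created.
# WITHIN 1 is the polling interval in seconds and is the floor on reaction time.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
         "AND TargetInstance.PNPClass = 'Keyboard'"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'KeyboardArrival' -Action {
    $dev    = $Event.SourceEventArgs.NewEvent.TargetInstance
    $vidpid = Get-VidPid -InstanceId $dev.PNPDeviceID
    $when   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    if ($vidpid -and ($Global:AllowedKeyboards -contains $vidpid)) {
        Write-Host "$when allow-listed keyboard $vidpid ($($dev.Name))"
        return
    }

    # Unknown keyboard: lock the workstation so that further keystrokes land
    # on the lock screen, and record what was seen. Anything typed before this
    # handler ran has already been delivered; the lock limits the damage, it
    # does not prevent it.
    Write-Warning "$when unknown keyboard $($dev.PNPDeviceID) ($($dev.Name)); locking session"
    rundll32.exe user32.dll,LockWorkStation
}

# Keep the session alive so the subscription keeps firing.
# Stop with:  Unregister-Event -SourceIdentifier 'KeyboardArrival'
while ($true) { Wait-Event -Timeout 5 | Out-Null }
```

The warning line is the detection record; on a managed fleet it would be forwarded to the log collector rather than left on the console, so that a burst of unknown-keyboard events across several machines can be spotted as one incident.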

The core issue that businesses face is not how to technically prevent the use of USB storage devices but why employees feel the need to use them. If there is no need for such devices then there is no danger from them, and any attempt to introduce one can be treated as a deliberate threat.

How long has it been since someone needed to access a floppy disk in the normal course of business? As the use of floppy disks declined, so did the provision of 3½" drive bays. The task is to look into why people might need USB storage devices and to adopt practical alternatives. In some cases it may not be obvious that a USB device is seen by the system as a mass storage device. Mobile phones are often presented to the operating system as mass storage devices because they store images from the camera, and employees may be using USB ports simply to charge their phones. The storage element of the phone might be compromised, or the outer shell of a phone used as an elaborate rubber ducky host.

Cloud storage and the related security protocols should make the right documents available to the right people anywhere. Unfortunately there is always a chance that a connection cannot be made because of a lack of network coverage (secure or otherwise) or a power outage. This would most likely affect employees who need access to company documents away from base, perhaps as part of a sales pitch. Scenarios such as these need to be identified and procedures put in place that do not depend on USB storage. If a laptop is to be used to present information then that information can be retrieved through the company network and a copy stored locally. It is much easier to secure a laptop and the data on it, should the device be lost or stolen, than to secure a USB storage device. There should always be a last resort plan for when there is no mains power and all battery power is lost; the audience should acknowledge such a situation and cut the presenter some slack.

As is often the case with network security, user education and responsible working practice will be the first line of defence against rubber ducks or any other threat.
