7:25 It's because the system can set (from inside) the CAPS lock and NUM lock state of keyboards. The keyboard is aware of change. So if the Ducky can be a keyboard, it also can be aware of such changes. If the script uses these state changes to transmit a message, the keyboard (here the Ducky) can read them and store the data into a file. It's genius.

For additional info, Rubber Duckies are INSANELY easy to access and learn. I built my own out of an Arduino - it’s pretty much identical in functionality to a Rubber Ducky 1.0 and it cost me maybe 6 Canadian Dollars. Granted, I use it to automate basic batch scripts to quickly troubleshoot Windows PCs for myself and some friends but anyone willing enough could definitely do some damage with it if they were so inclined.

I did a project on this in college in 2014 and nearly got a failing grade because my prof said it was unrealistic. I've seem so many things that work like rubber duckies since and it's just grinds my gears every time! These things are neat but dang can they do some harm.

We need to properly thank I-Am-Jakoby for their various contributions to the Rubber Ducky community! Their work made a lot of this possible. Check out their github for some really useful Rubber Ducky resources: github.com/I-Am-Jakoby

For testing: use vm snapshots to return to a previous state. To get the rubber ducky to work in a vm, pass trough a usb hub or pci card directly to the vm. (not the ducky device itself, that's going to cause issues)

I remember learning about these many years ago in some certification classes I took when I was 14 & 16. A lot of server places will actually have their USB ports flat out disabled to prevent physical malware attacks and cables locked away behind metal from where they can be physically tampered with the prevent wire tapping even if they are already in locked facilities.

Finally a video on these, they've been a thing for ages! Never plug in a random flash drive you've found or been given a lot of the times.

These things have been available for over a decade, I’m surprised Linus has only just made a video on this cool device.

As an IT guy you could test your clients IT Security Awareness with these and load a script onto them, that automatically books the person into the next Security Seminar, so they can learn what to do the next time they find a random USB Stick

Hak5: it was made to automate mundane office tasks Also Hak5: "Attack mode"

I still use my original rubber ducky to automate all kinds of things and to demo why you don't plug in random flash drives. Such an amazing piece of kit and the rubber ducky 2.0 is even more amazing!

Hak5 brings back so many memories. I'm glad the LTT labs people found a use for their duckies, but I'm not sure I learned all that much.

Security analyst here, I've only seen one on a network once, they're pretty interesting! I hope you guys cover more cybersecurity topics

6:00 4 months later and this has suddenly become a real story XD

I would love for LTT to do more videos on Cyber Security

I always laughed at people for "acting like just plugging in a single USB stick could cause THAT much harm". I guess, I was the fool.

Before USB there were versions of this for PS/2. They were largely used for some of the same legitimate tasks, usually some form of automation, or, in some cases they could act as a converter between RS-232 and PS/2 for some serial devices. The tricky part of these USB HID "attacks" is that unlike the old route of a malicious autorun, you can't avoid it by holding shift, and of course once it's plugged in, it gets activated and can start "typing". Some AV software has started adding "keyboard authorization" features to try to combat these types of devices. One interesting approach of dealing with a suspicious "drive" is to plug it in while in a VM (with shortcuts to 'escape' the VM disabled) . Even though it will connect to the host machine, if it is device like this, then keystrokes it tries to send will go to the VM. Heck a MS-DOS VM running a tiny DOS program that just logs key scancodes to a text file could even provide insight on what exactly it is trying to do.

Glad that your highlighting security tools, tricks, and remediation. Keep doing videos like this. As a security professional I think tech KZbinrs can play an important role in educating users

Wow this is scary. I am sure someone could modify a keyboard using a hub and a build in rubber ducky to make it look even less harmfull. If someone receives a USB keyboard by mail, if it looks better than their current keyboard, I am sure many wouldn't hesitate to plug it in their computer to try it.

Would absolutely LOVE an LTT deep dive on Hak5 tools

This better be the start of a Hak5xLTT collaboration! Fly Darren and Shannon up to The Lab and let's get a few videos out of this!!

Just now do I realize that I actually want one of these, being able to plug in a drive and have it automate a couple commands looks useful as hell

6:11 4 months later that has never been more ironic, LMAO

Colton crying after opening the company to a cyber threat is very foreshadowing xD

This sounds like a dream come true for every of Linus's viewers who have grandparents.

You know wireless BadUSBs exist, they're open source too : ) search for them on KZbin

I was wondering if LTT would do more security-related videos like the Rubber Ducky. I was pretty excited for this.

Those are old news, but its good that someone from the mainstream is actually covering this attack venue, and yet another lesson on why not to plug random USB accessories willy nilly

I've been watching Hak5 since 2006, LTT since about 2015..... I was SUPER excited to see this video pop up. I really really hope there's more! Commenting for the algorithm to show this is a great video!

10:35 Thanks Linus. Now I know what a rubber ducky looks like. I can safely plug in that USB I found this morning on the sidewalk - it doesn't have that folding silver shield on it, so can't be a rubber ducky.

At a University near where I live they scattered 50 of these around with a simple script to ping a specific IP so that they could record how many People plugged it in. They recorded 80 different IP Adresses.

Ah yes, the old USB port as an attack vector. Funny you should mention DSM, because one of their SysOps gave a talk at a local small time Defcon type of convention and he mentioned the use of hot melt glue to stop USB port based attacks. Still I always figured that given what we did as kids in high school during the 90s these kinds of attacks would be obvious by now. All of the computers in HS ran NT4, so their drives were NTFS. Except for the computers in the computer lab, because due to curriculum requirements those were W95 machines. Now IT had considered that diskettes would be an attack vector, so they passworded the BIOS and made the A and B drives non-bootable. Except they messed up. All the BIOSes had the same password. Windows 95 is basically a glorified DOS shell, so any user would have low-level access to the hardware. So use W95 to make a dump of the BIOS, take it home, grep the password from the dump. Prep a muLinux diskette with the NTFS read kernel driver, use BIOS password on NT4 box to enable booting from diskette. Boot up muLinux, grab the SAM files, take em home and run L0pht at your leisure. It left no trace on the school computers and meanwhile we had Domain Admin level access.

This could be very useful for destroying scam call centers, because you know how much of a plague those scammers are! Create a script that completely wipes the servers and BOOM! No more call centers!

5:56 the irony here is palpable - this scene didn't age very well for LMG.

as a cyber security professional i would love to see LMG pick up more cyber content. LinusSecTips????

The main infosec advice I give to people is simple "Unless you know what it is, don't put it in". Works decently for other bad decisions you make sometimes too.

LTT needs to do a video on installing windows and user V admin accounts and how to set them up to be secure, topics like login options for users and how they matter.

That recreation of the Mr.Robot's scene with the usb thumb drive taken and plugged in by the cop was funny AF with Colton being the victim 😂

I've been using a ducky for 5 years to automate changing settings in windows and install software for machines we sell to customers to ensure that they are ready to use out of the box.

Can you build a 5 minute version of this? I would love to share this with my non-technical staff, just so they can know the danger. Heck, that would be a fantastic new channel--security issues for non security people.

I always wondered if they were going to ever release a newer version of the Duckie, I've had mine for years and it is a super useful tool, especially if you work in I.T. and have to do mundane task, I use mine to install software we use at work after a reimage

6:00 This did not age well post session cookie hack.

I hope the dide taking the usb stick to IT security got a bonus. Hardly anyone does that. Even many IT people would just carelessly plug it in. And that's why social engineering is even a thing. If technical security measurements get better and better, the only weakness that's basically impossible to reliably patch is the user. Humans will always make mistakes. That's why it's more important than ever before to make people aware of those threats and educate them. I think that devices like this should be legal. The main reasons are 1. Someone will do it anyway, no matter if it's legal or not 2. If it's done anyway it's better to make it public to show that devices like that exist and what they can do

Colton running malicious software did not age well in hindsight did it? :P

So cool to see Linus tackling some cybersecurity now. Everyone could use some extra awareness.

I'm surprised he hasn't reviewed one of these sooner. I've used these for years, amazing tools, but also pretty deadly if you wanted to use it as such

Love seeing this, I would love more security integration from LTT in videos ❤

That Jacket is Wild. Straight outta the 90s. Love it.

Hey linus i doubt this will ever been seen but ive got an idea for a video for you, i recently bought a gaming laptop with an i7 and 3060 and it gave me the inspiration for the idea. The challenge is get every big computer youtuber you can think to chip in a single completely random spec component of a custom gaming pc (good or bad) preferably intel and give it away to a random fan ones the build is complete

You really emphasized "Being safe" at the end there🤣

These are VERY useful tools, different versions too!

Great video! Thanks for educating about this kind of attack 😃 Been working on a couple of Open-Source BadUSB projects myself recently.

I bought one of these to automate iPad and Mac deployments when we aren’t using DEP. Saves SO MUCH TIME, it just needs to be updated occasionally

The Writer, Tanner McCoolman, was excellent for this video. As someone that was trained in CySec and learned how to use a USB Rubber Ducky, it was very well explained on how this attack vector works!

I remember in the late 80s/early 90s we had to write software on public computers and the only way to save our code was with floppies. We were constantly running into issues where our own floppies that we bought and formatted on our machines, got infected.

It would be interesting if LTT did an interview with Darren Kitchen or Shannon Morse on their products.

10:40 Remember kids safety first

Very excited and happy to see Linus mentioning Darren Kitchen, two of my first and most favourite youtubers. There are a ton of other hardware based hacking devices from Hak5, we would really like to see those to be featured in LTT as well.

0:29 i love how that website is considered cyber crime

Using this as a means to automate bench setup is pretty ingenious. Been subbed to the Hack5 channel for a while and totally love what they did there! It's a research tool in one hand, or a weapon in another. Great video!

Coltons Reaction was F***ing priceless even if it was staged XD 🤣

Damn, there’s even a USB-C version. Nobody is safe.

small nitpick by a cs academic (student): documentation is NOT for novices. It is good practice, and every trustworthy community/library/repo should be well documented

I made one of these with a cheap raspberry pi Pico and it works amazingly, and it is extremely easy to use, they are really help full when trying to code or set up something on multiple computers because it automates it.

Props to the Hak5 team. Great group of people

Great video! Though you should have shown the Ducky as several different looking USB sticks. A novice might only watch out for a stick that looks like the one you are showing. And it seems to me like you are trying to communicate to novices too. Otherwise I have nothing to complain about and found the video very well written and informative.

Fun facts: The clip in the beginning ( 0:09 - 0:18 ) was a TV-Ad that was actually shown in the early 2000s in germany. The conclusion „So wach warst du noch nie“ at the end means something like „You have never been more awake than now“ and advertised a coffee drink with high caffeine content. There were many complaints due to horrified children and dropouts of pacemakers because of this ads.

Most people have absolutely no idea how scary these things are lol. I ordered one a few years ago to play around with. I don't use it much but I still carry it around with me in my laptop bag. The first day I had it I managed to build a payload that when plugged in within a few seconds would grab every single one of my saved Google chrome passwords and email it to myself. My jaw hit the floor when that email came in with my entire password list in it lol. From that point forward I pretty much NEVER walk away from my laptop at work without locking it. It's insane how much damage someone can do with one of these and a little know-how and 5 seconds of access to a USB slot on your device.

Mr. Robot is such a great show. One of the few series that stuck the landing. With a name like Mr. Robot, the show is not at all what you think it is.

I almost bought one of these a long time ago. Then I realized you can do the exact same thing with a $5 arduino board. The script language is a little more complex but gives you wayyyyy more features, plus you can add other devices to the arduino like wifi, bluetooth, even capacitors to make your own badUSB. You can go even further and buy "fake" arduinos for even cheaper ($2 in bulk) that do the same thing, 3D print a bunch of harmless looking USB shells and then drop them around the city. Not that i've ever done that.....

Hak5's stuff is great. They have some amazing tools.

This is probably the best advertisement they could have asked for. I'd bet tens of thousands of people bought it after watching your great promotion.

Been watching since the earliest of the NCIX days. Great video to let people know about the dangers of things like this. Can't describe how happy I am to see the LTT intro and song making their way back into all the videos. don't know why, just am!

Just realized my passion and finally started pursuing a comp sci degree this semester. And I'm quite proud of myself because I actually understood every single issue you guys listed with the ducky. I love this field haha

Interesting use for automating your PC setup. Have you also tried UiPath process automation?! It can perform way more complicated stuff and it seems easier to setup that this rubber ducky stuff. Nice shoutout to the Konami cheat code, I'm a game dev :D

You can configure any Arduino to act as a HID device, I had this idea some time ago but ofc there's a consumer product for this already 😃

The argument at the end for why duckies should be allowed is kinda funny coming from someone like Linus. A tool in the hands of someone determined to do bad things doesn't negate the right of those trying to do good with the same tool. It's almost as if no matter what, bad guys will always find a way to do bad things regardless of the laws.

This should be a corporate security awareness video, if you trimmed it to arround 5 min and sold use rights to the a company like knowb4 or proofpoint it would reach lots of uninformed would be targets who wouldn't normally see an LTT video. Thanks for your work

If you don't need the built in storage, I'd recommend a Digispark USB. It just uses Arduino code, and there's programs that translate RD scripts to run on them. Plus they're like 20$ for a 5 pack. I've been using them for automated thin client setup.

10:27 Good good, now do guns.

Wait, but how do we protect ourselves apart from not plugging in usb drives?

1. Need a full prank video using these 2. Do more Hak5 stuff.

This usb stick saved my ass on my first job of manually setting up computers in every classroom, i could plug 2-3 pc at the same time, log in and perform the routine task before lunch break in a single day

I would love to see you do some in-depth vids on the rest of the Hak5 line. I've actually taken to using my old Mark V Pineapple as my IOT access system in my DMZ which let's me rain hell down on bot-net sweeps and the occasional budding hacker that war-drives by for crits and giggles lol.

These things have SUCH a reputation for abuse, I actually didn't know what the original intended function was.

I'm very surprised the ducky doesn't just use an existing language

Well now i know what to get my friend for his birthday next month. This is gonna be fun.

Thank you for covering this! I know this is the newest release which is awesome!

This is actually why a lot of businesses will prevent you from plugging in any keyboard except the "certified" ones. I think Active Directory even has a feature for that

PLEASE do the OMG Cable and the Flipper Zero!!!

Please more anthony and less everyone else??

You should check out Hak5's "OMG Cable" - it's a spoof Lightning cable that actually has malicious capabilities too.

My university end of bachelor program was making a program to detect unknown peripherals and checking if they were trying to do a payload. We used a rubber ducky for showcase. :D Brings back the memories.

Unlike other crime, this is the one that you can stop yourself falling for. NEVER plug in a USB that isn't yours

One time back in middle school my cousin found a flash drive on the school bus. This was well before I even knew what "computer security" meant. We plugged it into a PC to see what was on it. Luckily it didn't do anything. It was just FULL of prawn. Lots and lots of really hardcore prawn. We erased the drive and I gave it back to him and we never mentioned it to anyone.

Generally don't stick random USB devices into your PC, USB killers are a thing and as the name imply they can kill your PC.

OMG, Hak5! One of the OG video content creators out there. They're like older or the same age as KZbin. Used to watch them in Revision3 back in the day.

I worked for DSM at a local industrial site before our buy out and when I tell you that our classes RAMPED up and they locked our machines. We weren’t allowed to use anything in the machines unless it was provided by our it team.

Be right back, pre-ordering my RubberDucky… I mean… uhh for the purpose of setting up my printer… of course 😬

Never, EVER plug any flashdrive you find on the ground ever. Who knows what might be on it. Or what device it might emulate