How to detect a USB Rubber Ducky?

In a similar vein to what your mother may have told you as a young child about accepting packages from strangers, when you find a strange USB drive in a warehouse filled with Chinese screwdrivers, or whatever it happens to be, do not plug it into a computer that is part of your company's network. Ever.

That is really the best way of "protecting Windows systems from USB devices like this". Having said that, as James said in the comments, the first and obvious methods of attack would be blocked by turning off the removable drive auto-run feature, but if someone really wants to harm a computer, I am sure a talented hacker could do so without the auto-run enabled.

Next time you have a weird USB stick fall from the sky like that and you want to see what it is, you connect it to a computer that is not part of any network, has no internet connection and no critical data.

Now, chances are there is an irate docker somewhere on the shores of China lamenting the loss of his wireless keyboard, nothing nefarious was in the drive and absolutely nothing is wrong with your computer. As a general rule though, you don't connect strange devices to networks.

UPDATE

I don't think there is a way of actually detecting a rubber ducky. The good news is that the best known one does not look like the picture you posted. On the other hand, what the hypothetical USB fowl does depends entirely on its payload and cannot be predicted. There will, therefore, not be a rock-solid way of checking, since you cannot know beforehand what it attempted to do.


If your drive really identifies as a keyboard, the safest way to determine which keystrokes it sends is probably a hardware USB keyboard logger. You can get those all over the internet, just google "usb keyboard logger".

Of course, this does not prevent the unidentified device from actually sending keystrokes to the system you are plugging it into, so you should not do this on a production system.

Since you probably don't want to disable support for USB HID and keyboard devices, I don't think there is anything you can do to prevent such attacks, other than not plugging untrusted devices into your machine.

EDIT: Since I am unable to comment on the other answers: Disabling auto run only prevents the automatic execution of files on the connected USB drive. However, if this device identifies as a keyboard, it will likely send keystrokes and not offer you files. Disabling auto run does not protect you against keystrokes.
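What "identifies as a keyboard" means at the descriptor level, as an added example that is not part of either answer above: the parser walks a raw USB configuration descriptor and labels each interface by its class, subclass and protocol bytes. The class codes come from the USB specification; the sample descriptors and the names `interfaces` and `classify` are constructed for illustration.

```python
import struct

USB_DT_INTERFACE = 0x04                     # bDescriptorType of an interface descriptor
HID, MASS_STORAGE = 0x03, 0x08              # bInterfaceClass codes
BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x01, 0x01

def interfaces(blob):
    """Return (number, class, subclass, protocol) for every interface descriptor."""
    out, pos = [], 0
    while pos < len(blob):
        # Each descriptor starts with bLength and bDescriptorType; reject bad lengths.
        if pos + 2 > len(blob) or blob[pos] < 2 or pos + blob[pos] > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        length, dtype = blob[pos], blob[pos + 1]
        if dtype == USB_DT_INTERFACE and length >= 9:
            num, _alt, _eps, cls, sub, proto = struct.unpack_from("6B", blob, pos + 2)
            out.append((num, cls, sub, proto))
        pos += length
    return out

def classify(blob):
    """Label what a device claims to be, based only on its interface descriptors."""
    labels = set()
    for _num, cls, sub, proto in interfaces(blob):
        if cls == MASS_STORAGE:
            labels.add("mass-storage")
        elif cls == HID and sub == BOOT_SUBCLASS and proto == KEYBOARD_PROTOCOL:
            labels.add("boot-keyboard")
        elif cls == HID:
            # Non-boot HID: only the HID report descriptor tells whether it can type.
            labels.add("hid-other")
    return labels

# Constructed sample descriptors (not captured from any real device).
KEYBOARD_STICK = bytes.fromhex(
    "09 02 22 00 01 01 00 a0 32  09 04 00 00 01 03 01 01 00"
    " 09 21 11 01 00 01 22 3f 00  07 05 81 03 08 00 0a")
FLASH_DRIVE = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32  09 04 00 00 02 08 06 50 00"
    " 07 05 81 02 00 02 00  07 05 02 02 00 02 00")
COMPOSITE = bytes.fromhex(                  # storage plus a keyboard interface
    "09 02 39 00 02 01 00 80 32  09 04 00 00 02 08 06 50 00"
    " 07 05 81 02 00 02 00  07 05 02 02 00 02 00"
    " 09 04 01 00 01 03 01 01 00  09 21 11 01 00 01 22 3f 00  07 05 83 03 08 00 0a")

if __name__ == "__main__":
    for name, blob in [("stick", KEYBOARD_STICK), ("flash", FLASH_DRIVE), ("combo", COMPOSITE)]:
        print(name, sorted(classify(blob)))
```

A "drive" that reports a keyboard interface is the case the second answer describes; the descriptor only shows what the device claims, not what it will type.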

Tags: USB, HID