Cybertip: manipulated USB flash drives are a gateway for cyberattacks

12.01.2023 - USB flash drives have long been part of everyday computer life and are used to store data or transfer it from one computer to another. However, many people do not realise that manipulated USB flash drives can also be used to hack into computers.

At first glance, such a USB flash drive looks normal and inconspicuous. However, if you plug it into a computer, it emulates a keyboard. Predefined keystrokes are then "typed", triggering certain malicious commands on the computer. Such so-called rubber duckies can generate more than 1,000 words per minute. Backdoors can be installed on the attacked system, for example, documents or passwords can be stolen, and extended rights can be granted on the computer.

Rubber duckies – by no means benign little ducks

People first think of children's toys when they hear of rubber duckies. But in the hacking scene, this means something completely different, as such a corrupted USB flash drive is a popular hacking tool.

Rubber ducking comes from the history of programming and describes a simple strategy for debugging code. Programmers sit a small rubber duck near them and explain the code to the duck line by line. Explaining the code to the duck helps them to find any errors. The rubber duck acts as a listener and has the advantage that nobody needs to be disturbed. In the case of rubber duckies, commands are also processed line by line. In order to automate administrative tasks, a tool was developed that imitates the typing of commands on a keyboard. The device generates and executes recurring commands line by line. However, this also sparked the idea of a keystroke injection attack, i.e. introducing keyboard commands using a USB flash drive. This has evolved to become a sophisticated hacking tool.

How do keystroke injection attacks work?

The USB tool emulates a keyboard for the computer and thus has the same user rights as the victim sitting in front of the computer. The keystrokes or commands to be executed are stored on the tool, the rubber ducky, in the scripting language DuckyScript. Once it is plugged into the computer, the USB flash drive is recognised as a keyboard and the pre-programmed keystrokes or commands are executed on the computer.

Beware of USB flash drives that you are given or find

But how do the attackers get victims to insert such a USB flash drive into their computer? Social engineering is used for that. The attackers cleverly exploit traits such as trust, fear, respect for authority or curiosity for this type of attack. Baiting is a sub-variant of social engineering, where the attackers rely on the victims' curiosity. The best-known type of baiting consists of placing USB flash drives in the foyer of a company's premises and speculating that employees will find the drive and immediately plug it into a company device out of curiosity. USB flash drives can also be distributed as promotional gifts. Many versions of such drives are distributed to visitors at conferences or exhibitions. However, not all of them are distributed with good intentions, and may include manipulated rubber duckies. But even an unattended notebook on the train or at a conference, for example, can be compromised by attackers using this method if they manage to plug the drive into the device unnoticed for a short period of time.

New version of the tool is even more sophisticated

In August 2022 a hacking hardware producer released a new version of the tool. Earlier versions were already able to create fake pop-up windows to snatch a user's credentials or trick the browser into sending all stored passwords to an attacker's web server. With the latest version, stolen data can also be saved on the USB device. As a result, an attacker can insert the drive for a few seconds and then remove it again with all the stored data, which also means that an internet connection is no longer needed to send the data.


  • Never plug unfamiliar USB devices into a computer.
  • Never leave your computer unattended in public places.

Last modification 12.01.2023

Top of page