Get a FREE Report of the Software Running in Your Environment - Including Risks & Countries of Origin
Back to Blogs Back to Press Releases
Blog header image of pirate-themed USB sticks

Beware the Rubber Duckies

Table of Contents


USB ports and cables are everywhere. We use these ports to connect peripheral devices, such as keyboards, mice, and cameras, to our computers. They are used to connect our computers, tablets, and smartphones to chargers. USB cables are so common that many wall outlets now have USB ports preinstalled in addition to traditional receptacles. Most people don’t give a second thought to plugging a thumb drive into their computer, but they should. Stuxnet, a famous computer worm that infected Iran’s nuclear program in 2010, was introduced via a USB device, otherwise known as a rubber ducky.

What Is a Rubber Ducky?

A rubber ducky is a USB device with a tiny computer chip hidden inside. This computer chip can be programmed with keystrokes, called a ducky script. Then, when a user plugs the USB drive into a computer, the computer thinks the rubber ducky is a keyboard, and the commands are automatically input without the user's knowledge. These commands can steal passwords, download malware, create backdoors to give hackers continued access to your computer, and steal or encrypt your files. Rubber duckies are hacking tools commonly disguised as flash drives but can also masquerade as USB cables and ports (e.g., public charging ports). They appear identical to their innocuous counterparts, hiding in plain sight. Once plugged in, they don't require user interaction, don’t ask for permission, and don’t generally trigger an antivirus or EDR response.

Can You Prevent a Rubber Ducky Attack?

While no cyberattack can be 100% prevented, short of turning off all computers and never turning them on again, there are many steps you can take to help reduce the likelihood of a successful rubber ducky attack. Train users to turn any USB drives they find lying around into your IT department instead of plugging them in. Encourage users to avoid using public USB charging ports. Educate users to only use USB cables from known safe vendors. And, because we all know that users are human, and humans make mistakes, incorporate technical controls and company-wide policies to help enforce this behavior. Disable all unnecessary USB ports in BIOS. For organizations that require USB use, standardize the permitted USB devices, and set a policy that all USBs should be obtained from the business. Keep an up-to-date inventory of the USBs in use, including their users and why. Set a policy that the business must provide all cables plugged into company equipment. Ensure that users who violate these policies are re-educated and disciplined as necessary.

How can ThreatLocker Help?

The ThreatLocker Endpoint Protection Platform can assist you with technical controls to mitigate rubber ducky attacks. ThreatLocker Allowlisting operates on a default deny philosophy, meaning that any scripts, codes, or libraries not included on your allowlist will be unable to run, regardless of which user or device attempts to execute it. ThreatLocker Storage Control enables you to block all USB storage devices and then permit USBs by serial number so that you have final approval before any user can use any new USB storage device. ThreatLocker Storage Control can also enable you to control what files the USB port can access and by which users, and whether they can read or write said files. ThreatLocker Ringfencing™ can block the powerful Windows tools (e.g., PowerShell) used in these attacks from accessing the internet if they don't need it.


Rubber duckies are not just adorable little bath-time toys. In the world of cybersecurity, they are USB devices that contain hidden computer chips embedded with keystrokes programmed to inflict damage. They are one method hackers use to try and penetrate your network defenses and introduce malware or exfiltrate data. These tiny, hard-to-detect threats can contain the same malicious code that cybercriminals use when attacking your systems via email attachments, macros in Office documents, and malicious URLs. ThreatLocker Allowlisting protects against any unauthorized code from executing, whether injected using a USB device, compromised software, or a phishing email. Ringfencing™ provides an additional layer of protection, enabling you to block the powerful built-in Windows tools from accessing the internet if they don't need it. ThreatLocker Storage Control provides granular control over who, what programs, and what interfaces can access which data storage locations and if they can have read-only or read-and-write access to that data. Combine all three modules, Allowlisting, Ringfencing™, and Storage Control for a multi-layered approach to dramatically reduce the likelihood that your organization will succumb to a successful rubber ducky attack.  

For more information on how ThreatLocker Allowlisting, Ringfencing™, and Storage Control can help strengthen your organization’s cyber defense, schedule a live, one-on-one demonstration today.