Malicious USB with Raspberry Pi Pico: How to Make a Rubber Ducky & Protect Against Them.

Mikhail Zhivoderov
6 min read · Apr 5, 2023

Little Raspberry Pi Pico

What is Raspberry Pi Pico?

Raspberry Pi Pico is a microcontroller board developed by the Raspberry Pi Foundation, released in January 2021. It is based on the RP2040 microcontroller chip designed by Raspberry Pi, which features a dual-core Arm Cortex-M0+ processor, 264KB of RAM, and a wide range of input/output (I/O) pins. Pico is an affordable (when I say affordable, I mean really affordable, like literally $4) and versatile board that can be used for a variety of projects, including robotics, automation, and Internet of Things (IoT) devices.

All the Pins

In addition to its technical capabilities, Pico is also easy to use and accessible to a wide range of developers. It supports popular programming languages like Python and C++, and can be programmed using a variety of development environments, including the Raspberry Pi Pico C/C++ SDK and MicroPython.

In this article, we’ll explore how you can use Raspberry Pi Pico to create a Rubber Ducky Bad USB — a small USB device that can be used for cyberattacks. We’ll provide a step-by-step tutorial for building the device, as well as examples of how Rubber Ducky Bad USBs have been used in real-world cyberattacks. Finally, we’ll provide tips for protecting yourself against these types of attacks.

So what now?

So you're going to ask me how the hell you can use this sweet thing for cyberattacks?

Rubber Ducky Bad USB is a small USB device that can be programmed to execute keystroke commands on a victim’s computer, without the victim’s knowledge. This type of device is often used for malicious purposes, such as stealing sensitive data, installing malware, or taking control of a computer. IT'S STARTING TO GET CRAZY NOW, RIGHT?!

The way a Rubber Ducky Bad USB works is by emulating a USB keyboard, which allows it to send keystrokes to a computer just like a regular keyboard would. However, because it is programmable, it can be set up to execute a sequence of commands that can be used to perform a variety of malicious actions.
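
Because the keystrokes come from a program rather than a person, they typically arrive at machine speed, which gives defenders a timing signal. The sketch below is an added example, not code from the original article or the pico-ducky project; it assumes an endpoint agent already supplies key-press timestamps, and the function name, thresholds and sample log are hypothetical.

```python
"""Flag keystroke bursts that arrive faster than a person types."""


def injected_runs(events, max_gap_ms=30, min_keys=10):
    """events: [(time_ms, key), ...] in time order -> list of flagged bursts.

    A burst is min_keys or more key presses with every gap below max_gap_ms.
    Both thresholds are assumptions to tune against real typing on your hosts.
    """
    runs, start = [], 0
    for i in range(1, len(events) + 1):
        # A run ends at the end of input or at the first human-sized pause.
        if i == len(events) or events[i][0] - events[i - 1][0] >= max_gap_ms:
            if i - start >= min_keys:
                burst = events[start:i]
                span_ms = burst[-1][0] - burst[0][0]
                runs.append({
                    "start_ms": burst[0][0],
                    "keys": len(burst),
                    "keys_per_second": round((len(burst) - 1) * 1000 / span_ms) if span_ms else None,
                    "text": "".join(key for _, key in burst),
                })
            start = i
    return runs


# Constructed key log: a person typing, then a 5 ms-per-key burst.
HUMAN = list(zip([0, 140, 310, 450, 520, 700, 880, 1010], "hello wo"))
SCRIPTED = [(2000 + 5 * i, key) for i, key in enumerate("constructed-burst-text")]
SAMPLE = HUMAN + SCRIPTED

if __name__ == "__main__":
    for run in injected_runs(SAMPLE):
        print(run)
```

Treat a hit as a signal to correlate with a recent USB keyboard attach, not as proof on its own.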

Interesting tutorial from NWChuck

One of the most common uses for a Rubber Ducky Bad USB is to steal login credentials or other sensitive data. For example, an attacker might program the device to open a web browser, navigate to a login page, and enter a victim’s username and password. This information could then be sent back to the attacker, allowing them to access the victim’s account.

Another potential use for a Rubber Ducky Bad USB is to install malware or other malicious software on a victim’s computer. By programming the device to execute a series of commands that download and install the malware, an attacker can take control of the victim’s computer and use it for a variety of purposes, such as stealing data or launching additional attacks.

I guess you can't wait, right? So let us start.
Here’s a possible tutorial for creating a Rubber Ducky Bad USB using Raspberry Pi Pico:

We begin: Building a Rubber Ducky Bad USB with Raspberry Pi Pico

My little nasty cybersec. fans! Are you ready to create your very own Rubber Ducky Bad USB using Raspberry Pi Pico? Great, let’s glow!

Step 1: Clone the repo

First things first, let’s clone the repo to get a local copy of the files. Open up your terminal and type in the following command:

git clone https://github.com/dbisu/pico-ducky.git

Step 2: Download CircuitPython

Next up, we need to download CircuitPython for the Raspberry Pi Pico. You can download the latest version of CircuitPython from the official website. Make sure to download the version that’s compatible with your Pico model.

You're going to ask me where?
https://circuitpython.org/board/raspberry_pi_pico/

And for the Pico W:
https://circuitpython.org/board/raspberry_pi_pico_w/

Step 3: Plug in your Pico

Now it’s time to plug in your Raspberry Pi Pico. Make sure to hold down the boot button while you plug it in. This will put the Pico into bootloader mode, allowing you to flash it with CircuitPython.

Step 4: Flash CircuitPython onto your Pico

Once you’ve downloaded CircuitPython and plugged in your Pico, you can flash it onto the device. Simply copy the downloaded .uf2 file to the root of the Pico (which should now appear as a removable media device named RPI-RP2). The device will reboot and after a second or so, it will reconnect as CIRCUITPY.

Step 5: Download the CircuitPython Bundle

Next, we need to download the CircuitPython Bundle. You can download the latest version of the bundle from the official Adafruit website.

Just download the latest ZIP!

Step 6: Copy the necessary files

Now that you’ve downloaded the bundle, it’s time to copy the necessary files to your Pico. Navigate to the “lib” folder in the bundle and copy the “adafruit_hid” folder to the “lib” folder on your Pico. Then copy “adafruit_debouncer.mpy” and “adafruit_ticks.mpy” to the “lib” folder on your Pico. Lastly, copy “asyncio” and “adafruit_wsgi” to the “lib” folder on your Pico.

Step 7: Copy the code files

  1. Navigate to lib in the recently extracted folder and copy adafruit_hid to the lib folder on your Raspberry Pi Pico.
  2. Copy adafruit_debouncer.mpy and adafruit_ticks.mpy to the lib folder on your Raspberry Pi Pico.
  3. Copy asyncio to the lib folder on your Pico.
  4. Copy adafruit_wsgi to the lib folder on your Pico.
  5. Copy boot.py from your clone to the root of your Pico.
  6. Copy duckyinpython.py, code.py, webapp.py, wsgiserver.py to the root folder of the Pico.
  7. For Pico W only: create the file secrets.py in the root of the Pico W. This contains the AP name and password to be created by the Pico W.
    secrets = { 'ssid' : "BadAPName", 'password' : "badpassword" }

That’s it!
Find a script here and copy it to the root folder of your Pico, but be ready: it will fire instantly unless you unplug it right away or have boot mode on.

Here for payloads:

https://github.com/hak5/usbrubberducky-payloads

You now have your very own Rubber Ducky Bad USB, ready to execute keystroke commands on any victim’s computer. Just plug it in, sit back, and watch the magic happen.

But remember, with great power comes great responsibility. Use this tool wisely and ethically, and always be mindful of the potential risks and consequences. Happy hacking, cybersec fans!

So now, how can you prevent this sort of attack?

Preventing Bad USB attacks can be challenging since humans are often the weakest link in the system when it comes to cybersecurity. Hackers and cybercriminals know this and use social engineering tactics to trick people into plugging in malicious USB drives. This is why it’s important to educate yourself and your team on the risks of Bad USBs and to follow best practices to protect your systems.

Here are some rules to follow to prevent Bad USB attacks:

  1. Train your team — Make sure that everyone on your team understands the risks of Bad USBs and how to detect and prevent them. Provide regular training and reminders to keep everyone informed.
  2. Use access controls — Limit access to your systems and sensitive data. This can help prevent unauthorized users from plugging in a Bad USB and stealing your data.
  3. Use strong passwords — Use strong, unique passwords for all of your accounts and devices. This can help prevent attackers from accessing your systems even if they manage to infect them with malware.
  4. Use endpoint security software — Use endpoint security software that includes features such as intrusion detection and prevention, antivirus, and firewalls. This can help detect and prevent Bad USB attacks.
  5. Be cautious of social engineering tactics — Be wary of unsolicited USB drives, and never plug in a USB drive from an unknown source. Attackers often use social engineering tactics to trick people into plugging in malicious USB drives.
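
One check an endpoint agent can run for rule 4, as an added example that is not from the original article: the Pico built above shows up as a removable drive (CIRCUITPY) and as a keyboard at once, so this lists USB devices on Linux that expose both an HID and a mass-storage interface. The function names, the allow-list and the sample inventory are hypothetical; the vid:pid values are placeholders.

```python
"""Flag USB devices that expose both an HID and a mass-storage interface."""
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08  # USB interface class codes


def read_devices(sysfs="/sys/bus/usb/devices"):
    """Return {device: {"id": "vid:pid", "classes": {int, ...}}} from Linux sysfs."""
    root, devices = Path(sysfs), {}
    for iface in sorted(root.glob("*:*")):  # interface entries, e.g. 1-3:1.0
        name = iface.name.split(":")[0]     # owning device, e.g. 1-3
        try:
            cls = int((iface / "bInterfaceClass").read_text(), 16)
            dev_id = ":".join((root / name / f).read_text().strip()
                              for f in ("idVendor", "idProduct"))
        except (OSError, ValueError):
            continue  # root hubs, or a device unplugged mid-scan
        devices.setdefault(name, {"id": dev_id, "classes": set()})["classes"].add(cls)
    return devices


def hid_plus_storage(devices, allowlist=frozenset()):
    """Names of devices with HID and storage interfaces whose vid:pid is not allow-listed."""
    return sorted(name for name, dev in devices.items()
                  if {HID, MASS_STORAGE} <= dev["classes"] and dev["id"] not in allowlist)


# Constructed sample inventory; the vid:pid values are placeholders.
SAMPLE = {
    "1-1": {"id": "aaaa:0001", "classes": {HID}},            # ordinary keyboard
    "1-2": {"id": "aaaa:0002", "classes": {MASS_STORAGE}},   # ordinary flash drive
    "1-3": {"id": "aaaa:0003", "classes": {0x02, 0x0A, HID, MASS_STORAGE}},  # drive + HID
}

if __name__ == "__main__":
    print("sample:", hid_plus_storage(SAMPLE))
    print("this host:", hid_plus_storage(read_devices()))
```

Some legitimate peripherals also combine these interfaces, so review hits and add known-good vid:pid pairs to the allow-list rather than blocking outright.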

By following these rules, you can help prevent Bad USB attacks and keep your systems and data secure. Remember, cybersecurity is a team effort, and everyone has a role to play in keeping our digital lives safe.

Till the next time!
