The USB rubber ducky: The End of an era for smartphone-based Multi Factor Authentication

Change is the only constant. Even humans cannot escape when it comes to evolution. Authentication is no exception to this either. Since the birth of the internet, we have witnessed the continuous evolution of authentication. What started as a mere username and password-based mechanism to verify users, has now transformed into a sophisticated system involving multiple stages of identity verification (or factors of authentication as we call them) sometimes also involving multiple devices.

With the sudden explosion of smartphone usage, multiple factors of authentication such as SMS based one-time passwords (OTP), time-based one-time passwords (TOTP), etc. have been introduced to make authentication convenient for users. As technology advanced, the smartphones also started incorporating biometrics, which then were also used along with knowledge-based authentication such as PINs, Passwords, etc. to add another layer of security to the smartphone based 2-factor authentication.

But nothing escapes evolution, and as authentication methods kept evolving, hackers were also evolving methods to break the security of smartphone-based multi-factor authentication systems. “Rubber ducking”, a common debugging term, is one such method that cyber criminals developed to attack smartphone-based MFA. It uses an innocent-looking USB stick that poses as a keyboard to hack into systems.

The USB rubber ducky method, also called BadUSB, exploits an inherent vulnerability in the USB firmware by impersonating a human interface device. Here is a step-by-step walkthrough of how the USB rubber ducky method works:


M.Soc Engg. (Masters in Social Engineering)

If social engineering were a real engineering discipline, it would be the most in-demand one, with its jobs being the highest paid. By tricking the smartphone owner into using an alternate charging cable for their phone, hackers get inside the phone. Wait… What??? Yes! You read that right. A charging cable is all it takes for the hackers to get into your phone! They might offer you a charging cable for free, or offer a new smartphone altogether for free, which they will ship with this charging cable.


Add some code to taste

The charging cable contains a small circuit that impersonates an external USB keyboard to your laptop, or an interface to your phone, and injects malicious code into the device. This code can then perform a variety of tasks such as reading your messages and call logs, reading your keystrokes as you type, and what not.
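The tell-tale that such a cable leaves behind is a new keyboard appearing on a port where only a charger or storage device was expected. As an added illustration (not part of the original post), the following Python script shows the kind of check a defender can run on a laptop: it parses kernel log lines for HID enumeration and flags any keyboard that shows up on a USB port outside an allow-list. The log lines, vendor/product IDs and port paths are constructed for the example and the allow-list is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed dmesg-style lines (not captured from a real machine). The first
# device advertises itself as a "Charging Cable" but enumerates as a keyboard;
# the second is an ordinary mouse on a port the owner normally uses.
SAMPLE_KMSG = """\
[  120.001000] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[  120.150000] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  120.160000] usb 1-2: Product: Charging Cable
[  120.200000] input: Charging Cable as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:ABCD:1234.0003/input/input9
[  120.210000] hid-generic 0003:ABCD:1234.0003: input,hidraw2: USB HID v1.11 Keyboard [Charging Cable] on usb-0000:00:14.0-2/input0
[  300.000000] usb 1-1: new low-speed USB device number 5 using xhci_hcd
[  300.100000] hid-generic 0003:0001:0002.0004: input,hidraw0: USB HID v1.10 Mouse [Desk Mouse] on usb-0000:00:14.0-1/input0
"""

# Matches the line the Linux hid-generic driver prints when it binds a HID device.
HID_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+hid-generic\s+(?P<hid>\S+):\s+input,hidraw\d+:\s+"
    r"USB HID v[\d.]+\s+(?P<kind>Keyboard|Mouse|Device)\s+\[(?P<name>[^\]]*)\]\s+"
    r"on usb-(?P<path>\S+)/input\d+"
)


@dataclass
class HidEvent:
    ts: float     # seconds since boot, from the kernel timestamp
    kind: str     # Keyboard / Mouse / Device as reported by the HID driver
    name: str     # product string the device supplied (attacker-controlled)
    path: str     # host controller + port, e.g. "0000:00:14.0-2"
    hid: str      # bus:vendor:product.instance identifier


def parse_hid_events(text):
    """Extract every HID binding event from a block of kernel log text."""
    events = []
    for line in text.splitlines():
        m = HID_RE.match(line)
        if m:
            events.append(HidEvent(float(m["ts"]), m["kind"], m["name"], m["path"], m["hid"]))
    return events


def find_unexpected_keyboards(text, allowed_paths):
    """Return keyboard enumerations on USB paths that are not in the allow-list.

    The product string cannot be trusted (a BadUSB cable can call itself anything),
    so the decision is made on the interface class the kernel saw and the physical
    port, not on the name.
    """
    return [
        e for e in parse_hid_events(text)
        if e.kind == "Keyboard" and e.path not in allowed_paths
    ]


if __name__ == "__main__":
    # Assumed allow-list: the port where the owner's real keyboard/mouse lives.
    KNOWN_PORTS = {"0000:00:14.0-1"}
    for ev in find_unexpected_keyboards(SAMPLE_KMSG, KNOWN_PORTS):
        print(f"ALERT t={ev.ts:.1f}s: keyboard '{ev.name}' ({ev.hid}) appeared on port {ev.path}")
```

On a real host the text would come from `dmesg` or the journal; the same logic can feed a USB device-control policy (for example USBGuard on Linux) that refuses to bind HID interfaces from ports or devices that are not explicitly permitted.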



Now that they can read your OTPs, in a matter of just a few minutes the hacker cracks the username and password to your account, and they have complete access to your account as well. And in the worst-case scenario, the money in your bank account will vanish in no time too!

Aha! But I’m too smart to use someone else’s cables!

Valid point! In that case, hackers won’t be able to run their malicious code on your phone. But there is little that hackers can’t do. In this case, they would steal your phone and unlock it with the USB rubber ducky, followed by running a password spraying script. And before you call up your operator and block your SIM, the authentication factors are already in their possession and the damage is already done.

What does this mean for smartphone-based MFAs?

A long barefoot hike in a sunny desert! With devices like the O.MG cable or BadUSB / USB rubber ducky, it is certainly evident that smartphone-based MFA is no longer secure.

So what can I do?

Shifting to an authentication device that is

  1. non programmable and

  2. connects to a network on demand while also

  3. enabling biometric security

seems to be the only way to overcome this serious and often exploited flaw in the USB protocol.
