*** This is a Security Bloggers Network syndicated blog from Schneier on Security authored by Bruce Schneier.

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, makes for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: A list of packages, which contains a SHA256 of each package, and then a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages. It’s a valid approach, but there was a bug, discovered by, in how opkg reads the hash values from the package list. The leading space triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank.
The USB Rubber Ducky is getting better and better.

Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user’s login credentials or causing Chrome to send all saved passwords to an attacker’s webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this… then that). That means, for example, the new Ducky can run a test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, “Sorry, I guess that USB drive is broken,” and take it back with all their passwords saved.