USB Killer 2.0: a Harmless-Looking USB Stick That Destroys Computers
An anonymous reader writes: Plugging in random USB sticks in your computer has never been more dangerous, as a researcher who goes by the name Dark Purple has demonstrated his new device: USB Killer 2.0. When plugged into a computer, the deadly USB draws power from the device itself. With the help of a voltage converter the device's capacitors are charged to 220V, and it releases a negative electric surge into the USB port. This surge "fries" the USB port and, in the researcher's demonstration, the motherboard — perhaps not always after the first surge, but the malicious USB device repeats the process until no more power can be drawn.
USB usually means you have physical access to the PC (Score:5, Insightful)
Re:USB usually means you have physical access to the (Score:5, Insightful)
Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.
Re: (Score:3)
> Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.
And then fire their asses for being enough of a dumbfuck to use a USB stick they found in a parking lot.
Re:USB usually means you have physical access to the (Score:5, Interesting)
Re:USB usually means you have physical access to the (Score:5, Insightful)
My suggestion was to custom build some pseudo malware, load it on those flash keys, or a set of flash keys, and leave them around campus. Nothing nefarious would happen to the user who did insert it other than an autorun popup informing them that we could have owned them right there if we wanted.
Don't do it on your own. Don't do it with serious back up and written guarantee for support from higher ups. What you are doing is very similar to finding homes with unlatched/unlocked back porches, walking in sitting in the living room sofa and shouting boo when the home owners walk in. No matter how sensible and helpful your advice is, the homeowners are going to be jumpy, irritated, made to look like fools and they will hate you intensely.
Try to do it differently. Create these USB warning devices as you planned, but give them to students, tell them what it does and ask them to "educate" their friends and relatives. Watermark each device so that they don't prank unsuspecting people.
Re: (Score:2)
So in your world accessing an open website with default credentials counts as 'cracking'?
Re: (Score:2)
If you live in the same world as Andrew Auernheimer (for slightly different but very related case), then yes, the jury does seem to think that accessing unsecured data that someone else doesn't want you to counts as 'cracking' and can lead to jail time.
Re: (Score:2)
I wonder how many of these people would also inject themselves with a syringe filled with glowing green goo they happened to find labeled "Super-serum"?
Re: (Score:3)
And, yet, it apparently works [zdnet.com]. As in people have done it before. And, if dropping them in the parking lot doesn't work, stamp a logo on them, put them in a package with official looking marketing glossy, and send them as targeted attacks.
See, the problem is the humans are always the weak links in your chain.
Of course, you can't target what machines might be impacted. But if the general plan is mayhem, that's always easy to achieve.
Re: (Score:2)
Except that even if they follow policy and hand them into cyber security, the cyber guys will want to know if they have company information on them, and their computer gets fried!
Re:USB usually means you have physical access to the (Score:4, Funny)
Someone left a sledgehammer lying in the parking lot. Cool, I thought. So I picked it up, went inside, then smashed my computer. Whoops, I was fooled.
Re: (Score:3)
The stick could download crap from the network and send it out over the Internet first, then fry the computer when it's done to destroy any evidence.
Re: (Score:2)
Re: (Score:3)
Instead, the concern is that someone (like say Uber) will print up 300 USB Killers, perhaps with a label that says something like "best porn", and scatter them around the competition's headquarters (like say Lyft - or vice versa).
Then some curious Vice President or CEO picks them up and puts them in his computer...
Found USB sticks - the poor man's 'super hack'.
Re: (Score:3)
And companies are absolute shit at keeping stuff secret. When it becomes public that company A pulled this stunt, company A will be sued out of existence.
Re:USB usually means you have physical access to the (Score:5, Insightful)
>> someone with physical access can damage your PC
This isn't a local access attack, though. Instead, you label your attacking USB stick with your target company's name and leave it in the parking lot or at a restaurant where you know a lot of your target's employees visit. Some foolish altruist will frequently pick it up and shove it into their computer when they get back to the office. This kind of thing works great for infecting someone's computer with command-and-control malware; if anything this "wreck the computer" attack seems less useful.
Re: (Score:3)
> if anything this "wreck the computer" attack seems less useful.
Imagine that you're a CIO tasked with protecting data worth billions of dollars.
Drop a few of these in the parking lot or cafeteria, and write off a few $800 Dells to find and eliminate the employees who cannot be trained to not do stupid things that will severely damage the company.
I'd do it.
Re:USB usually means you have physical access to the (Score:5, Insightful)
> if anything this "wreck the computer" attack seems less useful.
> Imagine that you're a CIO tasked with protecting data worth billions of dollars.
> Drop a few of these in the parking lot or cafeteria, and write off a few $800 Dells to find and eliminate the employees who cannot be trained to not do stupid things that will severely damage the company.
> I'd do it.
Ya, watch the person you catch to be the CEO.
Re: (Score:2)
If you go into a CVS or other place that does photo printing, they usually have a couple of computers so you can plug in your camera or flash drive and self-serve, maybe do a few cheesy edits. Kinkos and the like do the same thing for printing from or scanning to flash drives. Those are the sorts of places where you can't really
Re: (Score:2)
Re: (Score:2)
If you have local access to the PC you could just use a sledgehammer.
Yeah, I suppose you could carry a 10 pound sledgehammer around and spend time beating a computer and making plenty of noise doing it. Or, you could carry a USB stick a few grams in your pocket and take a second to fry the electronics while making hardly any noise (depending on what you're frying, of course).
You can also carry a gun and just shoot the computer. Or throw it out a window, or into water. All of those "use cases" for computer destruction are different than the use case for the USB stick.
The fact that someone with physical access can damage your PC shouldn't be a big surprise.
That'
Coming up at 11... (Score:2)
... news on the CD which when hit with an infrared laser causes the embedded explosives to detonate!
Hackaday link with more information (Score:2)
http://hackaday.com/2015/10/10... [hackaday.com]
Menacing looking usb stick (Score:5, Funny)
http://i.ebayimg.com/00/$(KGrH... [ebayimg.com]
"Harmless-looking USB stick"? (Score:5, Insightful)
If you believe that any unfamiliar USB stick looks "harmless", you clearly haven't been paying attention.
Re: (Score:2)
ya-know - another idea might be to charge the device to a higher voltage - and then have metal edges exposed through the stick. So that the shock is delivered to the User when they attempt to pull it out.
The stick would do nothing to the computer - maybe even be empty or show an error. But zap the user could be the prank.
Kind of a whoopie cushion for computers. Oooh oooh - it could emit blue smoke !!
Yup - I see this being available for April 1 next year.
Access to the machine (Score:2)
> Plugging in random USB sticks in your computer has never been more dangerous
I think the point of this hack is to catch people who pick up random sticks and see what's on them, something I would never, ever do. Nothing to do with needing physical access to the machine, the rube who picked the stick up is all the "access" you need. Someone up there has already made the suggestion of using them for corporate sabotage (Uber vs Lyft), scattering these things around the right place could cause all sorts of drama.
:(
Also, that poor thinkpad
Re: (Score:2)
I have a readme.txt on every usb with my name number and email if I lose it, but now if I find a usb I'm just going to ignore and someone might have to lose theirs D:
You could pry the cover off. If you see a flash chip and a controller chip, you're good. If you see anything else, like lots of capacitors, don't use it.
In other news (Score:2)
It has been discovered that repeatedly dropping a 20 pound sledgehammer on your laptop's keyboard is equally harmful.
BREAKING NEWS (Score:3, Insightful)
Be sure to watch our followup segment on what could be in that suspicious red can you found labeled "free gas!" The results are horrifying!
Seems like this has limited usefulness (Score:2)
Re: (Score:3)
Re:Seems like this has limited usefulness (Score:5, Interesting)
TSA: "We're going to have to take a look through all your laptops, memory devices and phones, sir."
Didn't they just have a big computer outage recently?
This should be preventable (Score:2)
There should be extension cables that would have a trip switch for voltages that are that high. Trip switches should really be included in the computing device itself, really. Since when do people connect light bulbs or any appliance directly to the main generator without anything in between?
Re: (Score:2)
"Since when do people connect light bulbs or any appliance directly to the main generator without anything in between?"
All the time. Welding is one example. Incandescent lights don't need anything more than the right voltage and some current. If that genhead is pushing ~170V peak to peak then pretty much anything US power-based plugged right in will work.
Re: (Score:2)
A couple of MOV's and a fuse or two will do the trick... If you insist, a "crowbar" circuit that shorts the pins to ground if the voltage exceeds about 10 volts. Easy fix with a handful of components if the board makers wanted to.
I just seriously doubt this idea will catch on. It's too expensive to duplicate the devices, the device is physical evidence which could aid in tracing it to its source and the result is basically vandalism so it's of little use to the criminals looking for a profit.
Hub (Score:2)
Do USB hubs sufficiently insulate computers from this attack?
Re: (Score:2)
I broke a front USB port recently - my headphones were connected, I tripped on the cable and a jerk twisted the USB port.
Windows 10 reported an error on screen that "There has been a power surge on a USB port and the device has been disabled" or some such. So perhaps, at least Windows 10, seems to be able to detect power surges.
Re: (Score:2)
Probably some but not necessarily enough. It depends on how much energy the device packs. I'm guessing not much, because it uses tiny, high voltage capacitors to store energy; they're not going to be able to deliver much current.
In principle the discharge could travel through the damaged circuits of the hub, up the host cable to the computer, but damaging the hub is work and takes energy so you might luck out, although I wouldn't count on it. Instead I'd get a USB hub with electrostatic discharge (ESD) pr
How does one protect against this? (Score:2)
Re: (Score:2)
This is disturbing because it can be used to damage an unsuspecting Noob's machine and he won't know what caused it .. Not good.
When the Noob puts a random USB stick into his computer and immediately hears a buzz and a pop, and the screen goes blank, I think that the Noob should know exactly what caused it.
Guess we'll be seeing lock sales (Score:2)
I can envision computers at tradeshows being equipped with these:
http://www.amazon.com/Lindy-US... [amazon.com]
I want one. (Score:2)
Nasty (Score:2)
To protect against that, you'd need some beefy diodes or zener diodes to divert any harmful energy. Can't see MB manufacturers doing that any time soon.
Re: (Score:2)
A fuse works really well.
A whole new definition... (Score:2)
This gives us a whole new thing we can call a "Flash Drive"... Imagine the confusion this will cause..
Re:Bonus points (Score:5, Funny)
Bonus points if it has some legitimate function before it's ready to strike: 802.11n adapter, etc.
Hypothetically of course ... Just make lots and lots of these. Get a Sharpie. Label each of them with things like TAX DOCUMENTS, ACCOUNT NUMBERS, and definitely lots of them labelled PORN COLLECTION. Drop them in hotels, restaurants, restrooms, subways, bus stops, just leave them all over town. Hilarity ensues!
For more bonus points, act shocked when you hear about the mysterious computer-killing USB drives. Say you don't believe anyone would do such a thing.
Re:Bonus points (Score:5, Interesting)
make lots and lots of these
Label each of them with things like TAX DOCUMENTS, ACCOUNT NUMBERS, and definitely lots of them labelled PORN COLLECTION
Drop them in hotels, restaurants, restrooms, subways, bus stops, just leave them all over town
Open a computer repair shop
Profit!!
Re: (Score:2)
Since when do people label usb drives?
Re:Bonus points (Score:5, Funny)
Russian roulette: Get 1 killer USB and five legits and a few friends... take turns plugging into your computers.
Search and seizure revenge: "I warned you".
Re:Bonus points (Score:4, Interesting)
Re:Bonus points (Score:4, Funny)
And hub is connected to the ... ankle bone?
Re:Bonus points (Score:5, Funny)
> And hub is connected to the ... ankle bone?
I tried that. The throughput was terrible. [ 0/10 do not recommend ]
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
and the people who you actually are targeting will be more likely to keep the stick plugged in long enough for it to do its damage.
Watch the video, it looks like it takes less than a second, the OS doesn't even have time to try and mount it. There's a nice ominous buzzing sound and pop that accompanies it as well.
I'd be lying if I said I didn't want to carry one of these around with me.
Re:Bonus points (Score:5, Interesting)
We had an office thief once. He would take anything and it didn't really matter the value. Shitty old drives, ram, a customer's computer we were configuring and other random crap.
I simply connected every line to Vcc on an old IDE hard disk and put it inside of a desk. The person who owned the desk I told them what was going on.
Maybe two days later one of the technicians is complaining that his IDE controller no longer works. He would later admit to some drug problems and a predilection for theft.
Re: (Score:2)
No, for bonus points, whenever you check into a hotel, ask to put some items in the hotel safe, always include one of these.
Put another in the room safe.
Re:Bonus points (Score:5, Funny)
Label them in large letters 'BACKUPS', and then in small letters underneath 'always make backups!'.
Re: Bonus points (Score:2)
Then build motherboards that fry the device back.
Re: (Score:2)
The current design appears to start hitting the host as soon as it has had enough time to charge; but presumably one could have the 'legitimate' peripheral switch the killer's access to V+ on and o
Re: (Score:3)
Re: (Score:2)
It could definitely use a cord a few feet long that you can yank to retrieve it from whatever you just destroyed.
What about powered USB hubs? (Score:2)
What happens if you plug this into a powered USB hub? Does it fry the hub?
At least hub makers could (re)design their products to handle this.
Re: (Score:2)
I second the idea of dropping the Daily Mail in a bucket of tap water.
Re: (Score:2)
Way to ruin a perfectly good bucket of water..
Re: (Score:3)
Sledge hammers, axes, picks, power drills, reciprocating saws...
All relatively simple tools that accomplish the same thing if you are close enough to stick a thumb drive into a port.
No, you miss the point. You don't need access to anyone's computer.
YOU don't put the thumb drive into someone's computer. You just leave it somewhere and THEY put it into their computer.
Re: (Score:2)
> Sledge hammers, axes, picks, power drills, reciprocating saws... All relatively simple tools that accomplish the same thing if you are close enough to stick a thumb drive into a port.
The idea is you trick someone into destroying their own computer by sending them an innocent looking device. From reading the comments here, I ask: how fucking hard to understand could this possibly be? Lots of people failed to grasp the concept and that's a shame because it's such a simple one.
Here's a hint for you, one of those life hints that will serve you well: if you think you found the great big obvious thing that everybody else overlooked because you are just so clever -- it usually means you
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Insightful)
People ask on forums that are full of context-experts, instead of reverting to Google/Bing/etc. results that are full of context-amateurs, because they don't want to waste their time becoming a context-expert themselves as they would need to do in order to effectively filter the Google/Bing/etc. results.
Note: if you can post a stupid statement to Slashdot, you should be able to reach your brain and extract the knowledge you have. If there is ever a rare network failure causing you to be able to type but not
Re: (Score:2)
Except that in this case, the "line voltage" is 5V DC.
It's USB.
The whole 110 / 220 volt thing in the GP's post was a joke.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not very. USB has overcurrent protection on ports by design, so they will simply shut down.
Re: (Score:2)
Re: (Score:2)
Maybe. Keep in mind that nowadays overcurrent protection is normally implemented on the USB controller itself so it is not a premium feature by any stretch.
In any case it would certainly not hurt a Thinkpad.
Re: (Score:2)
In case you weren't paying attention to the video in the article, the demo laptop WAS a Thinkpad.
And it was thoroughly HOSED.
Re: (Score:2)
Yes, by overvoltage. Not overcurrent, which is what the parent proposed.
Pay attention.
Re: (Score:2)
For Pete's sake. Do you understand what happens when you short the +V rail into ground?
Some reference material for you [wikipedia.org].
Also, if voltage is what kills electronics I invite you to randomly start shorting connectors on your motherboard with a piece of wire. Delta V = zero. You'll have a lot of fun, I promise.
Re: (Score:2)
"Also, if voltage is what kills electronics I invite you to randomly start shorting connectors on your motherboard with a piece of wire."
You apparently fail at understanding what ESD is.
Re: (Score:2)
I understand perfectly what ESD is. I'm just not stupid enough to suggest that electronics can only be killed by overvoltage, which is what you proposed. In caps.
Seriously, you're arguing over things you evidently do not understand.
Re: (Score:2)
"I'm just not stupid enough to suggest that electronics can only be killed by overvoltage, which is what you proposed"
Pay attention. I didn't say that was the ONLY way. QUOTE ME ON WHERE IT WAS STATED AS SUCH.
You're fucking inserting words where they are not fucking stated. You are WRONG.
Re: (Score:2)
Sure:
No, you need to pay attention. Maybe take a few EE classes or something. VOLTAGE is what kills electronics. Hence VOLTAGE is what is being implied. YOU pay attention.
I took EE classes when I got my engineering degree. Voltage kills electronics alright, but it is not "what kills electronics" alone - see overcurrent, thermal damage, electromigration, overstress and semiconductor degradation for a couple other examples. And finally, no, voltage is NOT what the parent was implying when he proposed shorting the power (positive) terminal into ground.
I don't feel like arguing over semantics any longer. I'd suggest you read a bit on the subject though (it is quite interes
Re: (Score:2)
" And finally, no, voltage is NOT what the parent was implying when he proposed shorting the power (positive) terminal into ground."
There you go, reading into what someone says and talking without proper information.
"I'd suggest you read a bit on the subject though (it is quite interesting) and tone down the moral superiority on your replies in the meantime."
I design and repair electronics systems. I've worked for Google doing such. I design power distribution systems and horticultural automation systems.
Re: (Score:2)
Don't need to. What the OP asked is "what happens when you short the positive and negative terminals on an USB port?". The answer is it shuts down, and the reason is that the overcurrent protection kicks in.
All the mumbo jumbo about voltage was introduced by you, out of the blue. I honestly have no idea why.
Re: (Score:2)
"When you short the positive and ground terminals of a USB port, you don't magically increase the voltage"
No, but you'll quite often kill the system because now you've got a constant power feed loop just generating shit tons of heat in the chip since it's going nowhere. Take a typical 3.7V e-cig atomizer coil, wire it up to hook to the 5V and ground terminals of a USB plug, plug it in, and activate it. Within five seconds your system will shut down and you'll likely have damage done to your ports, headers,
Re: (Score:2)
You won't. An e-cig coil is nothing but a loop of heating wire with low resistance (between 1 and 4 ohms) and negligible inductance - it would effectively short the USB power output for that port, triggering the overcurrent protection and shutting it down in the process.
Re: (Score:3)
Dead USB port, at most. And most (if not all) USB ports nowadays have self-resetting overcurrent protection so there would be no permanent damage.
Re: (Score:2)
So I've got a vaporizer coil on a USB cable. Here's a USB 3.0 system. It's dead, Jim. Self-resetting protection means there's some way for power to leak versus a true fusible link which blows in its entirety.
Re: (Score:3)
OverCURRENT, *NOT* overVOLTAGE.
This is a voltage-based attack. Imagine an ESD except it's deliberately fed into the system instead of accidentally conducted through minor plasma arcing.
Re: (Score:2)
I had a laptop where one of the plastic tabs in the USB port that the contacts are mounted to broke off. Inserting a plug into that port almost always caused a short of the 5V line to ground and the laptop would instantly turn off. Aside from having to reboot and any file system corruption that goes along with an unclean shutdown, no harm was ever noticed.
Re: (Score:2)
No, he means accidentally shorting the terminals on the USB killer stick.
Basically shorting a small capacitor. The summary says "With the help of a voltage converter the device's capacitors are charged to 220V" which is next to useless if you don't know what size the capacitor is. Equally useless is "pumping voltage into the computer". Yeah without the number of milliamps there is no way to tell.
My guess is the thing has to look like a real usb stick, so it will probably just give a small spark and be done.
Re: (Score:2)
Re: (Score:3)
The USB spec requires that auto-resetting overcurrent protection be provided but it doesn't require it to be specific to an individual port. So a shorted USB device can knock out several ports but is unlikely to bring down the whole computer (unless it's something like a raspberry pi).
Re: (Score:2)
> The USB spec requires that auto-resetting overcurrent protection be provided but it doesn't require it to be specific to an individual port. So a shorted USB device can knock out several ports but is unlikely to bring down the whole computer (unless it's something like a raspberry pi).
Wouldn't "overcurrent protection" in the USB spec mean, "shut off if a connected device is trying to drain too much power (amperage) from the USB power pins"? Akin to your home's circuit breaker that prevents overloads?
It apparently does not mean, "shut off if a connected device unexpectedly has its own independent power source and applies it to the data pins". Normally a device plugged into a USB port drains power from that port and does not independently supply it.
Re: (Score:2)
> It apparently does not mean, "shut off if a connected device unexpectedly has its own independent power source and applies it to the data pins". Normally a device plugged into a USB port drains power from that port and does not independently supply it.
You're right. But that is not overcurrent nor the case the parent was proposing.
Re: (Score:2)
Wouldn't this be fraud? I mean you intentionally break a working device and then claim somebody else has to pay for a new and better one. I highly suspect you could end up in jail if you are caught doing a scam like that.
Re: (Score:3)
It sure is but, as long as it was only a few devices, how would you get caught? You would have to do something moronic like post about it on a forum or something.
Re: (Score:2)
Wow, admitting to felony fraud on a public forum while logged in. Great idea!