Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security Data Storage Hardware Hacking Hardware

USB Killer 2.0: a Harmless-Looking USB Stick That Destroys Computers 229

An anonymous reader writes: Plugging in random USB sticks in your computer has never been more dangerous, as a researcher who goes by the name Dark Purple has demonstrated his new device: USB Killer 2.0. When plugged into a computer, the deadly USB draws power from the device itself. With the help of a voltage converter the device's capacitors are charged to 220V, and it releases a negative electric surge into the USB port. This surge "fries" the USB port and, in the researcher's demonstration, the motherboard — perhaps not always after the first surge, but the malicious USB device repeats the process until no more power can be drawn.
This discussion has been archived. No new comments can be posted.

USB Killer 2.0: a Harmless-Looking USB Stick That Destroys Computers

Comments Filter:
  • by RobinH ( 124750 ) on Thursday October 15, 2015 @09:44AM (#50735009) Homepage
    If you have local access to the PC you could just use a sledgehammer. The old 120V into the network port almost always fries the NIC as well. The fact that someone with physical access can damage your PC shouldn't be a big surprise.
    • by 0123456 ( 636235 ) on Thursday October 15, 2015 @09:46AM (#50735033)

      Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.

      • Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.

        And then fire their asses for being enough of a dumbfuck to use a USB stick they found in a parking lot.

        • by Rob MacDonald ( 3394145 ) on Thursday October 15, 2015 @10:07AM (#50735211)
          Worked for Stuxnet and most other state sponsored cyber attacks. Just saying. We recently ran a "security awareness" month at the UNI I work for, giving away free flash keys to students who could show us their phone was secured at least with a password or pattern. They seemed surprised that no one bothered and most people told them they are too lazy to have to swype a pattern to unlock their phones. My suggestion was to custom build some pseudo malware, load it on those flash keys, or a set of flash keys, and leave them around campus. Nothing nefarious would happen to the user who did insert it other than an autorun popup informing them that we could have owned them right there if we wanted. The didn't go with my plan, I might still do it on my own. I'm nice like that, when I taught myself to crack into WEP and weak WPA access points that had the management page accessible over wifi and the default admin passwords set, I promptly change their SSID and passwords, letting them know they need to lock that shit down. I'm nice like that
          • by 140Mandak262Jamuna ( 970587 ) on Thursday October 15, 2015 @10:50AM (#50735657) Journal

            My suggestion was to custom build some pseudo malware, load it on those flash keys, or a set of flash keys, and leave them around campus. Nothing nefarious would happen to the user who did insert it other than an autorun popup informing them that we could have owned them right there if we wanted.

            Don't do it on your own. Don't do it with serious back up and written guarantee for support from higher ups. What you are doing is very similar to finding homes with unlatched/unlocked back porches, walking in sitting in the living room sofa and shouting boo when the home owners walk in. No matter how sensible and helpful your advice is, the homeowners are going to be jumpy, irritated, made to look like fools and they will hate you intensely.

            Try to do it differently. Create these USB warning devices as you planned, but give them to students, tell them what it does and ask them to "educate" their friends and relatives. Watermark each device so that they don't prank unsuspecting people.

          • by Kokuyo ( 549451 )

            So in your world accessing an open website with default credentials counts as 'cracking'?

            • If you live in the same world as Andrew Auernheimer (for slightly different but very related case), then yes, the jury does seem to think that accessing unsecured data that someone else doesn't want you to counts as 'cracking' and can lead to jail time.

        • I wonder how many of these people would also inject themselves with a syringe filled with glowing green goo they happened to find labeled "Super-serum"?

        • And, yet, it apparently works [zdnet.com]. As in people have done it before. And, if dropping them in the parking lot doesn't work, stamp a logo on them, put them in a package with official looking marketing glossy, and send them as targeted attacks.

          See, the problem is the humans are always the weak links in your chain.

          Of course, you can't target what machines might be impacted. But if the general plan is mayhem, that's always easy to achieve.

      • Except that even if they follow policy and hand them into cyber security, the cyber guys will want to know if they have company information on them, and their computer gets fried!

      • by Darinbob ( 1142669 ) on Thursday October 15, 2015 @04:03PM (#50738351)

        Someone left a sledgehammer lying in the parking lot. Cool, I thought. So I picked it up, went inside, then smashed my computer. Whoops, I was fooled.

    • The concern is not that I will sneak into your room and use my deadly USB killer on your computer.

      Instead, the concern is that someone (like say Uber) will print up 300 USB Killers, perhaps with a label that says something like "best porn", and scatter them around the competition's headquarters (like say Lyft - or vice versa).

      Then some curious Vice President or CEO picks them up and puts them in his computer...

      Found USB sticks - the poor man's 'super hack'.

    • by xxxJonBoyxxx ( 565205 ) on Thursday October 15, 2015 @09:48AM (#50735057)

      >> someone with physical access can damage your PC

      This isn't a local access attack, though. Instead, you label your attacking USB stick with your target company's name and leave it in the parking lot or at a restaurant where you know a lot of your target's employees visit. Some foolish altruist will frequently pick it up and shove it into their computer when they get back to the office. This kind of thing works great for infecting someone's computer with command-and-control malware; if anything this "wreck the computer" attack seems less useful.

      • if anything this "wreck the computer" attack seems less useful.

        Imagine that you're a CIO tasked with protecting data worth billions of dollars.

        Drop a few of these in the parking lot or cafeteria, and write off a few $800 Dells to find and eliminate the employees who cannot be trained to not do stupid things that will severely damage the company.

        I'd do it.

    • This attack is hardly high on my list of concerns(since, as you say, there are more unpleasant things to do if you have access); but it might be an issue for 'kiosk' type systems.

      If you go into a CVS or other place that does photo printing, they usually have a couple of computers so you can plug in your camera or flash drive and self-serve, maybe do a few cheesy edits. Kinkos and the like do the same thing for printing from or scanning to flash drives. Those are the sorts of places where you can't really
    • It's easier than that in most of Europe (well, things might have improved since I left but...)

      Once upon a time a friend of mine was leaving the company. He didn't much care for my co-worker, who sat next to me, and nor did most of the rest of the company. So on his way out, passing by our desks, he quietly flipped the voltage selector on the PSU of my co-workers PC, which was at the time (and possibly now?) on the outside of the case at the rear of the PC where virtually anyone can access it, from 220V t

    • If you have local access to the PC you could just use a sledgehammer.

      Yeah, I suppose you could carry a 10 pound sledgehammer around and spend time beating a computer and making plenty of noise doing it. Or, you could carry a USB stick a few grams in your pocket and take a second to fry the electronics while making hardly any noise (depending on what you're frying, of course).

      You can also carry a gun and just shoot the computer. Or throw it out a window, or into water. All of those "use cases" for computer destruction are different than the use case for the USB stick.

      The fact that someone with physical access can damage your PC shouldn't be a big surprise.

      That'

  • ... news on the CD which when hit with an infrared laser causes the embedded explosives to detonate!

  • by thinkwaitfast ( 4150389 ) on Thursday October 15, 2015 @09:55AM (#50735109)
    This is the best that I could find (in 6 seconds or less)

    http://i.ebayimg.com/00/$(KGrH... [ebayimg.com]

  • by jeffb (2.718) ( 1189693 ) on Thursday October 15, 2015 @09:55AM (#50735115)

    If you believe that any unfamiliar USB stick looks "harmless", you clearly haven't been paying attention.

    • ya-know - another idea might be to charge the device to a higher voltage - and then have metal edges exposed through the stick. So that the shock is delivered to the User when they attempt to pull it out.

      The stick would do nothing to the computer - maybe even be empty or show an error. But zap the user could be the prank.

      Kind of a whoopie cushion for computers. Oooh oooh - it could emit blue smoke !!

      Yup - I see this being available for April 1 next year.

  • So we're not even reading TFS anymore peeps?

    Plugging in random USB sticks in your computer has never been more dangerous

    I think the point of this hack is to catch people who pick up random sticks and see whats on them, something I would never, ever do. Nothing to do with needing physical access to the machine, the rube who picked the stick up is all the "access" you need. Someone up there has already made the suggestion of using them for corporate sabotage (Uber vs Lyft), scattering these things around the right place could cause all sorts of drama.

    Also, that poor thinkpad :(

  • It has been discovered that repeatedly dropping a 20 pound sledgehammer on your laptop's keyboard is equally harmful.

  • BREAKING NEWS (Score:3, Insightful)

    by bsdasym ( 829112 ) on Thursday October 15, 2015 @10:02AM (#50735169)
    Plugging random things into your computer can damage it.

    Be sure to watch our followup segment on what could be in that suspicious red can you found labeled "free gas!" The results are horrifying!
  • My question is, why would someone want to do this in the first place? Yes, it's possible, but destroying someone's computer is generally not profitable to the attacker. It's much more valuable to take over a computer for a botnet, to steal information, or hold information hostage. So while this is possible, I don't see it ever becoming a real problem. The only situation I could see is in trying to hurt competition or good old fashioned revenge. I have to believe the oldest danger is still the most real
  • There should be extension cables that would have a trip switch for voltages that are that high. Trip switches should really be included in the computing device itself, really. Since when people connect light bulbs or any appliance directly to the main generator without anything inbetween?

    • by Khyber ( 864651 )

      "Since when people connect light bulbs or any appliance directly to the main generator without anything inbetween?"

      All the time. Welding is one example. Incandescent lights don't need anything more than the right voltage and some current. If that genhead is pushing ~170V peak to peak then pretty much anything US power-based plugged right in will work.

    • A couple of MOV's and a fuse or two will do the trick... If you insist, a "crowbar" circuit that shorts the pins to ground if the voltage exceeds about 10 volts. Easy fix with a handful of components if the board makers wanted to.

      I just seriously doubt this idea will catch on. It's too expensive to duplicate the devices, the device is physical evidence which could aid in tracing it to it's source and the result is basically vandalism so it's of little use to the criminals looking for a profit.

  • Do USB hubs sufficiently insulate computers from this attack?

    • I broke a front USB port recently - my headphones were connected, I tripped on the cable and a jerk twisted the USB port.
      Windows 10 reported an error on screen that "There has been a power surge on a USB port and the device has been disabled" or some such. So perhaps, at least Windows 10, seems to be able to detect power surges.

    • by hey! ( 33014 )

      Probably some but not necessarily enough. It depends on how much energy the device packs. I'm guessing not much, because it uses tiny, high voltage capacitors to store energy; they're not going to be able to deliver much current.

      In principle the discharge could travel through the damaged circuits of the hub, up the host cable to the computer, but damaging the hub is work and takes energy so you might luck out, although I wouldn't count on it. Instead I'd get a USB hub with electrostatic discharge (ESD) pr

  • Can this be identified by physical examination? This is disturbing because it can be used to damage an unsuspecting Noob's machine and he wont know what cause it .. Not good.
    • This is disturbing because it can be used to damage an unsuspecting Noob's machine and he wont know what cause it .. Not good.

      When the Noob puts a random USB stick into his computer and immediately hears a buzz and a pop, and the screen goes blank, I think that the Noob should know exactly what caused it.

  • I can envision computers at tradeshows being equipped with these:
    http://www.amazon.com/Lindy-US... [amazon.com]

  • Seriously. People keep "borrowing" USB flashes from me all the time.
  • by dskoll ( 99328 )

    To protect against that, you'd need some beefy diodes or zener diodes to divert any harmful energy. Can't see MB manufacturers doing that any time soon.

  • This gives us a whole new thing we can call a "Flash Drive"... Imagine the confusion this will cause..

Promising costs nothing, it's the delivering that kills you.

Working...