Slashdot Mirror
USB Killer 2.0: a Harmless-Looking USB Stick That Destroys Computers
An anonymous reader writes: Plugging in random USB sticks in your computer has never been more dangerous, as a researcher who goes by the name Dark Purple has demonstrated his new device: USB Killer 2.0. When plugged into a computer, the deadly USB draws power from the device itself. With the help of a voltage converter the device's capacitors are charged to 220V, and it releases a negative electric surge into the USB port. This surge "fries" the USB port and, in the researcher's demonstration, the motherboard — perhaps not always after the first surge, but the malicious USB device repeats the process until no more power can be drawn.
Bonus points if it has some legitmate function before it's ready to strike: 802.11n adapter, etc.
So the first version only generated 110v while the second generated 220v, is this because of the different USA/Europe markets?
If you have local access to the PC you could just use a sledgehammer. The old 120V into the network port almost always fries the NIC as well. The fact that someone with physical access can damage your PC shouldn't be a big surprise.
"I have never let my schooling interfere with my education." - Mark Twain
I haven't done so and I won't, how bad will it be if the positive and ground terminals were shorted?
... news on the CD which when hit with an infrared laser causes the embedded explosives to detonate!
This is from the Daily Mail not the best British of newspapers. It making these takes lot of time and effort, dropping it in a bucket of tap water would be lot cheaper
Sledge hammers, axes, picks, power drills, reciprocating saws...
All relatively simple tools that accomplish the same thing if you are close enough to stick a thumb drive into a port.
Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.
This was never a problem with passive media like CD-ROM. The worst that might happen is that a CD could be fabricated to shatter when it spins, but that would only damage the CD-ROM drive, not the motherboard.
Instead, the concern is that someone (like say Uber) will print up 300 USB Killers, perhaps with a label that says something like "best porn", and scatter them around the competition's headquarters (like say Lyft - or vice versa).
Then some curious Vice President or CEO picks them up and puts them in his computer...
Found USB sticks - the poor man's 'super hack'.
excitingthingstodo.blogspot.com
>> someone with physical access can damage your PC
This isn't a local access attack, though. Instead, you label your attacking USB stick with your target company's name and leave it in the parking lot or at a restaurant where you know a lot of your target's employees visit. Some foolish altruist will frequently pick it up and shove it into their computer when they get back to the office. This kind of thing works great for infecting someone's computer with command-and-control malware; if anything this "wreck the computer" attack seems less useful.
http://hackaday.com/2015/10/10...
YOU have physical access to your computer. YOU insert the "Free USB stick" you received totally free from the attacker. The attacker doesn't need to access your computer himself.
I did something similar a few years back. I worked for a certain "fruit"-based tech company that has (had?) a policy in place that said if we repaired the same piece of hardware, through no detectable fault of the owner, 3 times in a 12 month period, that the customer was to get a brand new current model computer for free. So in an effort to get upgraded stuff for my family and friends, I spliced an AC power plug to a Cat5 ethernet cable. When I'd plug them all together, it would usually trip the breaker on the electrical panel and sometimes blow sparks out of the ethernet port, but within one or two attempts the logic board (or motherboard for you non-"fruit" techs) would be fried and no one was ever the wiser. o.0
http://i.ebayimg.com/00/$(KGrH...
If you believe that any unfamiliar USB stick looks "harmless", you clearly haven't been paying attention.
Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.
And then fire their asses for being enough of a dumbfuck to use a USB stick they found in a parking lot.
If people are picking up USB devices in the parking lot and plugging them into their work computers then a destroyed motherboard and USB port is hardly the worst consequence of this scenerio. Access to the data on the computer on what they can access with that computer would be much more damaging.
Plugging in random USB sticks in your computer has never been more dangerous
I think the point of this hack is to catch people who pick up random sticks and see whats on them, something I would never, ever do. Nothing to do with needing physical access to the machine, the rube who picked the stick up is all the "access" you need. Someone up there has already made the suggestion of using them for corporate sabotage (Uber vs Lyft), scattering these things around the right place could cause all sorts of drama.
:(
Also, that poor thinkpad
[Sorry, this signature is unavailable in your country/region]
I think the dangers are
1) A sledgehammer is very noticable, whereas a small USB device could be used to discretely (asuming the 220v surge doesn't create a sparking, popping, or other visable/audible indication) destroy computers in a public place (like a library). It may not seem like much of a difference, but you know how it is...give a script kiddie an easy to use tool and they'll cause mayhem just for the heck of it. I'm sure some a-hole will start selling these devices on ebay or something to make them easy to get your hands on
2) Speaking of selling on ebay, I could also see some ahole selling these on ebay, pretending they are legit devices. If they wanted to maximize the mayhem, they'd do something like make it wait until after a certain date, or until the 100th power up before it does the damage, so that you could first get a lot of them out there before the destruction starts. And as a benefit, that would make it more difficult to locate the source of what went wrong (the vast majority of users would have no idea what went wrong, unless they had multiple computers destroyed by it and could start to connect the dots).
3) I could also see someone leaving these around in various places for unsuspecting people to pickup and plug into their computer. I know I've done that before...found a usb stick and plugged it in to try to find out who it belongs to.
It has been discovered that repeatedly dropping a 20 pound sledgehammer on your laptop's keyboard is equally harmful.
"Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)
Then some curious Vice President or CEO picks them up and puts them in his computer...
... and a company with 6-digit expenses has to add a low 4-digit expense to their list, with an extra 4 hours of restoring the backup. During those 4 hours, the VP has a discussion with IT about the dangers of plugging unknown devices into computers of any kind, and requests a resend of all relevant communications since the last nightly backup.
Since the damage is contained to one system, and nothing is stolen, this attack is about as disruptive as an unexpected hardware failure. Which, honestly, it is. If a lot of employees try to use death-sticks like these, then it has the potential to become a catastrophic hardware failure situation.
Plugging random things into your computer can damage it.
Be sure to watch our followup segment on what could be in that suspicious red can you found labeled "free gas!" The results are horrifying!
And companies are absolute shit at keeping stuff secret. When it becomes public that company A pulled this stunt, company A will be sued out of existence.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Worked for Stuxnet and most other state sponsored cyber attacks. Just saying. We recently ran a "security awareness" month at the UNI I work for, giving away free flash keys to students who could show us their phone was secured at least with a password or pattern. They seemed surprised that no one bothered and most people told them they are too lazy to have to swype a pattern to unlock their phones. My suggestion was to custom build some pseudo malware, load it on those flash keys, or a set of flash keys, and leave them around campus. Nothing nefarious would happen to the user who did insert it other than an autorun popup informing them that we could have owned them right there if we wanted. The didn't go with my plan, I might still do it on my own. I'm nice like that, when I taught myself to crack into WEP and weak WPA access points that had the management page accessible over wifi and the default admin passwords set, I promptly change their SSID and passwords, letting them know they need to lock that shit down. I'm nice like that
Another great thing you can try: Pour sugar into a car's tank. Or how about this one: Throw a stone into a window. Most windows are not designed to withstand such a clever attack. WTF folks.
If people are picking up USB devices in the parking lot and plugging them into their work computers then a destroyed motherboard and USB port is hardly the worst consequence of this scenerio. Access to the data on the computer on what they can access with that computer would be much more damaging.
For whom? Access to the data is an "externality" since it will never be traced to them and will probably only lose their company some money. Having your motherboard explode at the same time as many other people did so by plugging in a USB dongle might lose them their job. I think that's probably alot more important to them.
#4: Go to local retail store which has a big bin of discounted sticks. Buy some, modify them, put them back.
>> someone with physical access can damage your PC
This isn't a local access attack, though. Instead, you label your attacking USB stick with your target company's name and leave it in the parking lot or at a restaurant where you know a lot of your target's employees visit. Some foolish altruist will frequently pick it up and shove it into their computer when they get back to the office. This kind of thing works great for infecting someone's computer with command-and-control malware; if anything this "wreck the computer" attack seems less useful.
Less useful, except for one purpose: teaching them a valuable lesson about trust or at least verification. By contrast most malware tries not to be detected.
I've heard it said that few things would benefit internet security as a whole, more than a virulent piece of malware that spreads for a while and then cryptographically wipes every writable volume on the machine (like the "bcwipe" utility). Then insecure machines run by the incompetent would be taken offline instead of participating in botnets and their owners would know with certainty that yes, there is a problem. Considering these are the same people who tend not to have good backups, it would be a lesson not soon forgotten. The whole "the computer is slow but that's normal they all do that after a while derp" affair is only increasing botnet membership which creates problems for those who have their shit together and therefore don't deserve them.
But it's not a hack. Is smashing at router with a hammer a hack? This is pure destruction, no real hack involved. It's much more efficient to deliver your malware via those keys instead of just straight up trying to fry whatever you are connected to. That gives you away as soon as you insert it, and doesn't really do much because no enterprise relies on local storage on client machines, all the data is backed up, hosted in clusters, and perfectly usable. I suspect this "attack" much like the same deal but with an ethernet port, would probably be stopped by most PoE routers/switches as they typically have some surge protection. They detect voltages and resistance and determine the class of PoE device by the resistance offered, each port is configured for a min and max allowance. I don't see this getting past one of those. It seems nasty and scary but is effectively useless.
My question is, why would someone want to do this in the first place? Yes, it's possible, but destroying someone's computer is generally not profitable to the attacker. It's much more valuable to take over a computer for a botnet, to steal information, or hold information hostage. So while this is possible, I don't see it ever becoming a real problem. The only situation I could see is in trying to hurt competition or good old fashioned revenge. I have to believe the oldest danger is still the most realistic: hidden viruses that are much less obvious.
The stick could download crap from the network and send it out over the Internet first, then fry the computer when it's done to destroy any evidence.
Except that even if they follow policy and hand them into cyber security, the cyber guys will want to know if they have company information on them, and their computer gets fried!
love is just extroverted narcissism
Give the stick to some secretary and you can use THEIR physical access. Good luck leaving sledgehammers in the parking lot and hoping the local employees bash the computers with them.
The real evil will not the data that is lost (probably none, since you run your station from a VDI somewhere in the enterprise cloud), the real evil is getting a 3-4 digit amount approved to spend.
There should be extension cables that would have a trip switch for voltages that are that high. Trip switches should really be included in the computing device itself, really. Since when people connect light bulbs or any appliance directly to the main generator without anything inbetween?
Do USB hubs sufficiently insulate computers from this attack?
-- I was raised on the command line, bitch
Can this be identified by physical examination? This is disturbing because it can be used to damage an unsuspecting Noob's machine and he wont know what cause it .. Not good.
The secretary is going over the disavowing guidelines in the employee handbook.
Use a mini hub.
Is going to say just take a sledge hammer to the computer. sigh.
I can envision computers at tradeshows being equipped with these:
http://www.amazon.com/Lindy-US...
My suggestion was to custom build some pseudo malware, load it on those flash keys, or a set of flash keys, and leave them around campus. Nothing nefarious would happen to the user who did insert it other than an autorun popup informing them that we could have owned them right there if we wanted.
Don't do it on your own. Don't do it with serious back up and written guarantee for support from higher ups. What you are doing is very similar to finding homes with unlatched/unlocked back porches, walking in sitting in the living room sofa and shouting boo when the home owners walk in. No matter how sensible and helpful your advice is, the homeowners are going to be jumpy, irritated, made to look like fools and they will hate you intensely.
Try to do it differently. Create these USB warning devices as you planned, but give them to students, tell them what it does and ask them to "educate" their friends and relatives. Watermark each device so that they don't prank unsuspecting people.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
So in your world accessing an open website with default credentials counts as 'cracking'?
Seriously. People keep "borrowing" USB flashes from me all the time.
This attack is hardly high on my list of concerns(since, as you say, there are more unpleasant things to do if you have access); but it might be an issue for 'kiosk' type systems.
If you go into a CVS or other place that does photo printing, they usually have a couple of computers so you can plug in your camera or flash drive and self-serve, maybe do a few cheesy edits. Kinkos and the like do the same thing for printing from or scanning to flash drives. Those are the sorts of places where you can't really get out a hammer or just plug one end of a cord into the wall and the other end into the USB port; but plugging in a flash drive and playing the hapless technophobic customer who doesn't understand why it isn't working if anyone confronts you would be doable.
Still a lot of trouble for a little petty destruction; but we are talking about humans here.
All the evidence apart from the logs held on the hard disk...
To protect against that, you'd need some beefy diodes or zener diodes to divert any harmful energy. Can't see MB manufacturers doing that any time soon.
It is a 'social hack' in that you trick someone into doing something nefarious. One wouldn't plug these devices into computers themselves, that would be silly. The goal is to get others to fry their own machines.
Like someone else posted earlier, you could have malware on this too. If the malware was successfully installed, it does _not_ trigger the self-destruct (so the malware can exfiltrate data), but if the malware fails to embed itself, the USB device fries the machine.
Depends on your aim. Malware isn't going to harm them directly. It'll slow down the computer but they'll likely detect and quarantine it. More useful is targetted espionage, collecting files, password, key strokes etc. But that's if they have information you want. If your only aim is to harm the company (disgruntled ex-employee / fed up customer) then you might be happy with just costing them money to replace their hardware. Bonus points if they brick several computers before they realise it's the dongle.
I wonder how many of these people would also inject themselves with a syringe filled with glowing green goo they happened to find labeled "Super-serum"?
Irony: Agile development has too much intertia to be abandoned now.
It's easier than that in most of Europe (well, things might have improved since I left but...)
Once upon a time a friend of mine was leaving the company. He didn't much care for my co-worker, who sat next to me, and nor did most of the rest of the company. So on his way out, passing by our desks, he quietly flipped the voltage selector on the PSU of my co-workers PC, which was at the time (and possibly now?) on the outside of the case at the rear of the PC where virtually anyone can access it, from 220V to 110V.
Which might have been slightly funny, if abusive and unprofessional, except the fucker got the PC wrong and killed my PC instead (or rather, I did when I turned my PC on in the morning.)
I got a free drink and many apologies after it was discovered what had happened. So there's that.
You are not alone. This is not normal. None of this is normal.
That may be "nice" but never let that sort of activity be traceable. Still counts as "hacking" to people who would spend time and money prosecuting you
If you live in the same world as Andrew Auernheimer (for slightly different but very related case), then yes, the jury does seem to think that accessing unsecured data that someone else doesn't want you to counts as 'cracking' and can lead to jail time.
#include "standard_disclaimer.h"
The method of delivery is a hack. The payload isn't.
And, yet, it apparently works. As in people have done it before. And, if dropping them in the parking lot doesn't work, stamp a logo on them, put them in a package with official looking marketing glossy, and send them as targeted attacks.
See, the problem is the humans are always the weak links in your chain.
Of course, you can't target what machines might be impacted. But if the general plan is mayhem, that's always easy to achieve.
Lost at C:>. Found at C.
You talk about planning to commit a felony, and your profile appears to use your real name, Rob MacDonald. Are you an idiot?
I'm just going to leave this here: http://www.fiftythree.org/etherkiller/
That's why you make it erase the HD first then fry it. Come on, you know this.
This gives us a whole new thing we can call a "Flash Drive"... Imagine the confusion this will cause..
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
no enterprise relies on local storage on client machines
Hey, don't make me shoot coffee out my nose!
What happens if you plug this into a powered USB hub? Does it fry the hub?
At least hub makers could (re)design their products to handle this.
I come here for the love
Looks like it could be used to deliberately zap your own PC if it seemed imminently threatened with physical seizure by "authorities"...
If you have local access to the PC you could just use a sledgehammer.
Yeah, I suppose you could carry a 10 pound sledgehammer around and spend time beating a computer and making plenty of noise doing it. Or, you could carry a USB stick a few grams in your pocket and take a second to fry the electronics while making hardly any noise (depending on what you're frying, of course).
You can also carry a gun and just shoot the computer. Or throw it out a window, or into water. All of those "use cases" for computer destruction are different than the use case for the USB stick.
The fact that someone with physical access can damage your PC shouldn't be a big surprise.
That's not what this story is about. The headline doesn't say "man figures out how to damage computer".
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
It worked for Google...no jail time.
ATMs have USB ports. I'm just sayin'...
Was that the ../../ in the address bar guy?
One better, how about making it look like HP Smart Start.... ouch
if anything this "wreck the computer" attack seems less useful.
Imagine that you're a CIO tasked with protecting data worth billions of dollars.
Drop a few of these in the parking lot or cafeteria, and write off a few $800 Dells to find and eliminate the employees who cannot be trained to not do stupid things that will severely damage the company.
I'd do it.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
In the early 1990s, before USB, there was a push for parallel port dongles and ISA port cards. The company I was working for at the time was about to do exactly this -- the software would be scanned and the CRCs executables sent to the dongle or card. If they didn't match, the card would use a voltage multiplier to fry the computer. Since this was noted in the EULA that "physical damage can occur if the software is tampered with",
TFA said there was a previous version that was 110V. They probably changed the charge pump / aconverter design to increase the zap voltage.
Totally useless technology produced from a malicious waste of time. Destroying things is very, very easy. Try doing something that makes a difference in our survival.
~daedlanth
So always ask for expense report so you know where your money is going.
Stuxnet was most definitely deployed by spies working inside the enrichment facility.
RIP Thinkpad
TSA: "We're going to have to take a look through all your laptops, memory devices and phones, sir."
Didn't they just have a big computer outage recently?
Because this is how you get incarceration.
Make sure everyone's vote counts: Verified Voting
Very likely. Why overvolt by 30.5x when you can go all the way to 61x?
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Why is this even a thing? It's in no way ingenious, just destructive. Voltage doublers/transformers are old school - how do you think camera flashes work? This is just another case of $OLD_INVENTION "... in a USB stick!" syndrome.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
We recently ran a "security awareness" month at the UNI I work for, giving away free flash keys to students who could show us their phone was secured at least with a password or pattern. They seemed surprised that no one bothered and most people told them they are too lazy to have to swype a pattern to unlock their phones.
Did they also ask if the students that didn't bother had anything important on their phone? Perhaps they realized that password and patterns are easily circumvented and instead made sure that anyone who got access to the phone didn't get anything important.
Perhaps they never leave their phone unattended and decide that that security is enough. It's not like my house or car keys are protected by a pin-code, and those are far more important than my phone.
Essentially, they could easily have made a far more advanced security decision than what was tested for.
Yeah, even if it wasn't one of these devices from TFA, that's still a pretty stupid thing to do. For all you know there could be kiddie porn on it. And you're sticking that thing in your work PC with all the associated monitoring that comes with the territory?
"I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
But I use a Mac running OS X... I'm immune to this, right? /sarcasm
Couldn't the same thing be applied to micro USB and kill cell phones? Though I suppose it may take longer time to build the necessary charge.
Someone left a sledgehammer lying in the parking lot. Cool, I thought. So I picked it up, went inside, then smashed my computer. Whoops, I was fooled.
Or label it with "Widgets Inc Salary Data". Nobody can resist taking a peek at that.
if anything this "wreck the computer" attack seems less useful.
Imagine that you're a CIO tasked with protecting data worth billions of dollars.
Drop a few of these in the parking lot or cafeteria, and write off a few $800 Dells to find and eliminate the employees who cannot be trained to not do stupid things that will severely damage the company.
I'd do it.
Ya, watch the person you catch to be the CEO.
Why do you think Apple did TouchID? It was because Apple realizes that most people don't use a PIN code or whatever because it's a hassle. And looking at usage patterns of phones, it's not really a big surprise - those things are used literally 1000 times a day for seconds to minutes per use. Entering even a 4 digit PIN 1000 times a day gets old, quick.
So most people don't actually use it.
Apple realized the only way to fix this is to have some sort of thing where users don't have to do anything - unlocking their phone happens automatically within seconds of picking it up.
Doing this means users can have a PIN (or even a complex one!) to lock their phone, yet still have the convenience of being able to use their phone at a moment's notice.
Because having a PIN is way better than not having one. And having one is a PITA when you want to quickly look at something and it takes a few seconds to enter your pin/swipe your pattern/scan your face.
No, TouchID is not perfect, and Apple treats fingerprints as lower security than passcodes or PINs (hence the requirement to use a PIN after 48 hours, or on a reboot). But if it brings up the PIN code usage from 10% to 60% or more, that's a net benefit to security.
120 V into the NIC does very little. NIC's are transformer coupled and the transformers couple very little low frequency. Most NIC magnetics provide about 1,500 Volts isolation. This provides protection from lightning induced surges. If you apply 120V on one pair of wires in the NIC, you simply burn out the transformer, but the power does not cross any further.
Caveot, POE has some DC coupling and could be damaged by excessive voltage. Most PC NIC's do not have POE.
The truth shall set you free!
When will they be selling them on Thinkgeek?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
A squirt gun with salt water in it.
Shoot the USB port and the computer will have problems.
WTF would someone spend time making something like this?
Are they trying to sell voltage protectors for USB ports?
Except this isn't a small usb stick. Watch the video closely.
There are wires coming out the back of the usb stick that go to the big transformer to the right.
Not something you're just going to pocket, and too big to be subtle.
*raises hand slowly*
"So long and thanks for all the fish."
"Alot" is not a word. Do you type afew? Alittle? Abunch? No? Then why would 'alot' be a word?
Slight variation, some bored kids were always hanging down the park just up the street. One of my friends decides to test a theory and pick up rocks whenever he finds them and leave in the park near where the kids hangout. After a few weeks the pile of rocks grows bigger until one day the building next door ended up with smashed windows.
Theory proven.
This.
IF I lose my phone, or if it gets stolen very little information of interest to a common thief is going to be found.
Oh, they'll get all my contacts and see a few text messages and they'll be able to use the phone until I do something about it.
losing my wallet or my keys (especially at the same time) would be much more troublesome.
I already did this when playing with an arduino and stepper motors. Accidentally bridged the 12v motor power supply with the 5v usb rail and poof! computer rebooted and came back up without sound. turns out i'd release the magic smoke from the on board sound controller.
That's a question of who your opponent is. If you are worried about the police, don't use the fingerprint.
I can throw myself at the ground, and miss.
Funny, I keep anything I need to access quickly that isn't worth securing on my lock screen--that is to say, when locked my phone is an excellent clock and I can see if I want to bother checking now any messages since it displays the number and what service it came in through. I want to be able to let people see my lock screen, if nothing else because it has a picture of one of a cute hamster.
Anything else? Because I use my pattern so often I don't even need to wake up, and I don't need to unlock my phone to answer calls--if my phone gets lost I want to be able to call it, and if somebody's found it I want them able to answer! (You have to unlock the phone to actually call anyone.)
Has anyone ever implemented this in reverse,ie.: modified a USB port to kill unauthorised devices? I am currently sketching up a design for doing so on a ThinkPad but would love some input on the electrical side.
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.