Slashdot Mirror
USB Killer 2.0: a Harmless-Looking USB Stick That Destroys Computers
An anonymous reader writes: Plugging in random USB sticks in your computer has never been more dangerous, as a researcher who goes by the name Dark Purple has demonstrated his new device: USB Killer 2.0. When plugged into a computer, the deadly USB draws power from the device itself. With the help of a voltage converter the device's capacitors are charged to 220V, and it releases a negative electric surge into the USB port. This surge "fries" the USB port and, in the researcher's demonstration, the motherboard — perhaps not always after the first surge, but the malicious USB device repeats the process until no more power can be drawn.
If you have local access to the PC you could just use a sledgehammer. The old 120V into the network port almost always fries the NIC as well. The fact that someone with physical access can damage your PC shouldn't be a big surprise.
"I have never let my schooling interfere with my education." - Mark Twain
Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.
Instead, the concern is that someone (like say Uber) will print up 300 USB Killers, perhaps with a label that says something like "best porn", and scatter them around the competition's headquarters (like say Lyft - or vice versa).
Then some curious Vice President or CEO picks them up and puts them in his computer...
Found USB sticks - the poor man's 'super hack'.
excitingthingstodo.blogspot.com
>> someone with physical access can damage your PC
This isn't a local access attack, though. Instead, you label your attacking USB stick with your target company's name and leave it in the parking lot or at a restaurant where you know a lot of your target's employees visit. Some foolish altruist will frequently pick it up and shove it into their computer when they get back to the office. This kind of thing works great for infecting someone's computer with command-and-control malware; if anything this "wreck the computer" attack seems less useful.
Bonus points if it has some legitmate function before it's ready to strike: 802.11n adapter, etc.
Hypothetically of course ... Just make lots and lots of these. Get a Sharpie. Label each of them with things like TAX DOCUMENTS, ACCOUNT NUMBERS, and definitely lots of them labelled PORN COLLECTION. Drop them in hotels, restaurants, restrooms, subways, bus stops, just leave them all over town. Hilarity ensues!
For more bonus points, act shocked when you hear about the mysterious computer-killing USB drives. Say you don't believe anyone would do such a thing.
http://i.ebayimg.com/00/$(KGrH...
make lots and lots of these
Label each of them with things like TAX DOCUMENTS, ACCOUNT NUMBERS, and definitely lots of them labelled PORN COLLECTION
Drop them in hotels, restaurants, restrooms, subways, bus stops, just leave them all over town
Open a computer repair shop
Profit!!
If you believe that any unfamiliar USB stick looks "harmless", you clearly haven't been paying attention.
Uh, no, it doesn't. You just drop a few of these in the parking lot outside a company, and wait for people to pick them up and stick them in their PC.
And then fire their asses for being enough of a dumbfuck to use a USB stick they found in a parking lot.
Sledge hammers, axes, picks, power drills, reciprocating saws...
All relatively simple tools that accomplish the same thing if you are close enough to stick a thumb drive into a port.
No, you miss the point. You don't need access to anyone's computer.
YOU don't put the thumb dive into someone's computer. You just leave it somewhere and THEY put it into their computer.
Anti espionage: Just leave one around the office if you suspect the cleaning crew.
Russian roulette: Get 1 killer USB and five legits and a few friends... take turns plugging into your computers.
Search and seizure revenge: "I warned you".
What if I use a USB hub? Seeing as how I have only one USB port in this new-fangled era where apparently cables don't matter anymore...
Do not look into laser with remaining eye.
Plugging random things into your computer can damage it.
Be sure to watch our followup segment on what could be in that suspicious red can you found labeled "free gas!" The results are horrifying!
And companies are absolute shit at keeping stuff secret. When it becomes public that company A pulled this stunt, company A will be sued out of existence.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Worked for Stuxnet and most other state sponsored cyber attacks. Just saying. We recently ran a "security awareness" month at the UNI I work for, giving away free flash keys to students who could show us their phone was secured at least with a password or pattern. They seemed surprised that no one bothered and most people told them they are too lazy to have to swype a pattern to unlock their phones. My suggestion was to custom build some pseudo malware, load it on those flash keys, or a set of flash keys, and leave them around campus. Nothing nefarious would happen to the user who did insert it other than an autorun popup informing them that we could have owned them right there if we wanted. The didn't go with my plan, I might still do it on my own. I'm nice like that, when I taught myself to crack into WEP and weak WPA access points that had the management page accessible over wifi and the default admin passwords set, I promptly change their SSID and passwords, letting them know they need to lock that shit down. I'm nice like that
The USB spec requires that auto-resetting overcurrent protection be provided but it doesn't require it to be specific to an individual port. So a shorted USB device can knock out several ports but is unlikely to bring down the whole computer (unless it's something like a raspberry pi).
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Wouldn't this be fraud? I mean you intentionally break a working device and then claim somebody else has to pay for a new and better one. I highly suspect you could end up in jail if you are caught doing a scam like that.
And hub is connected to the ... ankle bone?
My question is, why would someone want to do this in the first place? Yes, it's possible, but destroying someone's computer is generally not profitable to the attacker. It's much more valuable to take over a computer for a botnet, to steal information, or hold information hostage. So while this is possible, I don't see it ever becoming a real problem. The only situation I could see is in trying to hurt competition or good old fashioned revenge. I have to believe the oldest danger is still the most realistic: hidden viruses that are much less obvious.
People ask on forums that are full of context-experts, instead of reverting to Google/Bing/etc. results that are full of context-amateurs, because they don't want to waste their time becoming a context-expert themselves as they would need to do in order to effectively filter the Google/Bing/etc. results.
Note: if you can post a stupid statement to Slashdot, you should be able to reach your brain and extract the knowledge you have. If there is ever a rare network failure causing you to be able to type but not use your own brain, I would love to see the psychological case study of such an event.
Wow, admitting to felony fraud on a public forum while logged in. Great idea!
The stick could download crap from the network and send it out over the Internet first, then fry the computer when it's done to destroy any evidence.
My suggestion was to custom build some pseudo malware, load it on those flash keys, or a set of flash keys, and leave them around campus. Nothing nefarious would happen to the user who did insert it other than an autorun popup informing them that we could have owned them right there if we wanted.
Don't do it on your own. Don't do it with serious back up and written guarantee for support from higher ups. What you are doing is very similar to finding homes with unlatched/unlocked back porches, walking in sitting in the living room sofa and shouting boo when the home owners walk in. No matter how sensible and helpful your advice is, the homeowners are going to be jumpy, irritated, made to look like fools and they will hate you intensely.
Try to do it differently. Create these USB warning devices as you planned, but give them to students, tell them what it does and ask them to "educate" their friends and relatives. Watermark each device so that they don't prank unsuspecting people.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
It sure is but, as long as it was only a few devices, how would you get caught? You would have to do something moronic like post about it on a forum or something.
"I opened my eyes, and everything went dark again"
OverCURRENT, *NOT* overVOLTAGE.
This is a voltage-based attack. Imagine an ESD except it's deliberately fed into the system instead of accidentally conducted through minor plasma arcing.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This thing might be more dangerous if plugged into one of those portable USB power supply battery packs. Not sure what would happen, but a fire is not out of the question.
And hub is connected to the ... ankle bone?
I tried that. The throughput was terrible. [ 0/10 do not recommend ]
It must have been something you assimilated. . . .
And, yet, it apparently works. As in people have done it before. And, if dropping them in the parking lot doesn't work, stamp a logo on them, put them in a package with official looking marketing glossy, and send them as targeted attacks.
See, the problem is the humans are always the weak links in your chain.
Of course, you can't target what machines might be impacted. But if the general plan is mayhem, that's always easy to achieve.
Lost at C:>. Found at C.
To make it more fair, put an "if found" text document in the root of the USB, then some other juicy folders ("passwords", "account information", etc) and set the thing to trigger the pulses only if those folders are accessed. Then you don't nail innocents who were just trying to find the owner of the stick, and the people who you actually are targeting will be more likely to keep the stick plugged in long enough for it to do its damage.
We had an office thief once. He would take anything and it didnt really matter the value. Shitty old drives, ram, a customers computer we were configuring and other random crap.
I simply connected every line to Vcc on an old IDE hard disk and put it inside of a desk. The person who owned the desk I told them what was going on.
Maybe two days later one of the technicians is complaining that his IDE controller no longer works. He would later admit to some drug problems and a predilection for theft.
Dead USB port, at most. And most (if not all) USB ports nowadays have self-resetting overcurrent protection so there would be no permanent damage.
Label them in large letters 'BACKUPS', and then in small letters underneath 'always make backups!'.
if anything this "wreck the computer" attack seems less useful.
Imagine that you're a CIO tasked with protecting data worth billions of dollars.
Drop a few of these in the parking lot or cafeteria, and write off a few $800 Dells to find and eliminate the employees who cannot be trained to not do stupid things that will severely damage the company.
I'd do it.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Someone left a sledgehammer lying in the parking lot. Cool, I thought. So I picked it up, went inside, then smashed my computer. Whoops, I was fooled.
if anything this "wreck the computer" attack seems less useful.
Imagine that you're a CIO tasked with protecting data worth billions of dollars.
Drop a few of these in the parking lot or cafeteria, and write off a few $800 Dells to find and eliminate the employees who cannot be trained to not do stupid things that will severely damage the company.
I'd do it.
Ya, watch the person you catch to be the CEO.
*raises hand slowly*
"So long and thanks for all the fish."