The USB Kill Stick, Priced at $56, Is Designed To Destroy Laptops, PCs, TVs

There's a new USB Kill device in the market today which can destroy any device it touches. ZDNet reports: For just a few bucks, you can pick up a USB stick that destroys almost anything that it's plugged into. Laptops, PCs, televisions, photo booths -- you name it. Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in a matter of seconds. On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware." You might be forgiven for thinking, "Well, why exactly?" The lesson here is simple enough. If a device has an exposed USB port -- such as a copy machine or even an airline entertainment system -- it can be used and abused, not just by a hacker or malicious actor, but also electrical attacks.

So?

[Hizonner]

Whoopee. I can hit it with a hammer for free, or plug it into the power line for a couple of bucks.

Re:So?

[110010001000]

Argh, I was going to sell them my hammer for $55! Stop undercutting my price!

Re:So?

[Spy+Handler]

If you put a hammer inside a box marked "Newegg" and send it to someone, upon opening the box he will most like *not* use it to destroy his computer.

But if you do the same thing with a USB stick zapper, there's a pretty good chance that he will stick it in his computer and end up with a fried computer.

Re:So?

It would be a terrible shame if law enforcement personnel were to illegally confiscate and subsequently attempt to read the contents of USB devices which immediately destroyed whatever they were plugged into. It really would be a shame. -PCP

Re:So?

[Miamicanes]

Unless the USB hub is optoisolated, that might not be good enough.

Re:So?

[Hizonner]

Something that's smashed will probably have to be replaced even if it still works, and it's easy to assess whether you've stopped it from working. And "any idiot" is more likely to fry the USB port with that thing than to put the whole machine out of commission. They are VERY UNLIKELY to kill the contents of the hard drive, if that's what you mean by "be recoverable".

As for the wall, my power line still works, and so do lots of other things, even if it's on the end of a long cable. The piezo igniter from a $5 barbecue lighter, say. The piezo can also be quiet and inconspicuous if that's what you want, it has higher voltage and very possibly more current. Still unlikely to make the data unrecoverable, though.

Anyway, most devices are not behind walls, and if you ARE putting it behind a wall, you SHOULD be protecting the USB port from this sort of obvious electrical attack.

The point is that damaging things is easy. I could pop parts off a lot of motherboards by putting the intact devices over my knee. On a more robust device, if you have access to a cooling vent and the thing is turned on, you can go ahead and pee in it, and you'll probably do worse harm than you'd do with that thing. Or dump a bit of salt in your orange juice and dump that in. It's plausibly deniable; you don't have a dedicated destructive device to dispose of.

I'm just not seeing very many plausible situations where that device would be a go-to choice for a vandal.

Re:So?

[Hizonner]

I already have a hammer. Sunk cost.

Re:So?

[Hotawa+Hawk-eye]

Picture what would happen if on Election Day someone were to plug one of these into an electronic voting machine on which the election officials had accidentally left the USB port exposed. Fry the machine, quickly pocket the stick, call election officials over (or just walk away) and you've slowed voting at that polling place by reducing the number of machines, potentially forcing them to switch to paper ballots. Election officials might question why you're carrying a hammer with you into the voting booth; they're unlikely to ask you to turn out your pockets so they can inspect any USB drives you may be carrying, and a USB drive is easier to hide than a hammer.

Re:So?

[phantomfive]

The Ethernet Killer is probably worth mentioning, too.

Re:So?

I'm sure if you explain to the police not to take your stuff and plug it in because it would destroy their equipment, they'd still plug it in anyway and have no one to blame but themselves, legally.

But of course that doesn't stop them from just killing you in retaliation. They know they can get away with murder. In fact they're apparently rewarded for it with big chunks of paid time off, and no criminal charges.

Re:So?

[WolfgangVL]

Wait, full stop. Your saying when my shit is confiscated and used against my wishes in an un-intended application by an uninformed outside operator (read: not me) I am somehow liable when this not me person uses it wrong and asses up his own gear? What about my right to remain silent? What if its labeled PERSONAL?

What if I straight up TELL the border control agent -
"This thumbdrive is dangerous and will kill his computer, do not attempt to view the contents?"

This is a real honest question. No snark.

I love the idea of a nasty little red herring hiding in my personal private papers and effects.

Re:So?

[Kohath]

Give it to Customs Enforcement when they demand access to your data. Or include it in the box when your records are subpoenaed.

Re: So?

[cheater512]

Fuses work for high current. Not high voltage. That's why multimeter protection circuitry is so complicated.

Fuses are also cheap. Mov's and spark gaps aren't so much.

Re:So?

[rtb61]

Almost but not quite there. Just mark all your USB drives "DANGER! Do Not Use - Will kill Computers!" and just keep track of the one that will and don't use it.

Re:So?

[WolfgangVL]

You're being an overthinking idiot. If you have a bomb that looks like a brick, and hand it to a guard and say that it's a bomb, you're going to be charged with whatever destruction the bomb does, not get cool props for handing over something that looks like a brick.

But that's not what happens in my fiction. I've not handed anything over. Somebody has decided they have the authority to take it from me, and use it against my wishes, while ignoring my warnings. This piece of tech is not illegal to posses.. and its also not a bomb.

I'll try a new, more fun fiction, and roll in a car analogy cuz slashdot-

      Hillary has modified her Mazda to go from 0-60 in 3 seconds, and to have non-functioning breaks. She did this for the purpose of auto crash research relating to older model seat-belts. She has her papers in order and has paid for all of the appropriate bribes, fees, and licenses.
There is nothing wrong with this as long as she keeps off the public roadways and conducts her research in a controlled lab environment. Her license and fees paid says so.
While transporting her crash-dummy-death-machine on an approved and licensed trailer, it is "civilly forfeited"
She tells her assailant that it is not safe to drive, but he speeds away down the road.... right into a burning Tesla, a BLM protest, and Trumps motorcade

These events have been completely out of her control, and she's even tried to warn them off. Is she still liable?

Re:So?

[AmiMoJo]

I've been thinking about ways to make a self destructing USB flash drive for a while. Law enforcement always uses a dongle to block writes to the drive while they make a forensic image. Seems like you could program the drive controller to detect that (say more than 1MB read with no writes after power up, normally Windows will try to update the last access date) and self erase.

As the saying goes...

[Hognoxious]

If you have physical access to the device, you can beat the fucking shit out of it with a rock.

Re:As the saying goes...

[MobyDisk]

Yes, but this only requires physical access to another person who has physical access.

As a kid, I always joked about making a "deaths head disk" which would be a floppy disk that would go up in smoke. You would put 1/2 of a flammable chemical combination on the inner rings of the spinning disk, and the other 1/2 on the outside rings. When the drive spins the disk, the chemicals mix, producing *boom*.

Re:As the saying goes...

[Hans+Lehmann]

He's talking about a floppy disk. Yes the heads touch the disk.

Re:As the saying goes...

[0100010001010011]

Sometimes you don't have physical access to a device but physical access to a person that does. Label this "Vegas Photos" and drop it in a parking lot.

Is it evil if...

[grilled-cheese]

Is it evil if I were to buy several of these, scratch the warning off, and leave them around the building/parking lot after a computer security meeting just to see who plugs it in first?

Re:Is it evil if...

[PRMan]

Label it "Porn Collection" and leave it on the ground in the parking lot...

Re:How is this different from any other form of...

[Obfuscant]

How is this different from any other form of vandalism?

It's not. It's not "security testing", it's not something an honest "security tester" will have in his "toolbox". It's vandalism and destructive behaviour pretending to be respectable activity.

How DARE anyone expose a USB port where something can be plugged in for some legitimate purpose? Those money grubbing airlines who are putting USB charging ports on their seat-back systems so you can power your mobile device while on a four hour flight -- how DARE they! And those charging ports that are starting to show up in the waiting areas for those flights? They deserve to be taught a lesson. Kill anything with a USB port on it. It's "security testing" to see if they can survive. Who cares if the service they were providing goes away?

"Because I can" is not an excuse for destroying other people's property. "TV-B-Gone" is an annoyance; destroying someone's $1000 laptop because they fell asleep next to you on the airplane while it was running and it happened to have an open USB port is pathetic. There is no legitimate purpose for this thing. If you need ESD testing for your own hardware designs, use the appropriate tool. ESD testing other people's stuff is, and should be, criminal.

Less malign devices

[phorm]

I wonder what other fun things you could do with a USB-charged capacitor, preferable things that don't cause actual damage.
How about a tiny speaker that plays in a loop
  "This idiot just plugged in a hacked USB device!"

Re:Fairy dust and unicorn dreams.

[rahvin112]

Didn't see the You-tube video of the concept version of this being demoed on a laptop did you? Fried the screen and board in the first pulse and took out the power system and everything else with the second (each pulse takes about a second to charge and release). These things are not pushing a 10V signal on a 5V line, they are pumping a 230V charge into the port with magnitudes more amperage than static electricity, the simple over-voltage protections on current USB ports can't protect against this.

A real solution to a device like this will require a far more robust design on the over-volt protection on the ports. Something that can resist 200V+.

Re:Turnabout is fair play

[MobyDisk]

Ahh, but I could make a USB kill stick that kills USB ports that kill 'kill sticks.' It would protect the data lines, sense the way-too-high voltage coming in on said lines, and counter it with a power source having *bigger* voltage and substantial current capacity.

Re:Properly designed

[Miamicanes]

And clamping diodes & fuses pretty much eliminate any possibility of ultra-ultra-ultra high-speed serial ports, so kiss Thunderbolt, USB 3, and everything else goodbye. And probably wouldn't help much, anyway, since everything downstream from the port will likely be fried by the time the fuse finally melts & opens the circuit back up. If, by some miracle, a MOV wouldn't screw up gigabits-per-second-per-balanced-pair data transmission, most users are STILL looking at what's effectively a total loss because those MOVs rarely are easily-replaceable without at least intermediate-level electronics skills.

Re:Turnabout is fair play

[OrangeTide]

what if my USB port detects kill sticks and sprays you with pepper spray and calls the police?

This is why we can't have nice things.

[jellomizer]

Because there is always some asshole who feels the need to break stuff.
These public USB Power ports were set up as a convenience for the public and the customers, so that Doctor can have his phone charged so he doesn't miss that life saving call. They are giving us free energy to power our mobile devices. The TVs to entertain us, while we are stuck waiting. But no there has to be some jerk who needs to find a way to break it. We can't have an infrastructure for new technology now, just because it can be broke.

Now this device is just for bad people to do bad things, there is no good in it. It isn't even good enough for properly destroying technology as for the most part it will probably just damage the USB interface card and not reliably break the rest of the system.

Re:This is why we can't have nice things.

[gTsiros]

welcome to greece and other underdeveloped (mentally and socially) countries, where you can't have any conveniences because there are too many assholes that break stuff just because it's there (wouldn't that make them psychotics? There must be a DSM-V designation for people who have a habit to damage public property.) and too few people who are willing to step up to them.

Re:This is why we can't have nice things.

[Gussington]

A doctor is traveling the battery on is phone is getting low while waiting for the connecting flight he wants to charge up his phone. But no... Some idiot decided to fry the USB charging station because it makes him feel like a big man. So the phone dies.

What imaginary universe are you living in that someone's life is dependent on only one doctor who happens to be at an airport with a low battery, and no wall charger, only a USB cable hoping the few USB are not in use or broken, and who can save a life with just a phone conversation that no other doctor could give? Seriously, you think this is how medicine works?

There's nothing like inventing unrealistic use cases so you can get angry about it...

Re:Ugh, Sometimes I hate people

[harrkev]

As an EE, I have some experience with this. I really do digital logic chip design, and leave the design of the IO pins to the analog guys (and I am NOT an analog guy)...

However, pins are designed to dissipate excess charge using the "human body model." The specification is charging a small capacitor to a few thousand volts and dissipating that into a pin. Since the capacitance is small, the total amperage is very small. There are zener diodes built into IO pads that can handle this small amount of current. An ESD event will only last for the barest fraction of a second. Now, if you actually intentionally put too much voltage across pins for a prolonged period of time, I can easily imagine those zener diodes dying. Once that happens, the voltage will start to play merry hell with the logic.

I also did some government (military) work a decade ago. With those systems, you generally hardened them against EMP pulses (don't want a nuke taking down your electronics), so we used something called "transorbs.". Basically, these are big, beefy external zener diodes that can clamp this type of event. HOWEVER, from what I recall, those diodes put too much capacitance on the line, which would do very bad things to high-speed data lines, such as the ones found in USB data lines. Transorbs are great for things like low-speed serial port lines (which explains standards like MIL-STD-1553. I do not know if transorbs have improved much (not done that sort of thing for 10 years), but these are the types of problems you have to face when dealing with something like this -- the devices needed to protect your USB ports might just make your USB ports unusable.

technical specs

[thygate]

"-200VDC is discharged over the data lines of the host device." is all it says, but the charge will be tiny, i find it doubtful that this will do anything beyond maybe fry the usb controller or possibly some diodes.

Re:Fairy dust and unicorn dreams.

[SuricouRaven]

Yes, all VLSI chips have diodes on every single output pin. Except the really, really high-frequency pins. But these diodes are tiny and delicate things. They provide only a moderate level of protection.

slot machines with usb changing ports

[Joe_Dragon]

slot machines with usb changing ports seems like a like some may want to destroy after losing big. I do hope they have there own power source.

Re:slot machines with usb changing ports

[Fnord666]

slot machines with usb changing ports seems like a like some may want to destroy after losing big. I do hope they have there own power source.

Because vandalizing a slot machine worth enough money to make it a significant felony in one of the most surveiled places in the world where it will be immediately obvious is a great idea.

Re:Ugh, Sometimes I hate people

[thegarbz]

Without knowing the details of the device hard to say if current standards are enough protection

Enough protection for what? The USB standard provides basic requirements to ensure compatibility between the devices and with a standard use case. e.g. Requirements around voltages and currents into and out of the socket. The design of the plug and socket includes a grounded outer shell to prevent static discharge from the body hitting the datalines when touched. There's a whole chapter in the standard on current limiting, and most reference implementations of USB controllers now provide polyfuses as downstream devices clearly don't obey the USB standard very well (e.g. Hubs feeding +5V into the upstream port).

Now the key thing here is that there's almost nothing you can do to protect the USB socket against this attack in a way that is re-settable. This little device is designed specifically to kill polyfuses and protection diodes by applying -100V pulses to the data lines repeatedly until even the best of these protection circuits will break down.

It's an incredibly targeted attack and not something you can fix by massaging the standard.