'USB Killer 2.0' Shows That Most USB-Enabled Devices Are Vulnerable To Power Surge Attacks


InvalidError


You aren't going to be doing much 'espionage' by frying USB ports and computer chipsets.

Using photo-couplers to prevent surges from destroying electric transceivers and chipsets at the end of the data line could prove difficult on USB3.x and other high-speed interfaces that require much faster and more expensive devices. While putting photo-isolators everywhere may prevent the attacker from casually frying the PC, that won't stop him from frying every isolator on your PC and still rendering your PC unusable unless your motherboard has user-replaceable isolators.

The simplest and most foolproof way to completely eliminate voltage injection issues would be to have an optical USB and PCIe spec for external devices.

The same "attack" would most likely work through most other external electrical connections as well. Even those with ESD protection networks will still fail if the "attack" provides enough current to blow the protections out.
 
So, if someone has to physically put this USB into the computer to fry it, just don't let that person do it. People who do malicious stuff like this like to do it over the Internet, but in person, they will fail to decimate the machine.
 

razor512

The goal is, you build one and place it in a normal looking USB flash drive enclosure, and then you leave it in a location where flash drives are commonly stolen.
 


Well, people shouldn't steal. So in a way it's almost like their punishment.
 

InvalidError


You find a USB drive lying on the ground or anywhere else where you are unlikely to find the owner and pick it up. Is that stealing? You end up with a dead computer or other gadget either way.

 


What dude is going to leave computer-destroying USB drives on the ground? That's just wasting money and they're not getting anything out of it.
 

InvalidError


If you hate your boss, your ex, your neighbor, you may be tempted to 'accidentally' drop one in an area where (s)he's likely to be the first one to find it.

Some people don't mind collateral damage and wasting money to get some satisfaction.
 


Ehh, I don't know. I took a criminology course, and the primary thing they wanted to get into our brains is that criminals don't plan out elaborate things like that. Of course there are rare occasions where crime is planned, but I don't possibly see this USB thing becoming a relevant issue where motherboard manufacturers need to become concerned. People should be much more concerned about the dangerous PSUs out there and regulating that stuff out of the market but this little USB thing seems to get more attention.

I think of this USB thing as a bomb. You can blow up your computer, literally. Just as you can put that USB in and kill it. Sure, you might not know the USB is a bomb, but I still see this being an extremely rare scenario, extremely rare.

But the number of PSUs out there killing hardware vs the number of USB sticks killing hardware is probably in a 100,000:1 ratio.
 

InvalidError


Tell that to the guy who used a calendar watch as the trigger for a bomb he put in his neighbor's basement under the dining room to blow his house up several months after the fact. IIRC, he failed to kill them because the watch drifted by several minutes and missed dinner time.

Some criminals do come up with sophisticated schemes.
 

alextheblue


So for power delivery you propose they use an external cable connected to an external power block? Cause that would be useless as flock. If you deliver power over the cable... you're back to square one and the article still applies to devices that are unguarded.

What someone should do is release an affordable external USB surge protector capable of dealing with "attacks" like this - for handling devices of unknown origin. Then you don't have to worry about cooking any protection circuitry on the device itself. Doesn't prevent direct sabotage but if they have access to your device while you're not around they could just as easily spill water over it and whack it with a brick.
 


That's what I said, it's rare for it to happen, and not a reason to make the whole motherboard industry go nuts.
 

targetdrone

I'm more worried about poorly manufactured USB-C to USB-A adapters/cables frying a computer or charger than a deliberate attack on my computer, which BTW has better physical security compared to the private computers of some government officials.
 

targetdrone



Mossad agents working in an Iranian nuclear facility. ;) ;)
 
The Hong Kong company, which prefers to be referenced as USBLamers.com to English speakers, also noted that other device makers had one year of warnings that such power surge attacks were possible, and that so far it has acted according to responsible disclosure best practices.

This is complete BS. They expect one year to be enough time for everyone to replace all existing motherboards and other devices with a USB port made in the last 20 years? Obviously that would be complete nonsense. Even if manufacturers were to have addressed the non-issue within that short period of time, people aren't going to instantly replace all their USB-enabled devices due to the extremely rare possibility that someone might use something like this on them.

All this company is interested in is selling devices that create their own problem. The devices make it possible for someone to discreetly damage equipment, whether in kiosks, computer labs, stores or wherever, without any technical knowledge. And really, it fails as a testing device. Even if a manufacturer were to test their products to withstand this device's 200 volt surge, what happens next year when "USB Killer 3.0" comes out, and provides a 2000 volt surge? Or maybe a device that surges an SD card slot or headphone jack? With an onboard battery, it wouldn't even need to get its power from the port in question. Defending against something like this is a bit like defending against someone taking a hammer to your devices.
 

atheus

This whole thing seems intensely stupid to me. Destroying a computer you have physical access to does not require a USB device. Try a hammer. Has anyone sent out a notice indicating that if you stick the stripped wires of an AC power cable into your USB port that it will fry your motherboard? What about water or various acids? Perhaps there is money to be made off of a computer-killing squirt gun filled with soda water!
 

Zaxx420

That thing could cause serious injury...to the user if he fried one of my toys. Nasty lil piece of work to be sure. Obviously it'd fry the usb controller/chipset...wonder about the CPU, RAM etc....
 
Waste of time, you get none of the yummy data on the device for your efforts.

My friend mentioned the Surface Pro 2/3 can handle a surge. I have not confirmed this, he is my only source.

How about designing a USB device to hold data that should be kept secret? If it's plugged into an unknown host it sends 1000s of volts of electricity to the unknown host. Perhaps you could disable the electrocuting shock with a password you enter into the USB stick before inserting it into a host? Imagine a set of 4 buttons that must be tapped 16 times in the correct order to render the device safe.
 

InvalidError


Imagine frying your PC because you entered the wrong password by accident or forgot to unlock the drive before plugging it in. It would make more sense to fry the storage device itself after a set number of authentication failures. A simple way to destroy data is to encrypt a device and erase the encryption key - as secure as a full-drive secure-erase at negligible cost and effort.
 

bit_user

The concern that IE is painting is that this could be used by a disgruntled worker/ex-lover/etc. or perhaps as a failsafe to cover tracks or buy time in some espionage situation. This isn't a likely tool for dumb crooks.

In practical terms, I think the manufacturer is playing up the threat to help sell their hardware. I don't expect the majority of consumer devices to add protection, since it would add cost and the risk is so small.

I do worry about the level of ESD protection on USB ports, but I try to ground myself before touching the device & haven't fried a USB port yet.
 

bit_user

BTW, thanks to Lucian for the SyncStop link. I had the idea for something like that, when BadUSB was announced. I looked for it, a few times, but this hadn't caught my attention. I will actually buy one, because a lot of USB drives get passed around at work (we need them to move data between machines that are on isolated networks, for testing purposes).

Yeah, one wonders how much of a car's electronics it could fry, now that many cars have USB ports.

I'd rate the risk as low, because my limited understanding is that cars have discrete components which are networked together. So, you might fry the audio, but there'd be enough electrical isolation between it and the critical realtime control systems that they wouldn't suffer collateral damage.
 

bit_user

The article says the maker of the USB Killer 2.0 is also selling USB Shields.

Absolutely noooo conflict of interest, there. Perhaps they also make or have some stake in component manufacturers that make protected USB port components.
 


Hmm 3 of my USB ports are actually fried (erratic behavior, power cuts in and out).
 