'USB Killer 2.0' Shows That Most USB-Enabled Devices Are Vulnerable To Power Surge Attacks

Status
Not open for further replies.

The first thing that should make contact with a properly designed USB socket and plug is the shield - pretty hard to avoid when the shield is what helps you line up the plug with the connector. If there is any ESD to discharge, that's where and when it should normally happen. I have never cared about ESD when handling USB devices, I have zapped my ports with static from shield to shield many times (my computer desk is on a synthetic fiber rug and I wear rubber sole slippers) and I have yet to kill any USB device or port.

If you somehow manage to insert the USB connector inside the plug without discharging ESD through the shields, the next contacts to close together are power and ground which typically have very high ESD tolerance, so I would not worry about those either.

I don't worry about ESD for just about any other external cable either since all of the standards that I am aware of are designed such that the shield always makes contact first under normal circumstances.
 
usb ports are everywhere not just pc's. most every computer controlling device has a usb port to upload/change data. atm's, gas pumps, cash registers and just about anything else that has a computer in it has a usb port for access.

however i don't think this is a serious threat, seems like the company is trying to create the market for its product more than anything. sell the device and then a way to check if you are vulnerable. fear mongering at its best going on here.

anything is possible but i don't see many people paying $50 for a device they have to physically be present to use just to mess up a device. especially public places with all the cameras. would not be very hard to catch people trying to sabotage public pc's or other devices. people are spineless wonders and prefer to do their bad stuff under the relative anonymity of the internet.
 
I seem to recall a friend telling me when he plugged a metal-bodied USB stick into a PC. He was holding it at an angle, relative to the port, and a spark jumped to one of the connector pins, rather than to the shield. I don't remember whether it fried his whole board or just the port.

You're right that the shield is usually a good solution. I'm just very sensitized from the bad old days. The worst thing about ESD is that it can damage without completely disabling, depending on what you zap, how, and with how much voltage. Yet another potential source of system instability.
 
Some random thoughts about the headline and the article:

"Most people vulnerable to damage if hit by car". I mean, duh?!

"USB Type-C Authentication" this only helps if the device a) depends on external power, or b) the port is not backwards device compatible. I mean, I'm pretty sure the port will give 5V at up to 500mA to a 'legacy' device...? So in other words, all it takes is an external power-source for this little plug-in device, and poof.

"optocouplers would fix this" No, optocouplers just up the ante in the arms race. Why stop at 200V? Enlarge (and epoxy pot) the device enclosure, and it's trivial to go up to even 20kVDC. (http://www.picoelectronics.com/node/69107 for example, at -10kV, or http://www.emcohighvoltage.com/proportional-power-supply.php for example).

Also, this is all just bull-crap anyway, in the sense that if someone wants to fry a computer like this, there are many other ingress points (audio jack on front or back, legacy ps2 on back, serial port on back, pretty much any connector off the motherboard is susceptible I would think), or is the USB port special in some way as to where it is routed (direct link to CPU for some USB ports?)??
 


...so basically you lock your front door when you leave and change the default admin and password on your wi-fi router? 😉
 

You won't be able to go much beyond 1kV before your output arcs to the ground polygon around the trace, spark gaps to ground built into the board, to the power/ground pins inside the USB connector or the USB shield itself.
 
Basically, "consumers, your technology companies are exploiting you and leaving you vulnerable by not protecting your hardware from very high voltages being supplied by malicious USB sticks (for which we are the major supplier) into components that were never meant to handle such circumstances. Also, in order for someone to use these devices (which, again, we are supplying), they clearly already need physical access to the hardware being damaged, so they don't need the malicious USB sticks to cause irreparable damage anyway, but come on, give us money and acknowledgement"

Seriously, you can only protect these little ports and their tiny little pins from very high voltages and/or currents so much. Sure, we can isolate the computer (or any other device) well enough that the rest of the computer isn't at risk from something that only uses as much wattage as the USB slot can provide, but the ports themselves can still be rendered useless. What good is a phone you can't charge because the USB plug is fried? What good is a desktop with no USB in/out? Laptops may still have their integrated in/out, but that only goes so far, especially when there's no more connectivity beyond WiFi. Besides that, if someone has physical access to your device, this is far from the most efficient way to destroy said device. Blunt force is about $50 cheaper and no less effective when applied properly. Consumers are at little risk from this.

Public machines may be at more risk since plugging in a USB stick is slightly more subtle for a school's or Walmart's security cameras than bringing out a sledge hammer, but even that's a bit of a stretch. Regardless, I'm with InvalidError in that optical data transmission would be a much more effective and practical solution for those who are still concerned, granted that's probably still quite a few years away while this company is apparently doing its best to bring the danger out today while people can still be exploited over it.
 


I read the article. Are you referring to the part of the article where it talks about testers??

"Device manufacturers can buy the "USB Killer Test Shield" to test their products against this type of attack. The device mimics the output functionality of the USB Killer 2.0 device without frying the host. The USB Killer 2.0 can be purchased for $49.95 USD, while the Test Shield can be had for $13.95 USD (free shipping and 50 percent discount for the Test Shield if you buy the two together)."

Quite different from what I was looking for.
 
The USB Protection Shield is a device designed to allow testing of the USB Killer while protecting the host machine. Users can safely connect the shield device and test the USB Killer's output functionality.
So, it allows you to test the Killer, without frying your PC. The point of the Killer is for testing your device. You can't test your device without potentially killing it.

So, I think the shield is exactly a USB surge protector.

Then, what did you mean?
 
How about adding a transient-voltage-suppression (TVS) diode? At -200V nothing fancy would really be required. Zener safe than sorry.

Also, I seriously doubt this would do much damage to a computer besides destroying that USB port.
 
From the article: "Device manufacturers can buy the "USB Killer Test Shield" to test their products against this type of attack. The device mimics the output functionality of the USB Killer 2.0 device without frying the host."

That's what I was going by, the TH article I was commenting on. Apparently this is not correct. The quote you gave did not look familiar... However, upon looking at the manufacturer's site, I found what you were quoting. Even so, the test shield isn't exactly what I was looking for either. Watch this video.

https://www.youtube.com/watch?v=MW1mk68YdJM

Yeah, I'd really like something with a breaker... and no exposed wires. I guess I could build one. But even then, it still doesn't do quite what I want. Seems like it lets it draw power but shunts anything it tries to feed back through the data lines. Yes, it tests to see if the system is vulnerable. Yes, it stops this exact Killer unit from working. What about something that acts as a USB drive and only fries your system when you access the files for a certain amount of time? Or waits for some other event? The test shield wouldn't make any sparks fly in that kind of scenario. So you could determine it is "safe" and then hook it to the machine to examine the contents. Boom. I would want something that allows normal devices to work normally. A true surge protector.

I did find this but it's already outdated (USB 2.0!) and I don't have a Killer USB to test it with.

http://www.l-com.com/usb-usb-surge-protector-type-a-type-a-panel-mount-style-with-pigtail-cable-12
 
Do you know the shield doesn't connect any data lines, or are you just assuming it doesn't?

I assumed it is the surge protector you described, but I can't say I have any proof of this fact.
 
INVALIDERROR photo optical totally defeats being able to charge the device, go back to the drawing board. also we already have photo optical data ports, not enough people use it and it doesn't charge devices maybe you should go research optical digital ports and read some intel/apple product brochures on thunderbolt/lightning/lightpeak ports.
 

It doesn't if you have fiber for data and copper for power only. Protecting high speed data lines from every electrical fault possible is much more difficult due to the requirement to maintain signal integrity than protecting power lines.
 
seems there is already some protection on they, If someone nice would exchange your usb with this one
https://www.indiegogo.com/projects/usb-port-protector-technology#/
 