Back in September, many tech publications highlighted a killer stick: a USB stick marketed to pen testers and law enforcement that could be used to test the surge protection circuitry of electronics.
Test, or, as the case may be for devices lacking surge protection, zap to death.
The so-called USB Killer – which comes from a Hong Kong company – looks like a standard USB drive, but it’s actually filled with capacitors.
Once you plug it in, the USB Killer rapidly charges all those capacitors from the USB power supply. Then, once it’s full, it turns around and electro-vomits all that power back into the drive. It works in a fraction of a second, frying circuits in laptops, PC monitors, photo booths, kiosks, or even cars.
The charge/discharge cycle is repeated many times per second, until the USB Killer is removed, leaving about 95% of all devices partially or permanently damaged. According to Bleeping Computer, the only products that could withstand USB Killer 2.0 were recent MacBook models, since they optically isolate the data lines on USB ports.
Here’s one of many YouTube videos of the near-instant death throes of a sitting duck non-MacBook:
But wait, there’s more. It gets worse. Or better, depending on whether you’re a fryer or a fryee.
The company has released USB Killer Version 3 (PDF), and it’s deadlier than ever. The new kill stick has a higher voltage and amp output, and its pulse rate, which can ramp up to 12 times a second, is 3x higher than the previous version.
Plus, there’s this: Apple devices are now reportedly sitting ducks too. USBKiller.com is now shipping an adapter kit that allows users to zap devices via microUSB, USB-C, and (the proprietary Apple) Lightning ports on the iPhone 5/6/7. Beyond those iPhones, the adapter kit will also enable the murder of iPads, other phones, tablets, and digital cameras.
All of this mayhem, for so little cash: you can still pick up the latest version of USB Kill for €49.95, or about $54. The adapter kit goes for €14.99, or about $16.
If you’re not aware of these USB devices yet, now’s the time to learn. The story highlights how vulnerable our publicly available USB ports are.
But it’s also another reminder that we should never plug in mysterious USB drives we find kicking around… Or that pop up in our letterboxes, as was the case recently when cybercrooks in Australia tried to trick people into plugging them in and thereby downloading malware.
What makes the scenario even scarier is that USB Kill now comes in two flavors: its regular version, with the logo of a skull and crossbones, or an anonymous, discreet, unlabelled version.
All the better for pen testers who don’t want to call attention to their activities, according to the marketing – although it’s worth pointing out that the manufacturer makes it very clear that it “strongly condems malicious use of its products”.
Or to crooks who want to destroy our expensive gear without calling attention to the devices that do it.
Anonymous
Would a “USB Condom” that removes the data lines and only leaves the power lines (used to charge your devices from USB ports you don’t fully trust) also protect against these? Or would they still fry away?
Anonymous
Not sure what good that would be. You see an unidentified usb stick – you stick a condom on it, plug it in, and nothing happens because the data lines are blocked. It may or may not have been a usb killer. It may or may not have data, so now what do you do? The condom would only help when you KNOW that it’s a usb killer, yet you still want to stick it in?
Jeff
The FAQ page for the USB killer says “When plugged into a device, the USB Killer rapidly charges its capacitors from the USB power lines. When the device is charged, -200VDC is discharged over the data lines of the host device.” Assuming that’s correct, a USB Condom would protect the USB port provided that it could insulate a 200 volt pulse (if the insulation of the USB Condom broke down at 200 volts, it wouldn’t protect the data lines). However, if the USB killer actually dumps the 200 volts back on the power lines, or is changed int the future to dump to power (perhaps in addition to the data), there would be a risk to your computer/phone, etc., even though you were using the USB Condom, as the power lines may not handle 200 volts.
I also agree with the other reply — even if the USB Condom protected your PC (phone, etc.), there’s no value, unless you try to listen to the clicking sound and decide from that if the device is a USB killer or not. And trying to figure out if it’s a killer by listening to it seems like a risk in case it does (now or in the future) dump high voltage to the power lines. Better I think to practice safety and not plug in anything unknown or from an unknown source.
Johnkzin
Simple:
A) put a circuit breaker on all of the lines
B) put a current monitor on the lines that measures both direction and amplitude of the current on all of the lines.
That second part will tell you if you’ve got a USB killer or not. He first part will keep a USB killer from bypassing your USB condom.
John C.
I have a hard time imagining a legitimate use for this little bit of nastiness. Pen testing is not usually supposed to destroy the system it’s testing. Is it really “marketed to pen testers and law enforcement” or is that just a claim the seller uses to deny their culpability in the crimes committed with it?
Elliott W
Sounds like time for some enterprising EE to come out with a cheap USB tester. If really clever it could also prevent auto-booting software too…
jkwilborn
I have no clue why law enforcement would even want one around for any reason…
Jaque Blaque
Struggling to see what this has to do with penetration testing. This is a sabotage tool. The purpose of penetration testing is to evaluate security, identify weaknesses, and provide feedback to the stakeholder(s) so they can be addressed. So, as a pen tester, you couldn’t break into the customer’s production environment but you were able to fry all their machines via their USB ports? What exactly did that prove? Why not just set the building on fire? You can tell the police you’re not an arsonist, just doing important cybersecurity work. They’ll totally understand.