Site icon Sophos News

USB pen-testing stick: what happens if it falls into malicious hands?

Back in September, many tech publications highlighted a killer stick: a USB stick marketed to pen testers and law enforcement that could be used to test the surge protection circuitry of electronics.

Test, or, as the case may be for devices lacking surge protection, zap to death.

The so-called USB Killer – which comes from a Hong Kong company – looks like a standard USB drive, but it’s actually filled with capacitors.

Once you plug it in, the USB Killer rapidly charges all those capacitors from the USB power supply. Then, once it’s full, it turns around and electro-vomits all that power back into the drive. It works in a fraction of a second, frying circuits in laptops, PC monitors, photo booths, kiosks, or even cars.

The charge/discharge cycle is repeated many times per second, until the USB Killer is removed, leaving about 95% of all devices partially or permanently damaged. According to Bleeping Computer, the only products that could withstand USB Killer 2.0 were recent MacBook models, since they optically isolate the data lines on USB ports.

Here’s one of many YouTube videos of the near-instant death throes of a sitting duck non-MacBook:

But wait, there’s more. It gets worse. Or better, depending on whether you’re a fryer or a fryee.

The company has released USB Killer Version 3 (PDF), and it’s deadlier than ever. The new kill stick has a higher voltage and amp output, and its pulse rate, which can ramp up to 12 times a second, is 3x higher than the previous version.

Plus, there’s this: Apple devices are now reportedly sitting ducks too. USBKiller.com is now shipping an adapter kit that allows users to zap devices via microUSB, USB-C, and (the proprietary Apple) Lightning ports on the iPhone 5/6/7. Beyond those iPhones, the adapter kit will also enable the murder of iPads, other phones, tablets, and digital cameras.

All of this mayhem, for so little cash: you can still pick up the latest version of USB Kill for €49.95, or about $54. The adapter kit goes for €14.99, or about $16.

If you’re not aware of these USB devices yet, now’s the time to learn. The story highlights how vulnerable our publicly available USB ports are.

But it’s also another reminder that we should never plug in mysterious USB drives we find kicking around… Or that pop up in our letterboxes, as was the case recently when cybercrooks in Australia tried to trick people into plugging them in and thereby downloading malware.

What makes the scenario even scarier is that USB Kill now comes in two flavors: its regular version, with the logo of a skull and crossbones, or an anonymous, discreet, unlabelled version.

All the better for pen testers who don’t want to call attention to their activities, according to the marketing – although it’s worth pointing out that the manufacturer makes it very clear that it “strongly condems malicious use of its products”.

Or to crooks who want to destroy our expensive gear without calling attention to the devices that do it.


Exit mobile version