About a year ago, one Russian hacker showed how a tool that looks like a small USB drive could disable any electronic device with a USB port. This “USB Killer” worked by sending a high-voltage charge through a USB port, effectively frying the internal components.
Now, a Hong Kong company going by the name of USBKill.com has created a similar device called the USB Killer 2.0, and it is making it commercially available to anyone. The company is also releasing another product called the USB Killer Test Shield, which can be used to test devices to see if they are vulnerable to the first device.
The reason for releasing the product, company officials say, is to shine a light on the shortcomings of hardware manufacturers. They say that although the danger of these devices has been known for some time, little has been done to increase product safety.
“To this day, according to our testing, the only company that releases hardware protected against a USB power-surge attack is Apple, on their Laptop and Desktop ranges. This means – despite adequate warning, and time to respond – the majority of consumer-level hardware manufacturers choose not to protect their customer’s devices. We are disheartened by this lack of respect for customers,” said the company in a blog post.
USB Killer 2.0
The USB Killer 2.0 works in a similar way to the original model. After being plugged in, it quickly gains a charge through the USB power source and then discharges it back through the host device’s data lines. The process can take as little as one second and persists until it is removed from the machine.
The process effectively fries the inner components of any machine with a USB port, rendering it useless. The company is selling the USB Killer 2.0 for $49.95 and the Test Shield for $13.95; however, consumers can get free shipping and a 50% discount if they buy the products together.
“As is standard in the InfoSec industry, we are releasing the USB Killer 2.0 publicly, after one year of disclosure. We hope the attention will force manufacturers to respect a customer’s investment in their product, and work to resolve the issue,” the company said.
Protecting against attack
Current protections against this type of attack are lacking, but tech companies are trying to create new ways to counter the threat. For example, experts are currently working on USB Type-C Authentication, which would stop unauthorized devices like a USB drive from connecting to a host device. However, some experts say that it may not be the best solution.
“Nothing would stop a would-be attacker from duplicating a signature – and I would imagine that it would depend on the implementation. If the host device allows any type of communication via the data lines, this could be vulnerable to a power surge,” said Steve Benson of USBKill.com.
Instead, Benson says that a cheap component that is used on Apple devices, which are already safe from such attacks, provides the best means of protection.
“The ultimate solution, and that which vendors in the enterprise field (and Apple, in the commercial field) – have implemented – is the humble optocoupler: a plentifully available, cheap component – made exactly for this purpose.”
What to do
While these new additions may aid consumers in the future, many will probably be wondering how they can protect themselves now. Luckily, by following a few basic steps, anyone can ensure that their device is kept safe from these types of attacks.
First, consumers should never trust any piece of unknown hardware. Unless you’re certain about what a device does and it comes from a trusted source, you shouldn’t use it with any of your own belongings.
For those worried about others plugging malicious devices into their electronics, using a USB condom or capping the USB ports can ensure that they are protected from outside influences.