(Security Affairs – Kill USB 2.0, Physical security)
The Hong Kong-based technology manufacturer USBKill.com has created a USB dongle that can fry any computer it is plugged into by using an electrical discharge. The attack is simple: the USBKill charges its capacitors from the USB power supply and then discharges 200 volts DC into the host device.
The designer of the USBKill presented a prototype last year; that USB device was able to destroy a laptop in a few seconds. Now they have presented the USB kill 2.0, a final release that is commercialized by the USBKILL.com team.
“Our tests reveal that more than 95% of all devices using USB ports will be damaged permanently or completely destroyed by a USB power surge attack,” explained the researchers behind the project, who said they created the USB kill 2.0 for testing purposes. The only device that passed the tests is the latest version of Apple’s MacBook, which uses surge-protected USB ports.
The company says the device has been “designed and tested to be safe,” and warns that it “is a high-voltage device — it is not a toy — and is only intended for responsible adults.”
Hardware developers could use the USB device to evaluate the resilience of their machines against this kind of “devastating power surge attacks” and to prevent data theft via “juice jacking.”
“Any public facing USB port should be considered an attack vector. In data security, these ports are often locked down to prevent exfiltration of data, or infiltration of malware, but are very often unprotected against electrical attack!” reads the press release.
“When the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges — all in the matter of seconds,” the company said in a news release.
Juice jacking is a cyber attack in which malware might be installed onto, or data surreptitiously copied from, a mobile device or other computer device using a charging port that doubles as a data connection.
The USB Kill 2.0 could cause serious damage to the host. Although it isn’t designed to wipe data, depending on the hardware configuration it could have this effect by destroying drive controllers.
“When tested on computers, the device is not designed or intended to erase data. However, depending on the hardware configuration (SSD vs platter HDD), the drive controllers may be damaged to the point that data retrieval is impractical,” the company said in its marketing material.
USB Kill also said the device was created for use by hardware designers of public machines, such as photo booths, copy machines, airline entertainment systems and ticket terminals — anything with exposed USB ports that need to “ensure that their systems resist electrical attacks.”
“Finally, the general public, or anyone who wants to test or kill their own devices should equip themselves,” the company stated. “Penetration testers and security auditors should include the USB kill 2.0 to their arsenal of testing tools.”
The technology manufacturer USBKill.com also offers for sale a USB Protection Shield specifically designed to allow the testing of the USB Killer without damaging the host machine.
The USB Kill 2.0 stick costs around $56, while the Test Shield will go for about $15.70.
USBKill.com “strongly condemns malicious use of its products.”