Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/11/2020
10:00 AM
VP Pai
VP Pai
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Rule of Thumb: USB Killers Pose Real Threat

They look just like a USB thumb drive, but instead of storing data, they can be used to destroy it and the device the data is saved on.

Authorities are closing in. The double spy needs to destroy the data and bail before authorities get into the room or he’ll be finished. As they get closer, he plugs a small gadget into the computer, which instantly starts zapping and smoking. The spy climbs out the window to his escape.

It's a movie scene most of us have seen in one form or another. Nowadays, almost anyone can destroy a computer with just a simple online purchase.

The weapon? A Universal Serial Bus (USB) Killer. It looks just like a USB thumb drive, but instead of storing data, it can be used to destroy it and the device the data is saved on. The USB Killer does this by sending high-voltage power surges into the device once it's connected.

Makers of USB Killers say they sell them so people or companies interested in testing their devices for protection against such attacks can do so. But that also means anyone with ill intent can just as easily acquire one.

For example, in April 2019 a former student of the College of Saint Rose in upstate New York, pled guilty to destroying 59 computers at the college campus using a USB Killer. This little device caused some $50,000 in destruction. According to other sources, he also destroyed seven computer monitors and computer-enhanced podiums.

In addition, according to June 2019 research from Dell and Forrester Research, nearly half of companies surveyed had experienced a hardware-level attack in the 12 months prior. Of these attacks, nearly half were internal incidents and the result of accidental or user error, an attack involving a business partner, an attack within the organization, or a malicious internal threat.

How a USB Killer Works
USB Killers are based on a prototype allegedly designed by a Russian researcher, Dark Purple, with the purported intention to destroy sensitive components on any computer. When a USB Killer device is plugged into a USB port, it collects power into its own capacitors from the USB power source of the devices. It does so until it reaches a high voltage. When it's done, it discharges the collected high voltage negative 220 volts onto the USB data pins. It's estimated the currently available USB Killers can generate a voltage of 215 to 220 volts. This damages or destroys the circuitry of the host device. 

This collection of high voltage in its capacitors happens rapidly. In addition, the charge/discharge cycle repeats many times per second so long as it remains connected and hasn't destroyed the device to the point it can't charge itself.

As a result of this process, practically any unprotected device is likely to succumb to the high voltage attack. USB sticks have long been used as a delivery mechanism for ill will, including to infect systems with viruses. This is likely because they are simple and cheap to design and acquire. They are also commonly used by unsuspecting people to store and transfer data.

Stopping a USB Killer
Supposedly, creators of the USB specification have addressed the vulnerabilities of a USB Killer with a new software-based cryptographic authentication protocol. This is for USB-C authentication and would help protect against such an attack by preventing unauthorized USB connections. However, there are already claims this protocol can be bypassed.

Device designers do have some options to include more hardware-based circuit protection. (Editor's note: The author's company is one of several providers of circuit protection components.) However, in many cases, designers unfortunately opt to save the extra pennies per device it would cost to do so. Still, extra circuit protection is highly beneficial in key markets — for example, in the medical device market, where a system's uptime can be life or death. In addition, some aircraft electronic systems have USB interface ports, and a person could easily damage the entire passenger infotainment system on a plane and any third-party device that is connected to the same USB line. Industrial or building systems equipment that is susceptible to disgruntled employee backlashes might also be a worthwhile target for extra circuit protection.

System designers can take some immediate steps to protecting their hardware by disabling unused USB ports or capping them so they’re more difficult to use. Some companies have also attempted to ban external media used on internal company systems. One reason: Employees often use USB memory sticks to take a file with them to work on at home. However, if not properly administered it can also lead employees to upload files to the cloud, which brings about additional security concerns.

From the cost of damage to physical systems to the risk of losing critical data, the threat posed by USB Killers is very real. Don't let your organization become the basis for the next blockbuster movie.

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."

VP Pai is vice president of ProTek Devices. Prior, he worked at Intersil and Harris Semiconductor in various senior management roles. He has been in the semiconductor industry since 1978. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.