Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Portables (Apple) Hardware Apple Technology

The 'USB Killer' Has Been Mass Produced -- Available Online For About $50 (arstechnica.com) 243

New submitter npslider writes: The "USB Killer," a USB stick that fries almost everything that it is plugged into, has been mass produced -- available online for about $50. Ars Technica first wrote about this diabolical device that looks like a fairly humdrum memory stick a year ago. From the report: "The USB Killer is shockingly simple in its operation. As soon as you plug it in, a DC-to-DC converter starts drawing power from the host system and storing electricity in its bank of capacitors (the square-shaped components). When the capacitors reach a potential of -220V, the device dumps all of that electricity into the USB data lines, most likely frying whatever is on the other end. If the host doesn't just roll over and die, the USB stick does the charge-discharge process again and again until it sizzles. Since the USB Killer has gone on sale, it has been used to fry laptops (including an old ThinkPad and a brand new MacBook Pro), an Xbox One, the new Google Pixel phone, and some cars (infotainment units, rather than whole cars... for now). Notably, some devices fare better than others, and there's a range of possible outcomes -- the USB Killer doesn't just nuke everything completely." You can watch a video of EverythingApplePro using the USB Killer to fry a variety of electronic devices. It looks like the only real defense from the USB Killer is physically capping your ports.
This discussion has been archived. No new comments can be posted.

The 'USB Killer' Has Been Mass Produced -- Available Online For About $50

Comments Filter:
  • by Anonymous Coward on Friday December 02, 2016 @08:27PM (#53412641)

    I tried it on my laptop, desktop, and phone. And it does not respond. Matter of fact...hm.

  • Shit (Score:3, Funny)

    by Anonymous Coward on Friday December 02, 2016 @08:34PM (#53412671)

    I'm gonna have to stop putting random USB sticks in all my devices. :(

  • I can just picture someone plugging one of these into one of those public charging kiosks at an airport. Wanna bet how well the ports are well isolated?
    • Comment removed based on user account deletion
    • by mspohr ( 589790 ) on Friday December 02, 2016 @09:49PM (#53412963)

      Public charging ports don't have data lines... just power. The device would charge but have no data lines for the discharge.

      • by msauve ( 701917 ) on Saturday December 03, 2016 @09:37AM (#53414675)
        "Public charging ports don't have data lines"

        Your claim (and that of other's, below) is simply wrong.

        Because, any USB charger expected to work with a wide range of devices does in fact have connections to the USB data pins. If they are unconnected, a USB device can draw no more "one unit load" (0.1 A) from the port. If the data lines are actively used, a device can negotiate to 500 mA. Using the USB charging spec, the data pins are shorted together or with a 200 ohm resistor (depends on the version of the spec), and a device it can draw up to 1.5 A. But that's still unlikely to cause problems with other ports.

        What is a concern is that there are lots of proprietary extensions beyond the USB spec. Apple and Qualcomm are two big players in that regard, using the data lines to signal the availability of current and/or voltages more that the USB spec itself allows. Modern "universal" charging ports actively use the USB data lines to identify the device type and then negotiate available power. These types of ports are becoming more common everyday.

        Even if ports are sufficiently isolated so that one of these "killers" couldn't effect other ports, it's possible that they could damage the port they're plugged into, potentially causing it to deliver voltage damaging to other devices. Even though ESD protection is likely provided (just as it is on a computer's USB port), that's meant to handle only low energy situations (high volt/low amps). These killers are designed to accumulate, then deliver a much greater charge than that.
    • by Enigma2175 ( 179646 ) on Friday December 02, 2016 @10:26PM (#53413115) Homepage Journal

      I can just picture someone plugging one of these into one of those public charging kiosks at an airport. Wanna bet how well the ports are well isolated?

      It would likely do nothing at all. It dumps the charge down the data lines, a charging port shouldn't have any data lines. Now, maybe the data lines ARE connected to something (so the TSA can search every phone that gets plugged in, "for your safety"), in that case maybe blowing the data lines would be a good thing overall.

      • Re: (Score:3, Interesting)

        by msauve ( 701917 )
        "a charging port shouldn't have any data lines"

        You're wrong. A useful USB charging port _must_ have connections to the data lines (see my post, above).
    • by gweihir ( 88907 )

      No problem at all. These do not have data-lines and 220V is not enough to jump any relevant distance. (Don't you love the general stupidity of the vandalist mind-set?) Carrying one of these into an airplane may get you a few years behind bars though, as they are close in design to a stun-gun.

  • Well... (Score:5, Insightful)

    by Waffle Iron ( 339739 ) on Friday December 02, 2016 @08:41PM (#53412709)

    This is why we can't have nice things.

    • Police searches (Score:5, Interesting)

      by Okian Warrior ( 537106 ) on Friday December 02, 2016 @09:15PM (#53412829) Homepage Journal

      One interesting use I can think of is to simply carry one around in case you get arrested by the police.

      Supposedly police require a warrant to search your personal papers such as your cell phone, so this shouldn't be much different. If they take the USB drive over to the cruiser and plug it in "just to see" then this will fry their system.

      You can even tell the officer not to plug the device in, that it's not a thumb drive, and that there's no information on it.

      It would probably work at airports as well.

      I really don't see a downside to this.

      • Re:Police searches (Score:4, Informative)

        by The Good Reverend ( 84440 ) <michael AT michris DOT com> on Friday December 02, 2016 @09:19PM (#53412835) Journal

        No downside? You're not considering "Getting your ass beat by the cops for destroying their stuff", as well as likely terrorism charges, 'cause that's what scaring police with an unknown device will get you.

        • by ghoul ( 157158 ) on Friday December 02, 2016 @09:23PM (#53412853)

          Well I could sue the police and retire on the settlement. Its like winning the lottery only with a beatdown thrown in

          • Well I could sue the police and retire on the settlement. Its like winning the lottery only with a beatdown thrown in

            Only if you have the entire beating on video. Good luck with that.

          • by Calydor ( 739835 )

            That's assuming they don't just shoot you to stop you from using your strange device to hack the Pentagonz!

      • by quenda ( 644621 )

        I really don't see a downside to this.

        When the cops can't use their electronic address book, they will have an excuse to get out the old-fashioned telephone books.

      • by Sycraft-fu ( 314770 ) on Friday December 02, 2016 @10:19PM (#53413087)

        I doubt they'd have a hard time stretching it to over something like this. If you have a device who's only purpose is to destroy something and it goes and destroys something, well you are pretty likely to get in trouble for it.

        Remember courts aren't operated by overly literal geeks who think if they can find some explanation, no matter how outlandish or unlikely, it'll be accepted. The law bases a lot around what is reasonable, and around intent. So your attempt at being cute won't work, and you'll be off to jail.

        It also may very well be illegal just to have, or be made illegal if not. There are devices that are outlawed purely because they have no legit use. Many states ban burglary tools, which can include things like the cracked ceramic piece of a spark plug (the aluminum oxide ceramic breaks tempered glass easily). If they catch you and can prove intent, then you are in trouble just for having them with the intent to use them illegally.

        Oh and don't think they have to read your mind or get a confession to prove intent. They usually just have to show that the circumstances surrounding the situation are enough to lead a reasonable person to believe that you were going to commit a crime.

        And a post like this, would count for sure.

        • by rastos1 ( 601318 )

          If you have a device who's only purpose is to destroy something and it goes and destroys something, well you are pretty likely to get in trouble for it.

          Destroying something is sometimes a legitimate thing to do.

          If have a hammer and I use it to smash a harddisk with confidential information because that hard disk is being replaced by a bigger and newer harddisk, then smashing the old harddisk is a legitimate purpose. If you decide to use the hammer as fuse, I warn you to not use it as fuse and you do that

        • Lighters exist. Their sole purpose is to set things on fire, aka 'destroy flamable stuff'.

          They are not illegal. You can carry one on your person.

          If a cop takes one from you and then lights his car on fire, that is HIS fault, not yours.

          The thing is, 'destroying' stuff is not illegal. It is only illegal to destroy something you do not own.

          I have lots of computers and I do not want other people to steal the data on them. I could purchase the USB killer for that legitimate purpose. If the cop stupidly use

      • I really don't see a downside to this.

        You've never dealt with the police, then. Tricking them into damaging their own equipment while wearing a shit-eating grin doesn't exactly endear you to them.

        "So what are they gonna do? Drag me out the back and beat me with sticks?"

        Do you really want to find out?

        • You're assuming they'll realize their equipment is damaged. If the gizmo just fries their USB port, they'll just not be able to read anything off the device and not know their equipment is broken for days or weeks.
      • by Eloking ( 877834 )

        One interesting use I can think of is to simply carry one around in case you get arrested by the police.

        Supposedly police require a warrant to search your personal papers such as your cell phone, so this shouldn't be much different. If they take the USB drive over to the cruiser and plug it in "just to see" then this will fry their system.

        You can even tell the officer not to plug the device in, that it's not a thumb drive, and that there's no information on it.

        It would probably work at airports as well.

        I really don't see a downside to this.

        Well, let's start with the fact that police equipment are paid with your taxe, which basically mean you're burning your own money.

        Beside, I don't get why so many people have so much hate again the police. Yeah there's a bunch of them that are asshole, but asshole exist in every profession. It's just that it's more of a problem if it's a police officer (or a politician) instead of the garbage boy.

  • by RCourtney ( 973307 ) on Friday December 02, 2016 @08:44PM (#53412721)
    Like the fact that you can find a USB port in planes, trains, bars, and various other places where you might need to charge up your phone?

    Yup, not any more.

    It really sucks that some people just like to watch the world burn.
    • hmm

      *plugs usb killer into airliner USB charging port*

      *dies*

    • Fortunately, it's not designed as a passthough USB device, and it appears to be activated with a button. So, it seems sort of unlikely that it would be abused like that en masse, at least not without significant modification, which raises the bar quite a bit for malicious sorts.

      I think a bigger danger is someone leaving the device lying around with a label printed "top secret" or "do not view", and letting natural human curiosity do the rest. That's still an expensive "prank" to play at $50 a pop, with no

    • by QuasiEvil ( 74356 ) on Friday December 02, 2016 @09:20PM (#53412841)

      Probably not much would happen. Many of them just put +5V on the power line and leave the data lines floating or tie them together. Sometimes they have various resistor networks to trigger higher charge rates. Depends on the size of the resistors, but my bet is even throwing 100-200V at them isn't going to do much given how little energy a few ceramic caps can hold. You'll exceed the power rating for a bit, and that will quickly drop off as the caps discharge.

      The bigger problem will be USB C chargers and things like Qualcomm Quickcharge, which actually use digital communication on the lines to trigger various non-5V voltages and higher currents. Because they use actual signaling, they're much more prone to damage.

      As the parent said, the sort of antisocial taintsuckers that would do this are why we can't live in a decent society.

      • by AmiMoJo ( 196126 )

        It is possible to design protection for this type of attack, so I imagine we will start to see "vandal proof" USB soon, like we have rugged switches and keypads and the like.

        Maybe I should Kickstart a USB-killer-killer that absorbs the energy and then nukes the USB killer with an even more powerful response. The side supplying power will always have the upper hand here.

    • Re: (Score:3, Informative)

      by mspohr ( 589790 )

      Charge ports don't have data lines.

      • Mostly they do, though they may just be connected to resistors to indicate that they can provide more than the default 0.1A defined by the USB standard (the standard allows for up to 0.5A, but *only* if your device has successfully negotiated for it with the host controller)

    • Should be trivial to construct a USB charging cable with inline fuses (or sacrificial caps/resistors/diodes), maybe adding $1 to the cost of the cable, and protecting your expensive devices from not just intentional sabotage, but also cheap, poorly engineered chargers, which might just kill you. [go.com]

      It was already bad hygiene to plug-in a USB cable that has the data lines intact into a public port, as all your data could be quietly siphoned off, and malware loaded on. If this new threat gets people to pay atte

    • by Sycraft-fu ( 314770 ) on Friday December 02, 2016 @10:11PM (#53413049)

      The problem with a device like this is it is hard to find a substantial legitimate use for it. Given that, they are likely to be targeted for a lawsuit and they are likely to lose that suit.

      While it is perfectly ok to sell a device that gets used to commit crimes, you generally have to have a legit reason to be selling it and it can't be something that is totally made up that nobody actually believes. So for example while a crowbar can certainly be used to break in to a house to or attack someone, they are also widely used used to get nails out of things and pry stuck objects apart. As an opposed example a number of companies that sell devices to help you cheat on urine tests have gotten in trouble since their devices had no use other than said cheating.

      It is very, very hard to think of a legit use for this and I can't imagine they'll get many legit sales. So it'll probably get them in legal trouble.

    • by mrsam ( 12205 )

      Get one of those "USB powerbank"s.

      They're dirt cheap. If you don't know what they are, they are one or two 16850 LI-ion cells, a mini-USB port, and a USB-A port. The mini-USB port is used to charge the cells in the powerbank, and then you can plug your gadgets into the USB-A port, to charge them later.

      Use the powerbank to suck the power from a public port first, then plug in your devices. The downside is that the whole process takes longer. The upside is that all you're risking is blowing up your powerbank.

    • Can't the same thing be accomplished with a pre-charged capacitor (a battery or something) with an usb port? Send the charge through the data line and blow stuff up. And I'm sure you can get it cheaper than 50 USD.

      So if this is to become a problem, it won't be from this gadget.

    • Fuses? Zener/avalanche diodes?
  • Pour it on laptop or desktop or server. Works 100% of the time.

    Someone should sue these tick turds. Right after they inhale watered PC smoke.

  • What would happen if you plugged one of these into a charger?
    • Nothing much different? I believe a charger is a tiny computer, is there a 4bit or 8bit CPU in there that negotiates current output to the device?

      • Not usually. Later USB specs followed the de-facto industry practice of allowing chargers to just put specific resistors across(?) the data pins to indicate available current. Makes for much less expensive chargers.

  • This device will self destruct in 5 seconds (or however many cycles it takes to get to -220V)

  • I'm all for things that go boom. I love weird, clever little gadgets. I admire a clever and subtle subversion of a system, even when I don't condone its use.

    But geez; this thing is not exactly elegant. It uses a fairly basic circuit to exploit the completely unsurprising fact that the interface isn't designed to handle high voltages.

    • by Registered Coward v2 ( 447531 ) on Saturday December 03, 2016 @11:05AM (#53415079)

      I'm all for things that go boom. I love weird, clever little gadgets. I admire a clever and subtle subversion of a system, even when I don't condone its use.

      But geez; this thing is not exactly elegant. It uses a fairly basic circuit to exploit the completely unsurprising fact that the interface isn't designed to handle high voltages.

      I'm with you on this one. All someone did was say "Gee, capacitors can hold large charge and dissipate it quickly so it will destroy a circuit whose design spec doesn't call for handling large voltages" and build a small device to do so. BFD. I can build a 120 or 210 power cord with a usb connector, plug it in a to the wall and a usb port; POW sparks fly as well. The "the interface and machines should have been deigned to prevent such an event" is ridiculous since no one expects someone to design a device to deliberate damage the port; and if you did try to do so why stop there? A screwdriver can also physically damage it so doe step spec require it to withstand such an attack? How about if I put my machine in a microwave? Or do we design it in such a way that it performs as intended and the expectation is it will be used in a reasonable manner?

      Some people will no doubt think it's funny to use one on unsuspecting victims and when caught say "It's just a joke" and / or "The machine should have been designed not to let that happen;" and be surprised when they are hauled into court. Oh well, you can fix a fried device but you can't fix stupid.

  • I have physical access to the device to begin with. I could just as easily get all stabby with an ice pick or blunt object.

  • The Taiwanese mobo brands have been layering ESD, overvoltage, and overcurrent protection, as well as fuses for individual ports, on their shit since the late 90s when tons of shit was getting fried due to crappy PSUs and crappy peripherals. The last time I saw it as a named feature emblazoned on the front of the box they were on version 4 of whatever they called it.

    If you're buying OEM crap (Dell, Lenovo, HP, Apple), or an Intel board, you're fucked. Decent mobos will at the worst lose just the one port

  • by eagl ( 86459 ) on Friday December 02, 2016 @11:39PM (#53413361) Journal

    This is just another way to vandalize stuff. I owned a far cheaper version of this 30 years ago. Its called a baseball bat. Before that, I had a tack-hammer. My ancestors had a version too, but they called it a "brick". Even earlier versions were called "rocks".

    If we're lucky, cities will start passing ordinances to make mere possession of these a crime, since there is no legal purpose for these.

    • by gweihir ( 88907 )

      Personally, I hope they will raid the vendor for the customer list after a while and then pay a visit to everyone that bought one.

  • An app that requires a uname and PW to enable a port, without a reboot. And protect against this nuisance [vice.com] too

    USB keyboards may be a catch22.

  • Witnessing small but steady improvements of technology over common sense. Ultimately there will be a single technological moment in which there will be no common sense at all.

    Seeing this on Slashdot is like picking up a carpentry trade magazine where one expects to see advice on practical projects, tools and plans, to find a feature article about stepping on rusty nails. Carpenters sometimes step on them and there are bits of humor and sympathy here and there but this article is different. There are lurid

  • Anyone else dying to find out what happens if you plug two of these into each other?

  • Unless you own the hardware or have explicit permission. Using this otherwise is the equivalent of taking a hammer to a computer without permission. As this device has no purpose except destruction, it may even be criminal to own in some places.

  • Please note that in order to use this device on your new MacBookPro that you'll require a special USB-3->USB-C adapter. Please make an appointment at your nearest Apple Genius Bar to test your device.
  • Yes, sure, an interesting thought experiment, I suppose. Maybe. If you're the sort of psychopath who likes to pull legs off of small insects and animals just to watch them die. And, if that's the case, well, you need to be removed from direct contact with society and should be seeking treatment, possibly including protection from yourself. There is no legitimate use that comes to mind for a USB-killer other than to intentionally destroy property (unlike, say, a firearm which has legitimate uses beyond t

  • Time for someone to make and sell a 'USB Killer Killer'

    Upon detecting that a USB killer has been inserted the USB Killer Killer quietly disconnects its protected USB link to the PC's USB port.
    It then flashes a rotating red LED, sounds a warning siren and declares thermonuclear war on the unsuspecting USB killer by way of its 1.21kV capacitor bank, which interestingly happens to be around the size of an overweight adult hedgehog.

    Unexpectedly the USB killers plastic casing instantly explodes and showers the u

  • It's a nice product to demonstrate, that you should trust no hardware. But its a Proof of Concept. There is no reasonable use to mass produce it. Even securty professionals won't kill one notebook per customer, but just play a video of the thing in action.
    Mass producing it just calls for stupid pranks costing a lot of money and killing a lot of data, which isn't backed up. And possibly getting people in jail, which think its just a prank.

  • We're already getting emails about these from our managers forwarded from other districts. They're scared.

  • It looks like the only real defense from the SledgeHammer (tm) is to physically protect your laptop.

    I think we should have some laws against ball-peen hammers and their ilk to protect our devices!

  • If you have physical access to a machine, you can do pretty much whatever you want to it.

    If someone is planning to leave theses around to destroy computers then they could do a lot more damage with an infected USB drive - to anyone idiotic enough to plug in an unknown usb device.

    If you want to maximize damage, an ounce of C4 in a drive will to a lot more damage. Thermite would be more spectacular.

    I don't get it. You spend $150 for a device that will make a computer fail in a boring way.

"Ask not what A Group of Employees can do for you. But ask what can All Employees do for A Group of Employees." -- Mike Dennison

Working...