Authorities are closing in. The double spy needs to destroy the data and bail before authorities get into the room or he’ll be finished. As they get closer, he plugs a small gadget into the computer, which instantly starts zapping and smoking. The spy climbs out the window to his escape.
It's a movie scene most of us have seen in one form or another. Nowadays, almost anyone can destroy a computer with just a simple online purchase.
The weapon? A Universal Serial Bus (USB) Killer. It looks just like a USB thumb drive, but instead of storing data, it can be used to destroy it and the device the data is saved on. The USB Killer does this by sending high-voltage power surges into the device once it's connected.
Makers of USB Killers say they sell them so people or companies interested in testing their devices for protection against such attacks can do so. But that also means anyone with ill intent can just as easily acquire one.
For example, in April 2019 a former student of the College of Saint Rose in upstate New York, pled guilty to destroying 59 computers at the college campus using a USB Killer. This little device caused some $50,000 in destruction. According to other sources, he also destroyed seven computer monitors and computer-enhanced podiums.
In addition, according to June 2019 research from Dell and Forrester Research, nearly half of companies surveyed had experienced a hardware-level attack in the 12 months prior. Of these attacks, nearly half were internal incidents and the result of accidental or user error, an attack involving a business partner, an attack within the organization, or a malicious internal threat.
How a USB Killer Works
USB Killers are based on a prototype allegedly designed by a Russian researcher, Dark Purple, with the purported intention to destroy sensitive components on any computer. When a USB Killer device is plugged into a USB port, it collects power into its own capacitors from the USB power source of the devices. It does so until it reaches a high voltage. When it's done, it discharges the collected high voltage negative 220 volts onto the USB data pins. It's estimated the currently available USB Killers can generate a voltage of 215 to 220 volts. This damages or destroys the circuitry of the host device.
This collection of high voltage in its capacitors happens rapidly. In addition, the charge/discharge cycle repeats many times per second so long as it remains connected and hasn't destroyed the device to the point it can't charge itself.
As a result of this process, practically any unprotected device is likely to succumb to the high voltage attack. USB sticks have long been used as a delivery mechanism for ill will, including to infect systems with viruses. This is likely because they are simple and cheap to design and acquire. They are also commonly used by unsuspecting people to store and transfer data.
Stopping a USB Killer
Supposedly, creators of the USB specification have addressed the vulnerabilities of a USB Killer with a new software-based cryptographic authentication protocol. This is for USB-C authentication and would help protect against such an attack by preventing unauthorized USB connections. However, there are already claims this protocol can be bypassed.
Device designers do have some options to include more hardware-based circuit protection. (Editor's note: The author's company is one of several providers of circuit protection components.) However, in many cases, designers unfortunately opt to save the extra pennies per device it would cost to do so. Still, extra circuit protection is highly beneficial in key markets — for example, in the medical device market, where a system's uptime can be life or death. In addition, some aircraft electronic systems have USB interface ports, and a person could easily damage the entire passenger infotainment system on a plane and any third-party device that is connected to the same USB line. Industrial or building systems equipment that is susceptible to disgruntled employee backlashes might also be a worthwhile target for extra circuit protection.
System designers can take some immediate steps to protecting their hardware by disabling unused USB ports or capping them so they’re more difficult to use. Some companies have also attempted to ban external media used on internal company systems. One reason: Employees often use USB memory sticks to take a file with them to work on at home. However, if not properly administered it can also lead employees to upload files to the cloud, which brings about additional security concerns.
From the cost of damage to physical systems to the risk of losing critical data, the threat posed by USB Killers is very real. Don't let your organization become the basis for the next blockbuster movie.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."