Net anarchist?
Nope. He's just a criminal vandal.
An internet mischief maker has built a USB stick that delivers dangerous 220-volt shocks to PCs, destroying them in the process. The USB Killer is the second iteration of a laptop-wrecking device crafted by a Linux and infosec techie nicknamed Dark Purple. The first version of the PC-zapping hardware emerged in March, and …
It's slightly clever, using the host power to supply the damaging power, but really I have a cheaper solution involving an unused USB connector and a power pigtail. Also, I could run over the laptop using my car. Is that clever? Me thinks not.
Clever would be that he could do this from a remote location. Keep trying, Igor!
That will be the next step. Some form of gated switch that when triggered remotely will turn a useful usb stick into the destructive force it is now.
Imagine how it would go .. ID ten T user finds usb "storage" dongle in the parking lot, or middle of the grocery store isle.
ID10T picks up device, takes home or to work, plugs in, "hey.. its a USB storage device I picked up for free, awesome!"
Meanwhile, its attempting to install malware, some sort of call home remote via tor.
Later, after infection has made it inward, it destroys itself along with the PC that started the infection.
Next, you hear about company X (sony) going old school, pen and paper whilst they work to clean up.
A Dongle is just a Dongle, until it isn't.
Hide in plain site, at the first risk of detection, destroys itself and its initial attack vector / springboard into a network, just in case you (the hacker) left something that could trace to you. Of course you'd want to scrub drives first or encrypt parts etc, so that any data leaving is encrypted and the only location for the key is the USB that will destroy everything it can when activated.
Not necessarily. Inconspicuous reliable self-destruct for machines is something that is of interest for a lot of people. Anything from industrial secrets, to various hat colors, 3 letter agencies, you name it.
The fact that you and me do not need it, does not mean that this is not useful.
By the way - the choice of voltage is interesting. High minus is the only thing that really can blow up a motherboard via peripherals. High plus is nowhere near that effective.
I'd be very reluctant to consider this in a security context without rigorously testing its thoroughness on several samples of the target equipment: I imagine a lot of persistent data would survive in most cases.
Perhaps it if the caps were charged to 22000V... but even then...
Difficult to imagine a situation where you wouldn't have better luck with a hatchet.
It would be interesting if you were a criminal. Leave one in the house, labelled as Accounts or similar. Cops raid your place, find the stick, plug it in and: ZAP!
All joking aside, this would mainly be useful for mischief. It's unlikely to do much more than kill a PC, and I could see a miscreant leaving a load lying around. I'm pretty sure there are some people who would pick it up and plug it in to see what was on it, and I'm sure more than one would try a second machine after it fried the first ("I wonder why my laptop isn't working, let'd try it in my desktop").
The article mentions that it fries the motherboard and nothing about any effects on storage. My guess is that this might be useful offensively (in as much as destroying someone's machine is useful) but it is unlikely to prevent data from being extracted from a machine's drive except perhaps those attached to the same USB bus as the device.
Inconspicuous reliable self-destruct for machines is something that is of interest for a lot of people.
As it's got pretty nearly fuck-all chance of killing the data on disk (and it's the data that you want to destroy, not the machine) this is useless for that purpose.
He's just as clever and driven by the same motivation as the people who used to switch PSUs to 110v so they'd go <BANG> when switched on, scaring the living jesus out of the user.
Twat.
With respect, there is no guarantee that this device will do anything other than deliver 220V which may or may not kill the machine but cannot be guaranteed to destroy the data..
I suggest you go and read the steps Guardian journalists were made to take when the UK security services had them destroy the laptops containing the Snowden documents to find out just how thorough you need to be to guarantee data destruction.
"the steps Guardian journalists were made to take when the UK security services had them destroy the laptops containing the Snowden documents to find out just how thorough you need to be to guarantee data destruction."
That exercise wasn't about data destruction (e.g. there was already another copy of the data somewhere else, so the whole exercise was pointless from a confidentiality point of view).
That was a PR exercise about showing who's in charge here.
Won't work.
There is a re-settable polymer fuse in the USB, and several capacitors plus a voltage divider for voltage sensing, and that will mean s short to ground.
You will kind of fry the computer, but no data will be lost.
So I think this is just a nuissance, with no practical use.
The "lost" usb with the trojan, that one is a good one..
Anarchism is a political philosophy that advocates stateless societies, often defined as self-governed voluntary institutions. So I guess a Net anarchist would be someone who advocates an Internet which is not controlled by any political hierarchy, so probably running some sort of loose assortment of zero configuration protocols everywhere.
How does this have anything to do with vandalizing computers?
Charles,
Have you had ALL of your meds today?
In my shed I have:
- an oscilloscope (lovely old Tek...)
- cans of petrol
- gas canisters (butane etc)
- LOTS of powertools
- white spirit/meths/cellulose thinners
Just think of the havoc I could create with that lot eh?
Pls engage your brain in future before commentarding...
Kind regards,
Jay
Just think of the havoc I could create with that lot eh?
True, but presumably you don't put your white spirit/meths/cellulose thinners into coke bottles and leave then in school playgrounds to see what happens? That would be the equivalent to distributing these USB sticks.
True, but presumably you don't put your white spirit/meths/cellulose thinners into coke bottles and leave then in school playgrounds to see what happens?
Maybe he should be doing that, but that would be littering.
So is leaving only USB sticks around, only something that could get lost in the laundry is more innocuous than bottles.
"...presumably you don't put your white spirit/meths/cellulose thinners into coke bottles and leave then in school playgrounds to see what happens? That would be the equivalent to distributing these USB sticks."
What a great idea!
Why don't we go the whole hog and create child maiming landmines disguised as toys?
But wait! It's already been done. Also Russian I believe...
> He's just a criminal vandal.
Why? He's just building the things, which is quite an interesting exercise, I find. Are weapons manufacturers criminal vandals too, in your opinion?
I am in fact considering buying one of those, to teach my computer a lesson now and then. >:-}
This post has been deleted by its author
Why would anyone pick a USB stick and put it in their PC/laptop/whatever? It many ways, that's like picking up a floppy disc (remember them?) and putting it in the PC to "see what's on it". Ok.. maybe I'm paranoid, but I've seen viruses get passed around this way in the distant (a: b: drive era) past.
This post has been deleted by its author
>You can't catch malware simply by examining the contents of the drive, unless you've set your PC up in an incredibly foolish way...
Bollocks
>and of course you're going to scan the drive first thing.
Why?
Not sure what's more depressing: Your post, or the (3 up, 0 down) votes it's received.
Google "bad USB" (include the quotes) & grow up.
>"Not sure what's more depressing: Your post, or the (3 up, 0 down) votes it's received."
Both pale into insignificance next to the downvotes you're getting, without explanation, for pointing out the obvious. Perhaps their Google's broken at the ostrich farm?
https://srlabs.de/badusb/
This post has been deleted by its author
This post has been deleted by its author
"Boot sector viruses infect systems when you, you know, boot from the infected device. Examining the contents of a drive is one thing, booting from it is quite another."
Strange, I thought that MBR viruses could spread just by listing the contents of the disk on MS-DOS (I assumed DOS did something weird like executing the MBR when you mount the disk), maybe my memory is incorrect. I certainly remember getting an MBR virus or two when I was young and foolish and not being quite sure how I caught them!
Heck, a USB charger can infect a phone or a USB mouse infect a laptop.
EVEN if EVERY aspect of evil should never have been invented autorun is disabled, a USB storage device can have a stealth HID mode too. You can't easily disable HID USB on Windows.
Plug and Pray. The very spec of USB is a fail on so many levels!
1) Should have had no auto-install. At least a confirmation prompt.
2) Should have had same connector both ends and a peer to peer mode
3) should have been isolated (ethernet can be and MIDI is)
4) should have used reversible connector.
The original idea was actually for mice, keyboards, joysticks etc only to replace PC DIN connectors and Apple serial bus for slow peripherals, hence the stupid asymmetrical nature, and the original really slow speed and low power. I think perhaps Apple was mainly responsible? Perhaps they were only an early adopter of someone else's stupidity.
Note original Win95 did have stupid autorun, but no USB support at launch.
Network uPNP is another stupid idea. Who thought it was a good idea that network gadgets could automatically load drivers into your Windows computer. Or that network shares could use the stupid autorun "invented" for CDs?
that's like picking up a floppy disc (remember them?) and putting it in the PC to "see what's on it". Ok.. maybe I'm paranoid, but I've seen viruses get passed around this way in the distant (a: b: drive era) past.
I remember the old floppy bombs... Lost a drive when a "friend" gave me a floppy and told me it had, erm, content I would have been interested on it. I wasn't happy, and nor was my dad (whose computer it was). Luckily, my "friend" offered to pay for a new one.
This seems like an updated version of that.
Also good to put the competition out of gear just before a sales meeting.
Plenty of use for this because (as many have identified) there are quite a few people that will have a look at what's on the stick, and that's really all you need (also for infections).
The ones we use (one brand and type) are a lot harder to rig like that. For starters, they're too small. So the hard work is to stop people using unknown USB sticks - maybe a couple of old laptops of eBay and such a USB stick may demonstrate this more thoroughly than "ooh, look, there is a virus".
So the hard work is to stop people using unknown USB sticks - maybe a couple of old laptops of eBay and such a USB stick may demonstrate this more thoroughly than "ooh, look, there is a virus".
Couple with a small/copious amount of thermite (or other substance depending on your range from the device and the impression you really want to make) for a bit of special FX...
Many people wouldn't realise that a device like this is unlikely to cause anything to actually go bang or burn out.. But a nice little (according to taste) fireball or shower of sparks from the machine would convince anyone (bar for a real tech) that the working machine really was "blown up" by the USB, and they won't want to be near that.
I've accidentally destroyed a few bits of electronics in my time. With only 2 exceptions the actual event was pretty uneventful, usually not even any sound to go with it (except maybe a disk spinning down or something like that). Adding pyrotechnics to a demonstration really aids in making the point. BOFH-style "secure network cards" come to mind... And have been a great inspiration for some teaching aids in the past... ;)
Brings back memories of a legacy pre-USB device with similar consequence.
Made by chopping all the red stuff off the top of matches.. then dismantling a 3.5in floppy.. nail varnishing all the red gear onto the disk itself, then reconstructing.
Heard rumours that this trashed a drive once inserted, but never built one to test as my only machine at the time was an Amiga :-D
We made a device using some copper cables, an FL Inverter from a notebook and a 9 volt battery. It was handy for making sure suspect faulty parts were dead, prior to sending them back when the warranty replacements came in.
It did nothing to humans BTW, although that didn't stop us from chasing the newbie's around with it laughing maniacally.
At the time I worked at the National Broadcast Center in the Netherlands we had a BNC-killer. From time to time it would resurface and anybody who saw it said Hum, that looks dangerous and nothing happened.
to stash in your laptop bag for the crims to find when they steal it. They'll try the stick on your machine, killing it (and making your data safe), then they'll try it on their machines.
Obviously, put warning labels on it, then when they plug it in and fry their machine, they have no legal recourse since they ignored the warnings.
This will only harm those who don't know any better. Mainly kids I expect, who have seen mum and dad plug in USB sticks, so are quite excited to find one. As a kid I used to pick up all sorts of things - from tie pins to (my best ever find) an almost new pocket knife.
I just hope that somehow this comes back to bite him really hard.
Our very professional and quasi-govt organisation had a security assessment done recently, and no less than 5 of the 6 USBs that were left randomly around and outside the premises were plugged into networked computers. Yes, professional adults earning (in the main) high-5 to 6 figures.
I remember reading that comment, he's obviously an agile and proactive supplier of digital death.
--
To save me adding another comment I wonder how much protection a USB hub would afford?
I assume it would depend on the design but who checks their layout against -220V?
A mod of this needs to go on Kickstarter, stat. It should read "USB inverter with 220V output! Plug in your power brick and power your laptop from its own USB port for free indefinitely!" If things go the usual way, the campaign would be at least halfway through before anything happens...
This could make people paranoid. After all, someone could have switched out one of these for one that looked the same and which you thought was a good one.
A solution would be to sell USB checkers into which you first plug your sticks to see if they're safe to plug into your computer.
Naw, what's needed is an overvolt shutoff in between the plugable and the computer. You could probably source everything you need from Sparkfun if you live in a land o' no Maplins.
I'd like to congratulate the inventor of this idiotic device (which in all likelihood was lifted from an old flashgun) for adding yet another "worthwhile" item to the list of computer-age spinoffs.
keep one in your glove compartment. if you ever get pulled over and the cop decided to make an unwarranted search of your car they will likely grab it to check "for illegal content". If they ask whats on it you tell them "Do not attempt to view the contents of that device. It would be bad.".
Even if you tell them >exactly< what it is they will think you are lieing to hide something and plug it in anyway. Just make sure you have a recorder of some kind going when you tell them so you can defend yourself form the certain "terrorist" charges that would follow.
I think this is rather neat, actually, if for nothing else but to cause a bit of mischief to prying eyes of various border security or aforementioned TLA agencies. Get stopped at the airport and ordered to hand over all electronic devices so they can be "examined" for dodgy things? Sure, here you go... Fzzzzt goes some expensive hardware.
Might possibly earn you a jolly good rubber-gloving by angry officials, however.
I wouldn't bring this anywhere near a plane. Planes now often have 5V USB charger connectors for the cattle'scustomer's entertainment devices. I dare not to think of what happens, if you plug this device in during the flight. Hopefully nothing, but let's not try it out, OK?
They might (IMO rightly) arrest you just for carrying one along at checkin.
"I wouldn't bring this anywhere near a plane. Planes now often have 5V USB charger connectors"
And this is the real threat that this piece of work exposes, namely USB ports, are everywhere. However todate, there has been a level of trust in their deployment, this changes things, particularly for those who provide 'public' access usb ports such as found in cars, trains and planes.
Get stopped at the airport and ordered to hand over all electronic devices so they can be "examined" for dodgy things? Sure, here you go... Fzzzzt goes some expensive hardware.
"Would you care to boot up your laptop and show us what is on this USB stick, Sir?"
They are not *all* brain dead..
This post has been deleted by its author
No problem. On your own laptop you have a daemon running that toggles the USB ports in a particular pattern that the ZapStik responds to by not zapping. Needs some extra USB-foo on the stick, but anyone who can build this can build the extra USB-foo. Or, even simpler, a switch somewhere that toggles power to the ports. No power, no zap. Of course, you (and they) then won't see the USB stick appear in the device manager, but there's a simple explanation for that: "It's not a storage device". Which it isn't.
They're free to verify the non-storage-devicesishness on another machine.
On your own laptop you have a daemon running that toggles the USB ports in a particular pattern that the ZapStik responds to by not zapping. Needs some extra USB-foo on the stick, but anyone who can build this can build the extra USB-foo
Cue a rather expensive round of debugging..
I am saying NOTHING about a certain Russian aircraft.
OK, I am saying something. But I can't pretend it's even a joke because it's not funny. It will never be funny. Like it isn't funny now to say something about the WTC and leaving the landing lights on.
I mean plugging in devices didn't work even in the early staged demos.
https://www.youtube.com/watch?v=ajmn-_jkpdc
The protocols running over USB are far to complex and ill defined, the hardware makes bit errors very common, which make your bus reset.
I stopped using USB sticks years ago in favour of micro-SD (with adaptors.) Good luck getting 220V out of one of them.
You absolutely had to say that, didn't you? Now you've put a challenge out there, and it's guaranteed that someone will manage at some point, it's inevitable now.
:)
It's an upgrade to an old toy. If that worked why do we need an upgrade?
But it's not even scary! Really tight usb plug so you can't extract it easily then simply generate noise - say an alarm tone - initially barely audible to cause the "what's that?" looking around then a rapidly ramping sound getting louder and louder and scarier and scarier it wouldn't half make the idiot who plugged it in panic ...
The video is very interesting, not for what it shows but for what it doesn't.
I have an IBM T60 (the machine used) that I've maintained myself and so have stripped it down a few times, hence seeing which USB port he used, I'm interested to see just how much and how many of the internal circuit boards were actually damaged by this...
So it would of been nice to see some disassembly to indicate just what had been fried, I suspect (on this system) less than being claimed...
> I have an IBM T60 (the machine used)
Actually, it looked more like a T20-series. It's a Pentium3 machine from 13-15 years ago (at least as far as I can tell. The T30 was available in 2002, so gives you an idea of the age, and the T30 already had a touchpad, which the one in the video does not).
But why waste your time developing something like this? Usually inventors see an unfulfilled need and fill it. Is there a need for this? Looking at the photo of the device, clearly some dev time went into it. Yes, this is stealthy. I could also buy a cheap, Chinese-made stun gun that puts out 100KV and use it on any port of a PC or other equipment. Or I could plug up the drain in a public restroom and turn on the water, amusingly causing a lot of damage if it was not discovered soon. But I'm not an antisocial 14 year-old kid.
Next the developer can move on to bigger and better things, like working in some skunk works weapons lab finding better ways for us to kill each other and make the world a little bit worse on a grander scale.
Frankly the thing is totally stupid as the probability it may not even do any serious damage. My grandaughter will do far more! She could wipe your memeory dead easily. The capacitor also would not be able to sustain any serious current, so the likely hood will be that the 5 volt rail would be zapped going to the device so shutting the computer down until the offending item was removed and the computer restarted. Its called an overload shut down. To get micro amps at 230Volt (220 went years ago) one needs quite a bit of juice possibly not available from many computer supply's. Lets see, at 5 volt you have through the resistive circuitry maybe 0.01amp. so to get any meaningful current to do damage you need to effectively get a through put of some 500 times a reduction to real micro amps that will in effect be zapped by even the smallest resistors and being of the DC variety of electricity it will not pass through the capacitors just taking them out so possibly only and I note possibly destroying 1 USB socket.
I know plenty of people who would plug a USB stick into a computer to see what was on it and take a look to see if they could work out who owned it so they could return it.
There was a time I would have done that myself.
But as to using one of these, a lot of people see it as a prank, but if you wanted to be malicious, you could simply post one to your intended victim. It seems that most precautions normal people might take, like scanning it for viruses etc., disabling auto-run etc. would not help, and leave them with fried components.