USB Killer, yours for $50, lets you easily fry almost every device

Last year we wrote about the "USB Killer"—a DIY USB stick that fried almost everything (laptops, smartphones, consoles, cars) that it was plugged into. Now the USB Killer has been mass produced—you can buy it online for about £50/$50. Now everyone can destroy just about every computer that has a USB port. Hooray.

The commercialised USB Killer looks like a fairly humdrum memory stick. You can even purchase a "Test Shield" for £15/$15, which lets you try out the kill stick—watch the spark of electricity arc between the two wires!—without actually frying the target device, though I'm not sure why you would want to spend £65 to do that. The website proudly states that the USB Killer is CE approved, meaning it has passed a number of EU electrical safety directives.

Read 9 remaining paragraphs | Comments

Meet USBee, the malware that uses USB drives to covertly jump airgaps

Enlarge / Illustration of USBee, in which an ordinary, unmodified USB drive (A) transmits information to a nearby receiver (B) through electromagnetic waves emitted from the drive data bus. (credit: Guri et al.)

In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks. Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly "air-gapped" PCs.

The USBee—so named because it behaves like a bee that flies through the air taking bits from one place to another—is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all.

"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers from Israel's Ben-Gurion University wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [radio frequency] transmitting hardware since it uses the USB's internal data bus."

Read 7 remaining paragraphs | Comments

Stealthy malware targeting air-gapped PCs leaves no trace of infection

(credit: John Lester)

Researchers have discovered highly stealthy malware that can infect computers not connected to the Internet and leaves no evidence on the computers it compromises.

USB Thief gets its name because it spreads on USB thumb and hard drives and steals huge volumes of data once it has taken hold. Unlike previously discovered USB-born malware, it uses a series of novel techniques to bind itself to its host drive to ensure it can't easily be copied and analyzed. It uses a multi-staged encryption scheme that derives its key from the device ID of the USB drive. A chain of loader files also contains a list of file names that are unique to every instance of the malware. Some of the file names are based on the precise file content and the time the file was created. As a result, the malware won't execute if the files are moved to a drive other than the one chosen by the original developers.

"In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer," Tomáš Gardoň, a malware analyst with antivirus provider Eset, wrote in a blog post published Wednesday. "After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload."

Read 8 remaining paragraphs | Comments

“USB Killer” flash drive can fry your computer’s innards in seconds

USB sticks have long been a mechanism for delivering malware to unsuspecting computer users. A booby-trapped flash drive, for instance, was the means by which the US and Israel reportedly infected Iran's Natanz uranium enrichment facility with the Stuxnet worm. And, in case anyone thought USB stick attacks had lost their novelty, last year's Bad USB proof-of-concept exploit delivered a highly programmable attack platform that can't be detected by today's defenses.

Now, a researcher who goes by the name Dark Purple has created a USB device that can permanently destroy much of a computer's innards, rendering the machine little more than an expensive doorstop. Within seconds of being plugged in, the USB stick delivers a negative 220-volt electric surge into the USB port. As the video below demonstrates, that's enough to permanently damage the IBM Thinkpad receiving the charge.

As viewers can see, the USB stick looks normal, and there are no outward signs it's malicious. But the USB Killer 2.0, as its creator calls it, takes computer attacks on a less-traveled road that leads to physical destruction. According to this post from The Daily Mail, an earlier and less powerful version of the device drew power from USB ports using a DC-to-DC converter until it reached negative 100 volts. At that point, the power was directed into the computer. The process ran on a loop until the circuitry failed. It's likely Version 2 works similarly.

Read 1 remaining paragraphs | Comments