It sounds like something out of a B-grade Hollywood plot — a
flash drive that you plug into a computer and is capable of
destroying it within seconds. Last year, hacker Dark Purple
disclosed a USB flash drive designed to fry a modern system as soon
as you plug it in. The drive works by discharging -220V through the
USB port.
The exact details on how the drive functioned weren’t immediately
released. But there’s now a Hong Kong-based company selling a USB
Kill Drive 2.0 for just $50. Here’s how the company describes the
product:
The USB Kill 2.0 is a testing device created to test USB
ports against power surge attacks. The USB Kill 2.0 tests your
device’s resistance against this attack. The USB Kill collects
power from the USB power lines (5V, 1 – 3A) until it reaches ~
-240V, upon which it discharges the stored voltage into the USB
data lines.
This charge / discharge cycle is very rapid and happens
multiple times per second.
The process of rapid discharging will continue while the device
is plugged in, or the device can no longer discharge – that is,
the circuit in the host machine is broken.
The integrated nature of modern SoCs means that blasting the
USB controller with
-200V the way this drive does will typically cause severe damage, up
to and including destroying the SoC. While modern motherboards
include overcurrent protection, this typically protects against
positive voltage. (The difference between positive and negative
voltage is a reference to the voltage relative to the ground). If
the voltage source is connected to ground by a “-” terminal, the
voltage source is positive. If it connects via the “+” terminal, the
voltage source is negative.
The company
also plans to sell a USB Kill Tester Shield, which it claims will
prevent both the USB Kill device from functioning and protect user
data from certain kinds of snooping or intrusion if you hook up to
an unknown charging station or other device. This kind of intrusion
is known as “juice jacking,” though it’s not clear if this attack
vector has been widely used in the real world. There’s not much to
say about the Kill Tester Shield at the moment — all of the links on
the website to the actual product are non-functional as of this
writing. Caveat Emptor is good advice in a situation like
this.
It looks innocent. It isn’t.
The larger question, I think, is whether devices like this pose a
threat to the average consumer. Right now, I think they don’t. At
$5, it’s easy to imagine someone ordering these in bulk and
scattering them just to screw with people in general. At $50 each,
you probably aren’t going to stumble over a tiny block of death.
At the same time, however, studies have shown that up to 50% of
people will cheerfully
plug in a USB drive they found on the ground without taking
precautions for what kind of data or malware might be on the drive.
If the USB Kill 2.0 is actually shipping in volume, it’s probably a
good idea to revisit that tendency — or at least keep an old
computer around for testing.
Now read:
How USB charging works, or how to avoid blowing up your smartphone