USB Kill Stick

It costs less than $60.

For just a few bucks, you can pick up a USB stick that destroys almost anything that it's plugged into. Laptops, PCs, televisions, photo booths -- you name it.

Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds.

On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware".

You might be forgiven for thinking, "Well, why exactly?" The lesson here is simple enough. If a device has an exposed USB port -- such as a copy machine or even an airline entertainment system -- it can be used and abused, not just by a hacker or malicious actor, but also electrical attacks.

Slashdot thread.

Posted on September 12, 2016 at 2:07 PM • 63 Comments

Comments

Carlo Graziani • September 12, 2016 2:18 PM

Heh, must be a slow day in security-land.

A more cost-effective option is a 16-oz mallet, which costs about $5.

Alex • September 12, 2016 2:20 PM

An ECG in hospital, any kind of IoT gadget...
Why do kids like to break windows in abandoned buildings? Because it's fun when you're 8-10-12-14.
Why would someone use it? Because it's fun, and that makes it quite dangerous...

David • September 12, 2016 2:24 PM

I wonder if this would work on a car. How insulated are the automotive computers from the USB port used by the sound system?

Wael • September 12, 2016 2:40 PM

Not too innovative. Easier to plug the USB port directly into a 220/120 V AC socket. I doubt this device works as advertised, though. Pretty dumb.

Michiel • September 12, 2016 2:44 PM

Oh dear...

* Adds all USB equipment to "list of things airlines will no longer allow me to take on board" *

Natasha • September 12, 2016 2:58 PM

I've heard bullet holes aren't too good for laptops either... perhaps we should make them bulletproof?

Roger • September 12, 2016 3:03 PM

This has been around for a while. The big kill-joy is they certainly are not the original engineers of this contraption. Yawn.

hawk • September 12, 2016 3:20 PM

Oh.. NO!

Did you know that a log splitter will totally destroy a hard drive? Don't tell anyone.

Bong-Smoking Primitive Monkey-Brained Spook • September 12, 2016 3:22 PM

@Natasha,

"I've heard bullet holes aren't too good for laptops either..."

Bullet holes used to be good. There was a reason behind the expression: shoot the 'e' key. Hard drives, once upon a time, sat underneath the 'e' key on laptops.

A Mercury injection into an opening works just fine. It'll short out several components and... It'll coat the lungs of any service person with some Mercury fumes! There! You hit two birds with one stone. Oh, that reminds me...

Just pour some corrosive acid on the thing. Or a solution of vinegar, salt, water, lemon juice and some steel wool powder. Ahh, the possibilities! You can also put them in a small soft USB container, too. Just stick it in the USB port and run like hell. When someone tries to take it out, it squirts the concoction into the device. You're free, they're guilty!

Jimmy • September 12, 2016 3:57 PM

@Michiel

Forget airlines... we need general warrants out for these things, so any cop dick and harry can legally stop and strip search anyone on suspicion of carrying a usb key!

Tatütata • September 12, 2016 4:11 PM

Someone could have been flipping a switch behind the camera...

Scary, but seriously, what's the big feat here?

The solutions are known: transformer coupling (the signal is NRZ, if I'm not mistaken), MOVs, fuses, spark gaps, sacrificial circuitry, clamping diodes & crowbars, etc...

The question is: how much protection can you afford?

If someone added a chapter to the USB specification mandating decent surge protection, then the devices would become larger, and Apple will declare USB obsolete with their iPhone 8...

A vandal could sabotage public fondleslab charging stations, but no more than a few devices would be destroyed before someone noticed.

Dirk Praet • September 12, 2016 4:17 PM

@ Bong-Smoking Primitive Monkey-Brained Spook, @Natasha

"I've heard bullet holes aren't too good for laptops either..."

True, but back in the days we used to have a guy who for an experiment shot a hard drive, then took it to his lab and still managed to get a huge amount of data off it. The presentation he did on it earned him the title of Distinguished Engineer practically overnight. Short: if you really want it destroyed, take it apart completely and then shred all the components.

Anonymous Cow • September 12, 2016 4:23 PM

I don't understand why readers of this blog are so dismissive about the danger posed by the USB Kill (or other implementations of the concept). It's true that there are other ways to destroy a computer, but your average office worker is not going to destroy company property for no reason. You can expect, however, that many will plug a USB device of unknown origin into their work computers. Destructive USB devices given away as "freebies" can cause a lot of damage.

Tim • September 12, 2016 6:07 PM

I wonder if it would be more useful to have a phone that sent a high voltage into any device that plugged into it. Border agents decide to scan your phone, but then - oh dear - their computer is malfunctioning...

k15 • September 12, 2016 6:19 PM

At least mention how to protect the device? Or if the only protection is keeping it away from such people?
Does the mythical government citizen cybersecurity agency know about these exploits and have workarounds for them all?

CallMeLateForSupper • September 12, 2016 6:27 PM

@Clive Robinson
"Hmm must be a slow news day..."

So it's not just me. That's reassuring.

4-5 times since the end of last week I read a teaser and thought, isn't this old news?... did I dream it?

I remember only one of those stories: a 3-part(!) regurgitation by The Guardian of the Congressional Intel. Committee investigation of CIA torture. As near as I can tell, the trigger for said 3-part piece was simply that the author of the so-called torture report decided to talk about this thing on-the-record.

By the way, the killer device I saw (~$150?) - unpackaged SMT stick - looks *very* vulnerable to physical damage.

k15 • September 12, 2016 6:28 PM

In a free market, with vulnerabilities like this, the company that outcompetes the others will be the one not subjected to these attacks.
This might mean, the one that pays protection money.
Which strengthens interests that we really don't want to strengthen.
Bruce? Please tell me I have my head up my?

CallMeLateForSupper • September 12, 2016 6:57 PM

@Anonymous Cow
"I don't understand why readers of this blog are so dismissive about the danger posed by the USB Kill"

I think most (all?) of the "mea" expressed here is aimed at the concept. First of all, it's not unheard of, i.e. not new; second, physically destroying things with over-voltage is ... um... kinda lame (in this adult's view anyway).

One could alternatively, and almost as easily, turn a given e-toy into toast by mashing a mains cord into one of its [name-your-interface] ports, but that is not sexy or cool either, just mindlessly destructive.

That said, I would be *very* interested in reading the results of a good study of the effectiveness of over-voltaging each of many representative devices of a range of device types. Not that such a study will ever be conducted.

Nick P • September 12, 2016 7:27 PM

@ Dirk Praet

On opposite end, I heard something similar from a Marine I told about my triple, HD crash. He was deployed somewhere where they carried M-16's in and out of their quarters. He had all his data on an external HD next to his laptop. Another Marine, whose gun had a round chambered, came in and casually dropped his M16 on the table. It went off. I'm sure you can guess where the barrel was facing when it did. He wasn't clear whether he tried (or could afford) a recovery company but said he lost all that data.

I'm not sure whose luck was worse between us. Both were highly-unlikely events. His does make for better WTF effect on average person who could easily picture the event with ensuing rage. Haha.

Note: On other end, there was the soldier whose life was saved because his Toughbook was over his chest when the AK-47 round hit it. Stopped the bullet. People involved with Toshiba clarified this should not be taken to mean it's a replacement for body armor. It's not guaranteed to happen twice. Lol.

Scott Lewis • September 12, 2016 9:14 PM

The guy who mentions nefarious trades tradeshow or vendor free sticks nails why everybody else missed the point with the yawn reaction. Also a disgruntled employee can slap one in someone's desktop casually and walk away. A gun to a hard drive or a sledgehammer... a little less subtle.

Warnin' Zevon • September 12, 2016 10:07 PM

@Scared

Airhead 1 and 2 (Richard Burr (R-NC) and Dianne Feinstein (D-CA)) want to reintroduce their anti-encryption bill.

Yeah, well I want to make a Robert Palmer tribute video with him fronting the mic and her and five other broads in drag queen makeup and tight black dresses backing him up with guitars. It can go something like this....

How can it be permissible
They've compromised all principles, yeah yeah
That kind of crazy's mythical
They're anything but typical
They're a powerful force the lizard people endorse
They're obliged to pitch it twice, 'cause there's no other course
Well, they used to look sane to me, but now I find them
Simply reprehensible, Simply reprehensible

(She's so slimy, there's no tellin' where her ethics went)
(He's such a moron, he knows no other way to go)

They're simply egotistical
Their crazy is transmissible
It's simply unavoidable
The trend is irreversible
Well, they make their own laws, and leave the public in awe
They suck up the applause, I surrender because
They used to look sane to me, but now I find them
Simply reprehensible, Simply reprehensible

(They're unavoidable, I'm backed against the wall
They make me nauseous like I never felt before
They laugh at promises, they're breaking every law
They used to look sane to me, but now I find them
Simply reprehensible, Simply reprehensible)

Trust me, that would go viral.

(As for the USB kill sticks, that sounds like Darwin's gonna take care of anybody dumb enough to plug in a USB stick they don't know and trust the provenance of.)

Kurt Seifried • September 12, 2016 10:40 PM

This is true of anything that plugs in, simply zap the power plug with a taser or similar. Or put some conductive glue into the USB port. And so on. Granted this USB killer thing is easy to leave in the parking lot and trick someone into killing their own stuff. The lesson learned: never plug anything into your computer/etc.

Agent Smith • September 12, 2016 10:50 PM

@Scared

That's not just anti-encryption... it's anti-papershredder/garbagedump/toilet/etc

Geoffrey Kidd • September 12, 2016 10:55 PM

So: safemaker vs. safebreaker

We need two things, then. 1. A USB-port extension cable that can direct overvoltages to ground. It may require a cord of its own to an electrical socket to do this. This is to protect existing ports on people's PCs.

2. Engineer future USB hardware to do for itself what item 1 above does.

Clive Robinson • September 13, 2016 12:26 AM

@ K15,

"In a free market, with vulnerabilities like this, the company that outcompetes the others will be the one not subjected to these attacks."

I think you might have that backward.

The "knowing" use of such a device on another's property is an act of "criminal damage". Arguably the people who designed, built and "put on the market" such a device are running a criminal enterprise as these are not "multi-use" devices like ordinary tools such as knives or hammers. Further they are not specialised tools like insulation or Hi-Pot testers because they are neither calibrated nor instrumented. Worse they are in effect disguised to look like something they are not and are thus much like any other "booby trap" device. Thus I suspect any person of lawful authority would have little difficulty persuading a court that an individual carrying such a device was "going equipped to commit a crime".

Thus whilst they might not be specifically legislated against, they would be illegal devices in many jurisdictions. Which brings about the questions of product liability, fitness for purpose etc about the merchantability of any system that this illegal device might be plugged into. Does the system manufacturer have to design it so that it is proof against "criminal acts", the answer is probably no.

Which brings us around to a "free market" without regulation. In theory such a market responds to a customer's wants only. So if a customer does not want a system proof to this illegal device then it will not sell, thus it will not be made. For a customer to want a system proof to such an illegal device, they would not only have to know of the device's existence but also that the risk it presents cannot be mitigated in less costly ways.

If the illegal device is hardly ever used in the general market, then insurance is likely to be the most cost effective mitigation. However if the use of the illegal device rises the cost increase in insurance will eventually reach a tipping point, where the increased costs of manufacturing systems proof to this illegal device will be less than that of the insurance. Thus in a "perfect" "free market" systems proof to this illegal device would finally appear. The reality however is that the usual "free market" "race to the bottom" in manufacturing systems will prevent such a product arising in a timely fashion if ever.

Further the Fast Moving Consumer Electronics (FMCE) market suffers from an interesting "lead time" issue. A "known want" design to market time is around 18 months, it's longer when designing for a "new want". Thus there can be a considerable time period in which although there is a new want there is no product to satisfy it available. Thus alternative mitigations such as making the use of the illegal device very difficult or ineffective will arise much more quickly, and importantly will be usable on existing systems. Thus even though being a more costly solution it will be the more likely solution. You can see this already with the "surge protector" and power conditioning "UPS" markets...

Peter A. • September 13, 2016 5:01 AM

I think everybody has seen numerous photoshopped (or not?) pictures of cables having some low voltage application plug (such as Ethernet, USB etc.) on one end and an AC mains plug on the other end, advertised as 'foo killer'. So this is no big news in a (not so) facetious device for destroying electronic equipment with over-voltage. Indeed, such activity was a hallmark of nerd kids' play since early days of electronics, including myself. Do you remember the immense fun of 'popping' an electrolytic capacitor? or just any capacitor, transistor, or a small integrated circuit? Or even whole to-be-thrown-away devices or parts thereof?

The news here is that it's a compact and surreptitious device without external or internal power source. Of course, it would be much easier to find a nearby mains socket, plug a power cord cut off some appliance - with bare wires sticking out - and mash the energized wires into any opening in a device's chassis. Alternatively, one could use a re-purposed camera flash circuitry to 'zap' anything, probably with better effectiveness than this little gadget can achieve. But this would be far less easy and inconspicuous than an innocent-looking USB stick.

Molten Ice • September 13, 2016 6:18 AM

Those are what I think about while waiting at the checkout with all those empty USB slots pointed at me.

Chris • September 13, 2016 6:59 AM

"You can expect, however, that many will plug a USB device of unknown origin into their work computers. Destructive USB devices given away as "freebies" can cause a lot of damage."

Even just cheap devices, our official "use this" USB thumb drive worked fine on one computer (Or port?), worked on a Mac but complained "drawing too much current" and reset another computer.

Boris • September 13, 2016 7:03 AM

What about a version that functions as normal USB storage if the stick receives a pre-arranged password from the host in, say, the first 15 seconds after being inserted?

If the password is not received in that time or a sequential read of blocks is detected (indicating an image is being made) then the device self-destructs using the circuitry described above. Unfortunately this might take out the host to which it is attached too. Oh well.

Roger • September 13, 2016 7:14 AM

@Scott Lewis:

"... Also a disgruntled employee can slap one in someone's desktop casually and walk away."

A disgruntled employee can slip with his sports drink [1] on someone's desktop in front of a dozen people, say "Oh, my bad, I'm so sorry", and totally get away with it.

A disgruntled employee who slaps one of these in someone's desktop had better be doing it when there are no witnesses about, because otherwise there is going to be a really straightforward prosecution for criminal damage. Involving exhibits like "camouflaged criminal sabotage device purchased over the internet."

Of course if he is doing it when there are no witnesses about, the opportunities for criminal damage are limited only by his imagination. Many of them offer significantly more inconvenience and dollar value than just killing a PC.

Nope. This device is not even especially useful for well-directed malice. Its only real application is mindless vandalism. Goodbye, public library access. Goodbye, free charging kiosks.

___

1. All the tackiness of sugar plus the electrical conductivity and corrosiveness of electrolytes. Much worse than coffee!

Evan • September 13, 2016 8:19 AM

You don't even need to buy a custom-built USB stick; out of a selection of cheaply made Chinese knockoff articles, at least one will probably be wired badly and short the host device's electrical system out.

No, of course I'm still not bitter about a $5 phone charger cable causing $500 in repairs to a laptop, why would you think that?

BOB!! • September 13, 2016 9:42 AM

The part from the story that I find most ridiculous is "now fits in any security tester's repertoire of tools and hacks". How exactly does it fit in a security tester's repertoire?

Are there companies that hire security testers who say "Oh, please fry some electronics if you find an easy way to do so"? Are there security testers whose contracts say "We will cause property damage to show you your vulnerabilities, rather than telling you about them"?

For a security tester, you want something that highlights the vulnerability in a clear way, and causes no damage (or at least as little as possible consistent with finding the vulnerability). If I'm testing whether people will plug in random USB sticks, plugging it in should either report the information to me (probably using the 5V to power a transmitter, rather than trying to rely on a network connection that might not be there), or announce its presence to everyone nearby (how loud a siren can you power via USB?).

Jim Namespeake • September 13, 2016 10:47 AM

@ Clive Robinson,

"Thus alternative mitigations such as making the use of the illegal device very difficult or ineffective will arise much more quickly, and importantly will be usable on existing systems."

This is about as profitable as tick-tock paradigm goes, which is selling both the problem and the solution, or as the Chinese would say 'killing a bird with two stones.'

"I think you might have that backward."

tock-tick and tick-tock are only slightly different, but stretched out on a longer time line I'm not quite sure if I can tell the difference. :)

albert • September 13, 2016 11:37 AM

@BOB!,
Check out a smoke alarm! USB 2.0 will give you 500mA (3.0 gives 900mA) Imagine a smoke alarm going off on your desk. It'll deafen you, and as a bonus, probably clear the building:)

@Clive,
I was kinda hoping you might expound upon the theory of operation of such a device. I imagine it would apply the HV pulse to the USB 5V supply pins. It needs to generate a high enough voltage and also protect itself. I expect the USB standard also specifies some minimal surge protection...


Ao • September 13, 2016 12:48 PM

So I hate my ex-boss. Real pointy-haired boss. Took credit for all my work. Just sits around surfing the net all day. I've been fired. Yada Yada.

Now if I drop one of these things near his parking spot, labeled as "Porn", and wipe my fingerprints off it beforehand. I mean, I'm out, I'm gone, I'm nowhere to be found. How many computers do you think he'll destroy? He's really not very bright...

On another tack, what happens if I have 5 usb sticks with me, and the police want to search them all, and I tell them one of those sticks is a kill stick, but I don't remember which one.

Wael • September 13, 2016 1:26 PM

I use a USB port. Now I may consider this: http://www.sealevel.com/store/iso-1-seaiso-single-port-inline-usb-isolator-ul-recognized.html?gclid=COXLu8f6jM8CFdU8gQodcnUC9Q not sure it'll provide the needed protection. If I had the time, I would try this 'kill USB device' but I am still skeptical it works. One would need a huge capacitor to do the kind of damage they claim. I'm thinking a half Farad or more. Something like this one: http://www.sonicelectronix.com/item_13573_Rockford-Fosgate-1-Farad-Capacitor-RFC1.html?utm_source=google&utm_medium=cpc&utm_campaign=PLA&scid=scplp3599082&sc_intid=13573&gclid=CNzOms37jM8CFUEbgQode1gCnQ

Bystander • September 13, 2016 1:42 PM

The device is an interesting approach, but there is not much information on the actual energy of the HV pulse applied to damage/destroy the computer.

Computers used in industrial environments are usually better protected. The cost is not _that_ high and the protection can be quite good. Example for USB 2.0 (there are many more brands and the TVS devices are getting better and better):
http://www.semtech.com/apps/product.php?pn=RClamp0554S

I could not find any information on the actual energy that this device applies.
In the case of the signal lines, this is probably the easier part to cause damage.
Concerning the supply voltage the potential for damage is largely reduced when the designer did his job correctly.

This is news for cheap laptops/computers that are hardly protected, but probably less frightening for well-designed USB-ports.

Did anyone actually find information on the energy of the HV-pulses applied by this device?

BOB!! • September 13, 2016 2:11 PM

@albert - I got my start in life as a Navy electronics tech - "how loud a siren?" was a rhetorical question, mostly to point out that if someone wants to be entrepreneurial and make something that security testers can *really* use, they could make something useful and probably make some money by making a USB transmitter or siren.

Jesse Thompson • September 13, 2016 3:17 PM

@Everyone

The reason we are yawning is because the scope of harm that can come from this device is quite pitifully limited. It's on par with developing a communicable bioweapon that kills its ground zero host so fast that it never gets a chance to hop to any other target, even post-mortem.

So you want to plug this into a target to fry it? You're limited to whatever you physically had access to, and you might as well have poured a vial of who-cares-what-kind-of-goo into the port instead. No more nor less difficult to get away with on-camera.

So you want to trick mooks to adopt your stick to fry something? They'll plug it into a mookstation (on which any data you care about is either regularly backed up, or else the mookstation is just a thin client) and cry "oh bother, now we have to spend another $500-$2,000 to replace the broken mookstation".

So why would you do that when you could use a USB that actually appears functional (so no immediate suspicion) but contains a pathogen that can reach beyond the mookstation into the deeper network?

albert • September 13, 2016 4:12 PM

@BOB!!,
Noted. I still like the idea of a laptop that screams like a banshee when it detects bad actors :)

@Wael,
I think the voltage is more critical. An HV spike will destroy some capacitors and definitely blow some ICs. It should propagate through the 5V circuits until it's smoothed and reduced in amplitude. If it shorts a capacitor (or anything that goes to ground), that may stop it sooner than necessary. I don't know how far it would propagate through the USB chips. The simplest fix is surge suppressors at the USB jack. Thorough testing would be laborious and expensive, so that probably wasn't done. It's a bit like testing an EMP device.

. .. . .. --- ....

Clive Robinson • September 13, 2016 4:39 PM

@ All,

The question of how much damage such a device can do is a complex one.

First of all it's not a simple question of output voltage or even energy, because that is very very dependent on what damage happens in what order.

The first thing you might want to consider is that the energy it uses to do damage has to come from the USB hub in the first place... Secondly its output pulse is not likely to come from an avalanche device switching onto a transmission line storage element thus the rise time will not be in the picosecond speed range, nor nanosecond for that matter either. The most likely design would be a capacitor/diode ladder voltage multiplier charging some surface mount capacitor to between 100 and 600 volts and a suitable switching transistor (BJT/FET) with an effective series resistance of 0.1-1.5 ohms.

Thus it is unlikely that it attacks the USB power pin. Modern power supplies tend to be very low impedance and "four quadrant" capable. It might however blow the surface mount filter inductor like a fuse, but that would only stop that particular USB port working.

To do "interesting" damage it would be better if it attacked the USB signaling pins with a ramp pulse designed to get into the actual IC and trigger metastability issues in a way that does not get clamped by the intrinsic diodes in the IC I/O pads.

The thing is that it's only likely to affect the silicon that the USB Hub logic is in, thus the damage would be limited.

Whilst you often hear about "static damage" it rarely happens to devices that are "in circuit" as the relatively low impedance of the circuit will tend to clamp things to safe limits.

I'm not saying that such a device (you can see the circuit of one on Hackaday IIRC) will not do damage, but I suspect in many computers it will be limited, and the actual computer owner might not notice for a while.

Clive Robinson • September 13, 2016 5:02 PM

@ Jim Namespeake,

"This is about as profitable as tick-tock paradigm goes"

Yup... On re-reading the article I noticed what I had not with my original skim read, the USB Killer manufacturer also sells a protection device kind of says it all really...

Wael • September 13, 2016 5:05 PM

@albert,

Like @Clive Robinson said: it's a difficult question to answer without more technical details and testing.

My Info • September 13, 2016 7:58 PM

The cops just busted my door in for some reason and I was trying to save my work on this USB drive, but my computer crashed. I'll have to call the Geek Squad. ...

M. Welinder • September 14, 2016 7:55 AM

My guess as how it works: a voltage doubler. Just charge a pile of capacitors and place them in series. Something along the lines of

https://en.wikipedia.org/wiki/Voltage_doubler#Switched_capacitor_circuits

That explains the voltage, but it's unclear to me how the device can store any significant amount of energy when the capacitors have to fit inside a thumb drive.

In tomorrow's lesson we'll cover how to mix iron filings with starch and a corrosive electrolyte.

Sancho_P • September 14, 2016 10:23 AM

I guess you can’t predict what will be damaged, even when trying on identical machines. Problems may arise days after.

Once we had to destroy a drawer full of uP boards (prototypes) before recycling. A guy from our lab came up with a barbecue piezo lighter. One side connected to GND the sparks flew all over the chips, even through (!) the plastic package. About half of the boards survived, we had to go the (stinky) 230VAC route.

@Wael:
If you want both, protect your USB port and test the Kill Stick, see this simple device (and its price for 50+), I use one with my USB Scope:
https://www.olimex.com/Products/USB-Modules/USB-ISO/

Bystander • September 14, 2016 1:41 PM

@Clive Robinson

Thank you for the additional information.

So this is weakening and destroying the protection device(s) by repeated stress and thus overcoming the limited effect of the individual HV pulses.

Nothing that could not be prevented by a better designed protection (hence the combined offer with the protection device).
Either go for a larger protection device that can stand the higher load or design in a predefined weakness that cuts off the signal lines in a reliable way. Better losing a USB port than the computer...

Wael • September 14, 2016 2:19 PM

@Bystander, @Clive Robinson, @Sancho_P,

"Better losing a USB port than the computer..."

I would have liked to see a more descriptive characterization of the damage inflicted on the computer. Saying "I ordered another motherboard" is so amateurish. What part was blown? This is pure bool sheet. Now where did I put my meter? Uh! There it is: http://prnt.sc/47ej3q

I'm not spending much time on this "attack". It's a localized attack that can't spread or scale very well. Anyone who sticks a foreign USB disk in a device deserves what happens. Sometimes one needs to be bitten (a few times) before a lesson is learnt. Which is worse, killing a computer or exfiltrating sensitive information? It depends...

Bystander • September 14, 2016 3:12 PM

@Wael

A better description of the pulse would be enough information for me.
For me this would be pulse shape, peak voltage, source impedance and repetition rate.
This would help to evaluate the impact on actual protection devices (if present) and the designed victim (SoC-type processor like for laptops).
The only thing I saw was the peak voltage...

I would not call BS, but this device aims at the general weakness of computers designed for low production cost and just the standards compliance that is required for these models. Mind that equipment designed for home and office has comparably low EMC immunity levels. Industrial, telecom and military equipment has higher immunity levels and is less prone to such attacks. It also depends on the designer. I have seen equipment that barely passed for telecom and office equipment.

Wael • September 14, 2016 3:24 PM

@Bystander,

I looked over some USB specifications, and in particular USB-C and VBUS discharge protection recommendations. But what would you expect from a $400.00 computer?

As for the

"For me this would be pulse shape, peak voltage, source impedance and repetition rate."

That's of course helpful, but only covers half the story. We also need to look at various implementations and their susceptibility to those sort of "attacks". It could be as simple as a bypass capacitor or back-to-back zener breakdown diodes, keeping in mind the effects on USB protocol.

Bystander • September 14, 2016 4:12 PM

@Wael

Having reviewed (among other things) USB interfaces for EMC emission and immunity (including the tests and the results) for industrial and telecom applications for ~15y as a small part of my work I would not need more information.

I have seen typical and less typical implementations, but for these kinds of environments you end up with 2-3 typical protection/filtering circuits depending on the IC used.
The protection of the IC I/Os is usually specified using the Human Body Model and this is just useful for the handling in production. There are ICs with internal protection, but I have limited trust in these when you have to deal with higher energies.

If you absolutely want high protection, you could go the three-stage protection circuit (GDT/VDR/TVS) way, but then USB 2.0 is probably the highest speed you could expect, as the protection circuit does negatively impact the signal integrity.

Wael • September 14, 2016 4:42 PM

@Bystander,

Okay, you're not the typical user then. Makes sense. There is one caveat, though. If you design your system to protect against a specific waveform, frequency, rate of discharge,... then you may be vulnerable to the next revision of the killer device. If you are protected against a square wave, the next version may change to a sawtooth or a series of "impulses" (impulse train) or delta functions. Wouldn't it be better to design protection for a general malformed signal injection? This is the difference between wearing an attacker's hat or adhering to security principles -- a subject that often comes up. By the way, you could also "possibly" extrapolate some information based on the description and the pictures and videos they showed.

"protection circuit does negatively impact the signal integrity."

True, there's no free lunch. Securing the system comes with a cost. It's either Security-V-Usability or Security-V-Efficiency (or something else.) They were both discussed a while back here.

Clive Robinson • September 15, 2016 1:03 AM

@ Bystander,

The most critical aspect is the "rise time"; the faster this is, the less chance any protection circuitry has to act.

Even the likes of transorbs and back to back avalanche diodes will not switch as fast as you can blow out the gate / intrinsic diodes etc on the IO pad of a modern SoC.

Thus the question of speed arises in terms of inductance and capacitance prior to the SoC package pin. The problem is that they "store energy" not "dissipate energy" thus it has to go somewhere.

Whilst I do know ways of protecting such inputs they are component rich thus of higher cost than the FMCE products market will support (as I indicated earlier). Thus the solution is a "non-starter" in a "free market". We have seen this in action in the past when it comes to "meeting regulatory requirements". Rather than minimise unwanted energy to meet EMC masks, some suppliers used spare silicon area to make a DSSS system of the master clock frequency. Thereby spreading the energy across a much wider bandwidth rather than actually dissipating it in filter components. Thus they met the EMC masks without the use of comparatively expensive filter components...

Bystander • September 16, 2016 2:32 AM

@Clive Robinson

I doubt that you get faster rise times on a $60 USB stick than e.g. an ESD simulator.
Just to recall: We are dealing with 0.7-1ns @8kV (10%-90%)

I am aware that for these short pulses the thermal capacity of the junction is the limiting factor and that these devices are generally designed to withstand the standard tests with predefined repetition rates. The latter helps a lot to determine the required thermal conductivity of the case.

Let's look at the example I added earlier. In the datasheet you see the resulting waveform when applying an ESD pulse of 8kV directly to the signal line. The resulting short spikes of less than 40V are easy to deal with when the IC has a working internal protection.
This also means that the reaction time of this TVS device is well in the sub-ns range.

Let's presume the USB stick can generate pulses with rising edges in the 10 picoseconds range which would be needed to overcome TVS devices. Note: you can buy such pulse generators, but you would not like to pay for these. The usual field of application for such pulses is TDR measurements on PCBs and for high-speed connectors (usually more for evaluation, because you would prefer a VNA for the real work).
The pulse would start to travel down the short trace to the USB 2.0 connector.
What happens next?
The pulse will be pretty much distorted while travelling along the path provided by the connector because the bandwidth of the connector is not large enough to transmit the higher frequency parts of this pulse (paging Fourier here).
The rising edge of the pulse after the connector will lack the higher frequency elements and is softer - more in the range of the ESD pulse mentioned above.
The protection kicks in...

On longer traces to the intended victim, the losses of FR4 and dispersion will have their way with the higher frequency elements of the pulse.

Maybe try the USB 3.0 path - the bandwidth of the connector is way higher...

The USB stick will work for cheap unprotected (consumerland) devices and probably for a large number of better protected devices unless the failure mode of the TVS diodes being attacked by the longer pulse is conducting with a sufficiently low resistance to short the pulses reliably over a longer time. Then this goes the way of attrition.

The DSSS you mentioned is usually a more simple SSC with a triangle wave modulation. Yes, the use is widespread in consumerland, but not needed when the design is properly done and this does not necessarily mean additional filters. People who want to use high-resolution timers for their application avoid systems with SSC.

You can protect interfaces against a lot of attacks; if you want to protect the system behind these interfaces, the failure mode must be designed to cut off the signal and power lines leading outside.
T1 line protection is a nice example for this approach - MOVs against lightning and fuses in the signal path.
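
The bandwidth argument in the comment above, as an added example that is not part of the original thread: a short simulation of how a band-limited path slows an incoming edge, which is the edge a protection device actually has to react to. The single-pole low-pass model and the three bandwidth values are illustrative assumptions, not measured connector data; the 10 ps and 0.7 ns source edges are the figures quoted in the comment.

```python
import math

def ramp(t, rise_10_90):
    """Unit step with a linear edge; rise_10_90 is its 10-90 % rise time."""
    full = rise_10_90 / 0.8                      # 0-100 % duration of a linear ramp
    return min(max(t / full, 0.0), 1.0)

def rise_after_path(rise_in, bandwidth_hz):
    """10-90 % rise time (s) of the edge after a single-pole low-pass path."""
    tau = 1.0 / (2.0 * math.pi * bandwidth_hz)   # time constant for -3 dB at bandwidth_hz
    dt = min(rise_in, tau) / 50.0                # resolve the faster of the two time scales
    alpha = 1.0 - math.exp(-dt / tau)            # exact one-step update for a held input
    t_end = rise_in / 0.8 + 10.0 * tau
    t = y = 0.0
    t10 = None
    while t < t_end:
        t += dt
        y += alpha * (ramp(t, rise_in) - y)
        if t10 is None and y >= 0.1:
            t10 = t
        if y >= 0.9:
            return t - t10
    raise ValueError("edge never reached 90 %")

def rss_estimate(rise_in, bandwidth_hz):
    """Rule of thumb: rise times add in quadrature, path rise time ~ 0.35 / BW."""
    return math.hypot(rise_in, 0.35 / bandwidth_hz)

# Assumed path bandwidths (illustrative only) and the source edges from the comment.
ASSUMED_BANDWIDTHS_HZ = (0.5e9, 1e9, 5e9)
SOURCE_EDGES_S = {"10 ps generator": 10e-12, "ESD simulator, 0.7 ns": 0.7e-9}

def table():
    """Rows of (bandwidth_hz, source name, simulated rise time in seconds)."""
    return [(bw, name, rise_after_path(tr, bw))
            for bw in ASSUMED_BANDWIDTHS_HZ
            for name, tr in SOURCE_EDGES_S.items()]

if __name__ == "__main__":
    for bw, name, tr in table():
        print(f"{bw / 1e9:4.1f} GHz path  {name:22s} -> {tr * 1e12:7.1f} ps at the clamp")
```

With a narrow path the 10 ps source arrives with an edge set almost entirely by the path, so the protection sees something close to a standard ESD edge; the source edge only starts to matter once the path bandwidth is high.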

TRX • September 21, 2016 7:30 AM

So, it's a cordless USB version of the Bastard Operator From Hell's Ethernet-to-220v patch cord from, what was it, 1994?

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.