Hong Kong-based company USB Killer believes that “any public facing USB port should be considered an attack vector.”
While ports are often disabled and unusable to the public, they are still vulnerable to an “electrical attack.” To prove the point, the company sells a device, the USB Killer 2.0, which, when plugged into a USB port, it “rapidly charges its capacitors from the USB power lines. When the device is charged, -200VDC is discharged over the data lines of the host device. This charge/discharge cycle is repeated many times per second, until the USB Killer is removed.”
Basically, the device is designed to fry hardware that is not designed to prevent such an attack. Either the company is trying to push the whole industry forward in a manner more secure from such potential attacks, or it is simply capitalizing on the willfulness of miscreants the world over.
The company also sells a pair device that allows the Killer to be tested. This device costs only $14, whereas the Killer itself costs just about $50. The company does not currently sell any hardware that could retroactively aid in the prevention of such attacks.
Since the dawn of the new millennium, the USB port has become ubiquitous in computing. Nearly any given public place will contain a number of publicly accessible ports. A vengeful store employee could easily disable a drug store’s self-service photo kiosk with such a device in seconds. While the attack has always been possible for do-it-yourself hardware hackers and those of a mind, it is now available to anyone with $50 and a shipping address. It is one way to attack a computer system or network without, potentially, being prosecuted under the notoriously harsh Computer Fraud and Abuse Act.
Business owners and kiosk designers, among others who offer any form of publicly accessible USB port, should be watchful for this type of attack in the future. The obvious solution when there is no actual need for the public USB ports is to disable them at the motherboard level. But in the case of things such as kiosks for photo printing, the USB port is a necessity. For such cases, a complete redesign may be in order if the devices are vulnerable. The USB specification offers a number of ways to prevent overflow of voltage in order to prevent it from actually damaging the hardware, according to one source.
As of this writing, the USB killer was out of stock, but new units were expected to arrive on the 14th of September and backorders were being accepted.