reader comments 109
Share this story
The commercialised USB Killer, with the top off.
The commercialised USB Killer stick.
It even comes in a pretty case…
The Test Shield device
Last year we wrote about the “USB Killer”—a DIY USB stick that fried almost everything (laptops, smartphones, consoles, cars) that it was plugged into. Now the USB Killer has been mass produced—you can buy it online for about £50/$50. Now everyone can destroy just about every computer that has a USB port. Hooray.
The commercialised USB Killer looks like a fairly humdrum memory stick. You can even purchase a “Test Shield” for £15/$15, which lets you try out the kill stick—watch the spark of electricity arc between the two wires!—without actually frying the target device, though I’m not sure why you would want to spend £65 to do that.
The website proudly states that the USB Killer is CE approved, meaning it has passed a number of EU electrical safety directives.
The original USB Killer prototype.
USB Killer version 1.0, with hand-soldered bits.
Getting slightly more commercial…
The USB Killer is shockingly simple in its operation.
As soon as you plug it in, a DC-to-DC converter starts drawing power from the host system and storing electricity in its bank of capacitors (the square-shaped components). When the capacitors reach a potential of -220V, the device dumps all of that electricity into the USB data lines, most likely frying whatever is on the other end.
If the host doesn’t just roll over and die, the USB stick does the charge-discharge process again and again until it sizzles.
Since the USB Killer has gone on sale, it has been used to fry laptops (including an old ThinkPad and a brand new MacBook Pro), an Xbox One, the new Google Pixel phone, and some cars (infotainment units, rather than whole cars… for now). Notably, some devices fare better than others, and there’s a range of possible outcomes—the USB Killer doesn’t just nuke everything completely.
In the video below you can see that a Galaxy Note 7 loses its USB port (so it can’t be charged), but otherwise remains functional; likewise, a new iPad Pro freaks out while the stick is plugged in, but seems to regain consciousness afterwards.
Curiously, the Pixel is fine when a third-party USB-C converter is used, but using the official Google dongle results in a dead device.
One guy fries a ton of stuff with the USB Killer.
In another video it seems the iPhone 7 Plus suffers a similar fate to the Note 7: the Lightning port is fried, but the rest of the device is okay. You’ll also be glad to hear that the iPhone 4 and iPhone 3GS, connected via a 30-pin dongle, both seem to be immune to the USB Killer.
All told, the company behind USB Killer says that 95 percent of devices are susceptible to a USB power surge attack.
Without taking a fried device apart it’s impossible to say how extensive the damage actually is. When you see the screen go black, and then not return after a reboot attempt, it’s likely that the surge travelled to the CPU or some other core component.
If the victim device was a desktop PC, you might get away with replacing the motherboard—on a mobile or embedded device, diagnosing and fixing the issue is probably going to be more effort than it’s worth.
A better solution, of course, is protecting a system against the USB Killer in the first place, though that isn’t an easy task.
Electrically, the most simple solution is an opto-isolator: a chip that uses an LED paired with a photodiode to physically isolate one electrical circuit from another.
As devices move towards USB-C there’s another possible solution: USB authentication.
Neither of those solutions help protect the hundreds of millions—perhaps billions—of devices in the world with unprotected USB ports, though.
Cars, airplanes, routers, machines that control industrial centrifuges… in those cases, the only real defence is physically capping ports or educating people to never insert unknown hardware.
This post originated on Ars Technica UK