Oh, The Humanity: You Can Now Instantly Kill A Computer For $50

I recently took an interest in home defense—y’know, just in case. Inspired by a friend who lives way out in the country and keeps a Louisville Slugger in an umbrella stand by his front door, I decided to go the baseball bat route. While shopping for one on Amazon, I came across a line of polypropylene bats—some of which were a good 5” shorter than a regulation bat—made by Cold Steel. The company-provided description is laughable: in their words, coaches were coming to them looking for an “indestructible” bat, so they made them one that’s great for playing ball and can “even be used for self-defense.” It became immediately apparent, despite the ad copy, that this was a bat made for breaking skulls and kneecaps. It’s much heavier than a normal bat and is probably useless for baseball, and Cold Steel’s other products include brass knuckles, knives, machetes, blowguns, and tomahawks. I’m assuming the baseball shtick is for liability purposes.

I had the same thought when I recently read about a new commercialized version of the USB Killer, a “device designed to [test] the surge protection of electronics to their limits—and beyond.” An anonymous hacker going by the name Dark Purple developed the device last year, but the appropriately named company USBKill.com launched the €50 commercial product this fall. Most tech pundits seriously doubt the USB Killer’s advertised use: just as Cold Steel bats are covertly intended to whack people, the USB Killer is actually a weaponized USB stick designed to fry the crap out of unprotected electronics.

Hardware-wise, the USB Killer is relatively simple. As soon as it’s inserted into an unprotected port, a DC-DC converter draws power from the host device and stores it in a capacitor bank. When the bank reaches a -220 V potential, the Killer blasts the stored power into the host’s USB data lines. Unless the host is protected against overvoltage, the USB Killer will disable anything from the port itself to the entire hardware system. As this video shows, devices handle the overvoltage differently, and many newer phones and computers are completely immune to it.

Obviously, this device will probably see malicious use more often than not. One could imagine a punk kid frying his entire school’s electronics inventory, or a disgruntled employee doing the same to an unsuspecting employer. I could be wrong, but the “use this device to test for overvoltage protection” angle seems like a load of BS to cover the manufacturer’s behind. And the damage isn’t limited to $2,000 laptops—the rise of the IoT and increased connection means that more and more devices, including the majority of cars on the road, have USB ports and could easily suffer major damage. Hackers could easily disable necessary infrastructure like life-support machines or air traffic control systems for about $50. Imagine if the Killer was plugged into a USB power adapter and connected to mains.

USB sticks have long been covertly used for malicious activities. Malware-infected thumb drives look benign but can spread worms like wildfire, whether intentionally or not. USB drives were supposedly the first delivery method for the high-profile, controversial Stuxnet worm until its progenitors developed more sophisticated methods. The only true defense against malicious USBs is to either cap ports or train users to never, ever accept or insert unknown hardware. But the potential damage from giving the USB Killer to an unwitting accomplice is still the stuff of nightmares.

Image credit: John / CC BY 2.0