We have been aware of the threat of USB devices with auto-run malware for some time. More recently, a worse device has surfaced: the USB Killer. This sounds like some fictional device you would see in a movie, but it is real.
It looks like any other USB drive, but seconds after it is inserted into a USB port, its hardware delivers a disabling charge. The USB Killer device charges up an internal capacitor from the 5V power supplied by the USB port. Once the charge reaches a high level (more than 200 volts), the capacitor is discharged back into the port. This process is repeated for as long as the device receives power. The power surge is fatal for most systems. The USB Killer device can then be unplugged and used again and again.
Not only have these devices been designed and tested, you can order one on-line from a Hong Kong company for less than $60. The product is advertised to “test USB ports for vulnerability”. Now at $60 each someone isn’t going to be buying and spreading the devices around, but it is cheap enough that someone up to no good could purchase one and then fry several devices. How often do you see a laptop left unattended for a few minutes in a cafe?
The manufacturer claims “Our tests reveal that more than 95% of all devices using USB ports will be damaged permanently or completely destroyed by a USB power surge attack.” They do go on to say that “To date [August 16, 2016], the only hardware that resisted … tests was the latest model Macbooks which optically isolate the data lines on the USB ports.”
If the evildoer is more creative, they can build their own device. I found one YouTube video where a $3 USB device was purchased on-line, then modified to deliver a killing charge. Explicit “how to” instructions were given on how to weaponize the device.
What makes this scary and dangerous is that a recent study conducted by the University of Illinois, Urbana-Champaign, the University of Michigan and Google indicated that ‘found’ USB drives are often plugged into a computer. In this particular test 297 devices were spread around the University of Illinois, Urbana-Champaign campus. The result was that they found “that users pick up and connect an estimated 45%–98% of the drives we dropped.”
Keep in mind that these USB Killer devices can affect any system with a USB port – computers, TVs, entertainment systems, autos, etc.
How do you protect yourself? If you find a USB drive, do not plug it in!