It sounds like something out of a B-grade Hollywood plot — a flash drive that you plug into a computer and is capable of destroying it within seconds. Last year, hacker Dark Purple disclosed a USB flash drive designed to fry a modern system as soon as you plug it in. The drive works by discharging -220V through the USB port.
The exact details on how the drive functioned weren’t immediately released. But there’s now a Hong Kong-based company selling a USB Kill Drive 2.0 for just $50. Here’s how the company describes the product:
The USB Kill 2.0 is a testing device created to test USB ports against power surge attacks. The USB Kill 2.0 tests your device’s resistance against this attack. The USB Kill collects power from the USB power lines (5V, 1 – 3A) until it reaches ~ -240V, upon which it discharges the stored voltage into the USB data lines.
This charge / discharge cycle is very rapid and happens multiple times per second.
The process of rapid discharging will continue while the device is plugged in, or the device can no longer discharge – that is, the circuit in the host machine is broken.
The integrated nature of modern SoCs means that blasting the USB controller with -200V the way this drive does will typically cause severe damage, up to and including destroying the SoC. While modern motherboards include overcurrent protection, this typically protects against positive voltage. (The difference between positive and negative voltage is a reference to the voltage relative to the ground). If the voltage source is connected to ground by a “-” terminal, the voltage source is positive. If it connects via the “+” terminal, the voltage source is negative.
The company also plans to sell a USB Kill Tester Shield, which it claims will prevent both the USB Kill device from functioning and protect user data from certain kinds of snooping or intrusion if you hook up to an unknown charging station or other device. This kind of intrusion is known as “juice jacking,” though it’s not clear if this attack vector has been widely used in the real world. There’s not much to say about the Kill Tester Shield at the moment — all of the links on the website to the actual product are non-functional as of this writing. Caveat Emptor is good advice in a situation like this.
The larger question, I think, is whether devices like this pose a threat to the average consumer. Right now, I think they don’t. At $5, it’s easy to imagine someone ordering these in bulk and scattering them just to screw with people in general. At $50 each, you probably aren’t going to stumble over a tiny block of death.
At the same time, however, studies have shown that up to 50% of people will cheerfullyplug in a USB drive they found on the ground without taking precautions for what kind of data or malware might be on the drive. If the USB Kill 2.0 is actually shipping in volume, it’s probably a good idea to revisit that tendency — or at least keep an old computer around for testing.