USB Killer (kukuruku.co)
511 points by skazka16 on Mar 10, 2015 | 190 comments

Someone joked that this would be useful to ensure people won't randomly plug USB drives into their computers. Sounds insane, except that...

"During a stop-over in Hong Kong, he finds a spare USB key in his hotel room. Curious, he inserts it into his laptop. By the time he arrives in Australia, his computer is infected."[1]

This was one of the infection vectors for a large flare-up between the Chinese government and a number of Australian-based mining companies, all well before the Snowden leaks that have only made the world more complex.

Given the choice between frying an employee's USB / computer (small monetary loss) and allowing trade secrets to fall into the hands of competitors / customers (large monetary loss), it's not crazy to opt for the former.

Standard practice has even gone further. A colleague of mine purchases fresh laptops for when he goes overseas and then never uses them again. He doesn't even work in an industry where commercial secrets are common. I'd hope that anywhere that features security implications or commercial secrets would also act at this level.

Perhaps an innocuous version of this, which starts a high pitch whistle, would be useful in a corporate environment. Less destructive but resulting in the same security awareness.

[1]: http://www.abc.net.au/4corners/special_eds/20100419/cyber/

A standard procedure in somewhat-security-concerned firms is that when you travel, you go and get a freshly installed travel laptop (a loaner) from IT dept, use it on the trip, and after the trip, you return it to the department that wipes out everything on the disk and re-images it.

This wouldn't protect against things like firmware-based malware, attacks that major three-letter spy agencies could deploy when they focus on a target, but because there is no absolute security and measures need to be balanced to the threat scenario, this is a model that works pretty well.

>A colleague of mine purchases fresh laptops for when he goes overseas and then never uses them again. He doesn't even work in an industry where commercial secrets are common. I'd hope that anywhere that features security implications or commercial secrets would also act at this level.

IMO that's an overkill. Why not just use ICloak [1] or Tails [2]? They are both Linux distributions which boot from USB stick without touching hard drive, randomize MAC address and give you access to Tor and other goodies.

[1]: https://icloak.org/

[2]: https://tails.boum.org/

Customs officials are agents of another, sometimes hostile, power.

If your risk assessment says you're worried about AoHPs then you can't trust your computer after they've had it in their possession.

What are "AoHPs"?

Never heard the term, but by context I would guess "Attack on Hardware Platform" or some such.

I think the bigger concern (which has been backed up by recent research) is that there are vulnerabilities in the hardware that might be exploited to install malicious software. If that software lives in a BIOS or a hard disk firmware wiping your hard disk will not protect you.

That model may not always work well. At least one country I know of interviews you at your point of departure as to whether your IT department has recently had your laptop in their possession.

Sure they may interview, but how does that make the model not work? The answer is going to be the same every time: of course my laptop is regularly in the possession of the IT support organisation.

> Someone joked that this would be useful to ensure people won't randomly plug USB drives into their computers. Sounds insane, except that...

Hey, didn't an article on USB dead drops get posted yesterday?

> Given the choice between frying an employee's USB / computer (small monetary loss)

That's a good way to start a fire and have a _large_ monetary loss on your hands.

I seriously doubt that you could manage to start a fire from the device in question.

First the total power of the USB port is ~2.5W on average and given the constraints of the device in terms of size (~ a normal USB thumb drive) you cannot realistically store this more than a second or so (e.g. 100V in 1000µF is only 10 Ws).

With 2.5W you can make things hot to touch, but for igniting anything flammable, you'd have to design some thermally decoupled element to dissipate the power, and get glowing hot (e.g. a small coil of resistance wire in a car's cigarette lighter). Unfortunately devices on a PCB are normally very well thermally coupled to said PCB, so the energy spreads fast limiting the temperature of the individual components. Also things on a PCB tend to break at much lower temperatures than what you'd need to ignite anything. Also they will already desolder themselves at ~200 degC.

When I read some of that stuff back in 2010 I was curious why some of the targets didn't try to understand how they were compromised and then publish the details. Especially attacks with such an, errr, tangible vector of infection.

Clearly some attacks are quite stealthy and difficult to characterize, but some are not, and in the 2010-era reporting about Chinese computer espionage against travelers to China many targets seemed to believe that they had confirmed the compromises.

So people could have taken a computer with some extra sensors or logging processes, a different OS than usual, and then publish the results, helping defend similarly situated others, including their own coworkers. If they believe the attacks are pervasive today, they could do this today.

Another option would be to just tell them and not play games with them.

Whilst an option, I feel it's a bad one if security is actually a priority.

Having worked at companies who actually have a high level concern over computer security, telling someone simply isn't enough. Being told is passive. Passive defence and active defence are two entirely different states of mind. Defending against an attack needs to be active and instinctual. Every time you open, close, or set down your laptop, a small part of your brain should be thinking about it. In computer security, a single failure is enough to lose control, so it's useful to have an environment that reflects that.

A simple example is being told to keep your terminal locked. This is a common rule for most workplaces but is usually met with dismal failure. One of the companies I worked at actually made a game out of leaving your terminal unlocked. I can tell you, after a few days of your colleagues kindly laughing at you returning to a screen full of Internet memes, you instinctively Ctrl + L upon standing up, even if it's to walk to the windows to look at the view.

Why is it important I lock the screen even if standing a metre away? My friend walks by whilst I'm staring at the view and invites me to [coffee|walk|game|X]. Security has already left your mind and you head off to do [X], leaving your terminal unlocked. Even worse, your screen might auto-lock in a few minutes, giving you a false sense of security when you return. Even if it was unlocked when you returned, you'd likely get back to work, not realizing your error.

Making security a game is a good way of instilling the practice. Colleagues make for cunning adversaries and make you actively defend yourself. This defence is useful against both pretend threats and real ones. Wargames are wargames for a reason.

> One of the companies I worked at actually made a game out of leaving your terminal unlocked. I can tell you, after a few days of your colleagues kindly laughing at you returning to a screen full of Internet memes, you instinctively Ctrl + L upon standing up, even if it's to walk to the windows to look at the view.

This was unofficial but standard practice at a support center I once worked at. It was a terrible work environment for other reasons, but individual computer security was great because the new guys very rapidly learned that leaving a computer unlocked left you a prime target for background changes, YTMND pages hidden behind other windows, the Dell ctrl+alt+up thing, etc.

A guy in my previous work came to me for help, we did some remote desktop to his machine from mine, only to find a big dick drawn in ms paint by someone... kind of funny, but the guy was a bit shocked and felt embarrassed; not knowing what to do, I simply ignored it as if nothing had happened.

I lock my computer, but on top of that, I run a bluetooth proximity locker, just to cover my ass when I'm not standing by my computer. :)

Won't work.

If they can install they will and it will continue until someone starts firing people over it.

If they cannot install, prepare to get scolded when they cannot install fileshare clients, flash games, "codecs", -you name it: they'll install it if there is even the slightest chance it will let them watch something they wouldn't be able to watch without.

I sometimes have an image inside my head what it would be like if chefs would be like office workers in this regard: sharing their knives with friends and family, drag their knives into the garden, use them to poke in the sink, stir the paint etc.

Best comment from the page: "It needs to have an eInk display to say 128, 129"

Such yes.


I was walking past a tall wooden fence the other day, you know the kind you see outside a building site. As I walked along beside it I heard chanting coming from behind the fence further up... they were chanting numbers, or rather just one number. "Thirteen, thirteen, thirteen, thirteen, ..." they excitedly chanted. It sounded like a small crowd, young and old; men, women and children. All of them saying the same number over and over. As I approached I saw a small hole in the fence just big enough to look through. The hole was right where the sound appeared to be originating from. So, with the crowd continuing to chant "... thirteen, thirteen, thirteen, thirteen" and it seeming to become more intense as I leaned down to place my eye at the hole and work out WTF was happening in there. Just as I put my eye to the hole a small finger like that of a child poked me in the eye and the crowd cheered loudly and started chanting again.. "Fourteen, fourteen, fourteen..."

Someone was waving a bunch of newspapers and yelling "extra! extra! 50 people scammed! extra! extra!".

I went over and bought one. I looked inside, there was nothing about any scam.

Then I hear "extra! extra! 51 people scammed! extra! extra!".

It would be cool to create a version of this that just sounded a really, really loud siren. Then you could leave it lying around the office, and listen out for the bunnies.

Yours is the 2015 version of the 1980s-era DOS app that displayed a fake word processor UI with the top portion of a fake but intriguing letter visible. You would leave this app running and then leave for lunch. An office snoop would see the fake letter and want to read more, then press a key to scroll down, which would activate a siren sound on the PC speaker and display some silly "you're busted" message on the screen.

Especially if it used capacitors or an onboard battery to keep the siren going when someone inevitably yanks it out quickly :)

and of course label it "boss name personal"

On that note, using it as a pentesting device could be interesting. Perhaps just use the "beep" so the auditor can see how many people trust putting anything into their PC, then at the end cite USB killer.

"Losing" USB sticks with a trojan that just phones home and deletes itself seems to be the usual way to do that in pentests.

Interesting, didn't know that. See what happens: people come up with innovative ideas all the time and have no idea they already exist!

I tried to do one better with a small flyback transformer.


Turns out there's not enough clearance in USB ports for tens of thousands of volts.

Nice! But I'm guessing you wouldn't be able to fit that into a size that's comparable with standard USB drive?

Possible at a pinch, the flyback I was using right there was about the size of a walnut. You could lay most of it out flat with the voltage multiplier and encase the whole thing in epoxy for (ha) safety.

I really wanted to go much higher with the voltages, but the amount of noise this thing puts out de-focuses the camera.

You could fit one into a portable hard drive case, though. Presumably along with an electric motor to make the appropriate noises when whoever you really don't like tries to plug it into their laptop.

Could you share the circuit diagram? I am intrigued.

Reminds me of a story I heard many years ago. UK power plugs have three prongs to include earth. If you rewire earth, live and neutral AND alter the plug wall socket to match, then all is well, but if someone steals your PC then plugs it in using a standard wall socket then ouch.

When my grandparents died and we sold their house (in the uk) we had some builders in to tidy up some stuff and they discovered that in a big part of the house the earth was actually wired to live in the sockets. They'd lived with it for 40 years or something. Guess not many devices actually use the earth.

(The wiring was originally done by my grandad's brother - use a professional, people...)

If you're not going to do it professionally, at least use one of these:


(that's US wiring but surely there's a UK equivalent)

Nothing wrong with that device, but it's also nice to know about its big brother:


This tester can simulate a 10A or 15A load and measure voltage drop, which should remain within 5% of its unloaded value (this is the recommendation in U.S. code). This can identify situations where connections are weak, or wires are too long or too thin.

It has also helped me to improve my wiring practices. It turns out that keeping voltage within 5%, under a 15A load on a 20A circuit, is pretty demanding, and a series of (say) 8 or 10 twisted connections may not meet it, if you are not careful with your technique.

The device can also test GFCI outlets by allowing some current to leak to ground. This provides an end-to-end test in situations where the GFCI is not present at the outlet.

I've found earth and live wires mixed in 2 different houses I've lived in. Programmers are not the only ones that do shoddy work :)

I lived in a place where someone managed to swap wires at one of the switchboards. There was no ground (not that uncommon), so the supposed 0 was wired to the ground at the sockets (that's what you should do). What it means with German/French-combo style socket is that phase (+/-230V AC) was wired to metal parts sticking out of a socket or any grounded appliance plugged in.

Everything plugged into affected sockets seemed to work just fine. Even a desktop computer + monitor. We only found out because roommate was getting electric shocks from the metal PC casing.

I used to work in a school where students reported electric shocks from the laptop computers. The "electrician" came and unbelievably, wrapped a wire round the earth pin of a plug, and bolted the other end to a desk. Apparently it solved the electric shock problem which I guess was static.

Or, if you end up forgetting about it or your s.o. moves the laptop from your desk to the other side of the room...

The original story actually relates to a computer running a BBS back in the 90's. The plugs were duck taped to sockets and signs more or less read "do not unplug... ever".

When the place was raided by the police and the computer confiscated, the fun and games began.

The computer was never returned.

UK power plugs also require a fuse, which I believe is not mandatory anywhere else.

They're ugly as hell, and insanely painful if you tread on them, but UK plugs are a bastion of good engineering.

Things like not being able to stick things into the line/neutral holes unless the ground pin (which is longer) is inserted make them very safe, and the plastic lower part of the line/neutral pins to stop you accidentally touching something that will have current running through it until the plug is safely inserted is inspired.

I know Britons love their plugs, and I have never quite understood why. They look brutish, clunky and over-engineered. The opposite of elegant.

The reason why they have fuses is so you can use ring circuits, which saves copper compared to the usual radial wiring. So it's just about saving a little money.

Everyone now gets to state his favourite plug type. Bring it on!

Mine is the Swiss Type J (http://www.worldstandards.eu/electricity/plugs-and-sockets/j...). It's safe, not an eyesore and very space efficient. It's safe against voltage reversal, usually has a protective shroud and the ground pin is contacting first. Well engineered, very Swiss-like.

Does anyone actually care that their plugs are elegant? In any case, your Type J is missing the fact that in the UK, the cables point down towards the floor rather than sticking out, keeping them flush with the wall and often allowing you to hide the plugs behind things.

> Does anyone actually care that their plugs are elegant?

Some people do, I think it's an expression of culture. It's hard not to notice that the Swiss and the Nordic countries (especially Sweden and Norway) value a certain aesthetics. This expresses itself in many things, ranging from architecture to product design, art and the design of public spaces.

There is a reason Swiss typography was big, and why Nordic design is appreciated all over the world. It could only emerge from these cultural surroundings, it's a mindset.

That plug is an expression of British engineering values. It's certainly a very well designed plug, but I also believe the reason why Swiss and Nordic products are more popular than British ones is that they are made with a different approach.

Probably those same values are also the reason why British music is so great, and why Swiss music is... oh well, have you ever listened to mundart-rock? So I'm not saying X is better than Y, there are trade-offs involved.

"why Swiss music is... oh well..."

Reminds me of a favorite recording of Dizzy Gillespie playing with his band at Montreux. It's a pretty reserved audience, and Dizzy, who was renowned for having a lively interchange with his audiences, said while introducing vibe player Milt Jackson:

"So far, you are a typical Swiss audience. Of course, a Swiss audience might not be the greatest audience in the world. But they will do until the real thing comes along."

The last was said mirthfully, pausing to emphasize each word, and the audience chuckles good-naturedly, knowing their limitations.

You're aware that's not real, right?

Uh, of course I am... now. I wasn't.

Swiss person here. The total length of the "plug" part of a Swiss plug is actually roundabout the same as the width of a British plug. They fit just fine behind couches, shelves, etc.

And as seen here (http://www.worldstandards.eu/electricity/plugs-and-sockets/j...) the socket is indented into the wall so less of the cable protrudes beyond the flat surface of the wall.

That's not always the case - but it frequently is, and yes, does make the direction of the cable even less of an issue!

Of course. Did you miss the article yesterday about MacBook going with USB-C? Apple has made bank on just getting people to buy better plugs and cables (USB, Magsafe, Lightning connector, etc.). People also spend tons of money to hide cables when mounting TV screens.

Better is a different thing from elegant, though.

Part of the niceness of the UK plug is that if you pull the cable right out of the housing, the internals disconnect in the safest order. The plug comparison sites I've found don't discuss the internals of the plugs much; does anyone know how other plug types approach this (or do they just ignore it)?

Looking at plugs, I suspect that many get round this by making the housing of the plug much more firmly attached to the cable.

They don't ignore it; Schuko (CEE 7/3) plugs also keep earth connected while live and neutral pins are pulled out. Same is true for the French (CEE 7/5) and Danish (107-2-D1) designs.

That's when you pull the plug out of the socket.

OP is talking about the failure mode when you pull the cable out of the plug - the live and neutral cables are shorter and tighter and will fail first, leaving the earth wire to fail last.

I didn't quite understand the whole concept. The idea in Schuko plugs is that you cannot pull the cable out of the plug. It's totally fixed (either inside solid plastic, or attached with a strain relief that fixes it).

edit: now that I think of it, Schuko plugs of the install-yourself kind where you can attach cable with a screwdriver (not solid plastic with the cable) are done so that the earth cable is longer than L/N are inside the casing.

So are the British plugs. Perhaps pulling the cord out should be called an extreme failure mode?

(It was probably more useful 20 or more years ago, before moulded plugs were common.)

Most combination Schuko/French plugs I've seen recently are even designed in such way that when all wires are same length then the PE one has larger slack inside the plug.

Right, that's what I meant (i.e. the earth wire sticking out of cable end is "unnecessary long" if it is the same length as L/N).

However, it is very unusual if the cable comes loose from the plug casing.

I'm not really a plug fan, but I did find this interesting! https://www.youtube.com/watch?v=UEfP1OKKz_Q

It is, thanks - I didn't know about the additional leeway of the ground cable that's there by design, simple but smart.

I think they're elegant. The cable points downwards rather than just outwards like most others (US/EU). They have a nice finished edge that's easy to grip rather than a moulded piece of angled plastic.

EU plugs also come in variants that point downwards, without sticking out 3 extra centimeters.

See http://www.netonnet.se/ItemImages/koppla-och-anslut/el/el-ka... and http://media.conrad.com/medias/global/ce/9000_9999/9400/9440... The first one there is the most common plug here actually.

Norwegian plugs must be the UK plug's arch enemy, not grounded until the very last, 2 pins (the ground is on either side of the casing) and the sockets are at 0, 45 or 90 degrees (leading directly to exclamations of "Fuuck!" from this Brit).

What fuse/circuit breaker do you put in the fuse panel with radial wiring? It's got to cope with the largest appliance you'll put on that circuit. With British plugs, a low-current device such as a lamp should have a 3 amp fuse, so it blows before the thinner 5A-rated wiring to the lamp melts.

The problem with British plugs though is the rectangular pins. Mechanically, it's simpler to get a good large contact surface area with a circular pin in a circular socket. You do sometimes come across UK sockets which have been slightly damaged and get hot because the contact resistance is no longer negligible.

You're right. We should change an established, proven design to make it prettier. I don't understand why it's taken so long for someone to speak out. Stop the presses!

You're right, when MrBuddyCasino said "I think this design is better than that design", he clearly meant "we should get rid of that design".

Chinese win. Hands down. You can plug nearly anything in to them. http://imgur.com/dgT2mjk

Of course, there's no guarantee what your reward will be, and they maybe aren't the safest.

Very rarely, I miss having reaction faces on HN. Here is a Chinese wall socket, quite a looker:


Very safe theoretically, but in practice (with Malaysian UK-type plugs, full disclosure) I've seen people casually shove pens and even metal spoons in the ground to force the socket to accept their ungrounded laptop plug.

I have done that, when I was young and stupid and didn't have a UK compatible plug. I have also witnessed many people doing it.

You can also trick it by doing a sort of dance with the plug where you partially force in the ground, then one live, then you spin it and put the other one in.

The day we have USB wall sockets can't come soon enough.

Eh, USB carries data, not just power. I don't trust any USB socket that I don't control.

Use a charge-only cable.

I would have to tell my phone not to believe everything some house computer (on Earth or Bespin) tells it. At least with USB, my phone is less likely to mistake the power plug for the data plug, because it's all the same.

> Things like not being able to stick things into the line/neutral holes unless the ground pin (which is longer) is inserted make them very safe, and the plastic lower part of the line/neutral pins to stop you accidentally touching something that will have current running through it until the plug is safely inserted is inspired.

Same in Australia, of course you can still go off and buy an Apple laptop charger with no ground.

I don't know why you singled out the MacBook charger.

The relevant Australian Standard (AS/NZ 3820, I think?) tells you an electrical appliance doesn't need to have an earth pin if it's double insulated, which the MacBook charger, and the stick blender in my kitchen, amongst others, are.

Source: I'm certified for Electrical Test & Tag in Australia.

They are however no safer than Schuko plugs, which are significantly less annoying.

We used to use Schuko plugs here in Ireland, but switched to type G plugs for convenience and trade reasons back in the '60s. I think my grandparents' house still had some Schuko sockets about the place.

Personally, I'm not too bothered either way. I don't find either any more or less annoying as they're both pretty bulky, unless you're using Europlugs, which lack most of the benefits of Schuko plugs.

Still nothing compares in its awfulness to North American plugs. Aussie plugs are similar, but they had the good sense to tilt the prongs at an angle to give the plug better mechanical stability.

I consider Schuko plugs to fall somewhere between the British and the Swiss plug. It certainly is a little too big for what it does, and also hard to unplug. That 16A rating is nice, though.

Schuko plugs are a pain in the ass, because more often than not they require brute force to unplug them (or even just plug them in). Also doesn't help the lifespan of powerstrips.

Being able to plug them in ungrounded Euro sockets is handy, but also makes them less safe.

This is because Post-WW2 UK houses were wired as one giant ring circuit, while in the rest of the world there generally was a fuseboard with every fused circuit connected to a few sockets. This saves wire (copper) but requires every plug to have a fuse.

I do not know if modern UK homes are still wired like this.

In modern times the individual fuse still makes it safer, but it is also one of the reasons UK plugs are so large and clunky.

They definitely shouldn't be.... IANA electrician, but as far as I am aware UK regulations require separate power and lighting circuits and a proper distribution board with RCBs.

And while our plugs may be clunky, I kind of prefer them to the wobbly, spark emitting two-pin plugs that I seem to come across in the US...

Obviously the US plugs are the worst, but that's the price for being the first. PAL was better than NTSC, too.

Being first is no excuse! Britain (and empire) used to use an older design, the current design was introduced in 1947.

India (and other places) still use the older standard, BS 546. That's also used for things like theatre lighting in the UK.

They needn't have been so bad: one small change--tilting the pins at an angle--and they could've been mechanically sound like Aussie ones.

NEMA 5-20 is exactly that. It's somewhat less common, due to the fact that it implies a 20 amp supply. Most plugs and sockets use the 15 amp version.

Aussie plugs are more like NEMA 11 plugs: the prongs are angled to form two sides of a triangle.

You mean NEMA 10?[0] All I can dig up for NEMA 11 are motors.

[0] https://en.wikipedia.org/wiki/NEMA_connector#NEMA_10

You are indeed correct.

I'm not sure the order these were conceived, but it may be that there was already a plug with a similar configuration.


That's some panoply of configurations! It's a pity the most common configuration is the worst of them.

I once encountered a computer that was the opposite of this; plug any USB device into it, and the device would never work again, even in another computer.

We had that recently with FTDI releasing driver update that would instantly brick any device using a counterfeit chip. Which means a lot of devices got bricked, as the manufacturers like to save money...


My computer seems to be doing that on a random basis. I think I should worry.

At work, I encountered a HD which fried SATA ports. If you plugged that HD in a SATA port of another computer, that SATA port didn't work anymore. I don't know if the HD had been damaged by the computer it was originally from, but we didn't use both that HD and that computer anymore.

There have been other stories of "contagious" hardware damage in the past, like the infamous ZIP drive "click of death", but that HD is the first one I've seen personally.

Just had that with a SATA SSD - looks like it had a power bus short and it blew a chip (dual FETs) on the caddy backplane. Lots of smoke.

Usual story: replacement part is about £0.50 and I could replace it in the lab, but postage for one part is £4.

Might see if I can get one as a sample, or from the Far East with 'free shipping'.

Many moons ago, I worked in the education sector and some smart kid ran a paper stapler up a keyboard lead, leaving it full of metal staples. The power short blew an axial fuse on the motherboard. The next user encountered a 'dead keyboard', so they swapped it for the one on the next desk..repeat 6 times before someone realised the fault was travelling with the keyboard...

This reminds me of the Etherkiller page (sending 120 volt to various devices: NICs, HDDs...): http://www.fiftythree.org/etherkiller/

The bus killer on this page is a real work of art, if I remember correctly it kills PCI/AGP/ISA using card covers! (website was down when I clicked)

This gave me a really good chuckle.

Reminds me of one of my favorite "Bastard Operator From Hell" stories: http://www.chinet.com/html/bofh/tradeshow.html

Turns out this is a very old idea. :-)

Haha very witty. Such a cynical outlook on life and people in that article.

Most definitely. There's a whole series of them: http://bofh.ntk.net/BOFH/

If you're feeling ornery, you could fly with one in your hand luggage.

If the TSA or foreign equivalent border security want to scan your devices, it's their look-out.

And then you will probably be charged with trying to hack the U.S. Government and get like 1000 years of Guantanamo time.

Jokes aside... it would be interesting to see what would happen if someone had such nerve.

Use a sharpie to draw a skull and crossbones on one side; on the other, write DANGER.

When they ask you to hand over all personal electronics, point to it and say "that's dangerous".

If, subsequently, they want to know why you were carrying it ... it was so you could fry the USB port of your own laptop if you thought someone had snuck some hardware-level malware into it.

If you tell them NOT TO DO IT and they go ahead and do it, I find it hard to see how a court could convict you of wilfully damaging their forensic equipment.

(To the extent there's any social engineering involved, it simply relies on the tendency of police to ignore or discount unsolicited information from members of the public who are under suspicion.)

Note that they won't be sticking the device in a laptop or desktop PC; specialist forensic imaging machines are used by law enforcement to duplicate data storage devices and maintain a legal chain of evidence. Oops.

This - I'm surprised this isn't the highest voted comment here. Let me buy this, I'll keep a few in my travel bag.

The worst suggestion in the world: make one of these look like one of those USB dead-drops.

I think it's the best idea ever. I mean, seriously, with all those USB-based attack vectors does anyone think plugging your computer to a random USB port sticking out of a wall is a good idea?

It's kind of a snide thing to do, though; every physical interchange medium, or object you might put in proximity to your computer, has physical attack vectors. Optical disks can be weakened so as to become shrapnel inside a disk drive. Magnetic tapes can be replaced with sandpaper and scratch the reader to death. Any cassette media (e.g. floppy disks) can simply be filled with glue—or, better yet, contain a small explosive.

So, there's nothing about USB that makes people especially deserving of punishment if they go using strange ones; there's a base level of societal trust required for the abstraction of a "side-effect-free data storage object" to exist in the first place.

To say otherwise is similar to purposefully driving the wrong way down the road and getting into a 28-car pile-up, and then saying that this is a lesson in how cars are inherently dangerous and people should avoid driving near strangers. The security mindset can only make you so safe; at some point, you have to trust that strangers aren't trying to kill you in order to be able to live your life.

(Though, in this case, you could just avoid all physical peripherals and ask the person to email you the file instead. At least all you can get from that is a virus.)

It's not like that. USB drives are a popular vector for transferring malware both ways. Which means a perfectly good dead drop can become infected when someone who didn't know he had malware plugs his computer in. USB dead drops are not like cars - they're like a bottle of juice chained to a wall, that anyone can drink from and refill it with whatever they want. You don't have to assume malice to expect such a bottle to be a health risk - not everyone who deposits a disease knows he is ill.

Of course I'm joking with my approval for installing boobytrapped dead drops - but the point is, connecting to a random thumbdrive sticking out of a wall sounds like the dumbest computer-related idea ever.

I bet you could get a few thousand of these made for like 10 grand? I'm glad people who just want to cause mayhem aren't competent.

There are straight up isolators, like ADUM4160. For USB2, they're limited to 12mbit/sec though, because USB2 has a single bidirectional (terrible) data line.

Also USB1.1 is (for the most part of the data transmission) differential and bidirectional.



I've often wondered what percentage of those dirt-cheap USB devices sold on eBay are actually trojan horses. Provide a basic functional USB hub at a cut-rate price, but exploit the access to your customer's PC for nefarious purposes. Seems like an easy crime to perpetrate.

This is just one of many reasons why you should not ever stick unknown things in your healthy ports (or your healthy things in unknown ports). Not without protection. Safety first. But I'm a firm believer that people should be able to consent to this kind of behavior if they really wish to.

So how do we make it absolutely safe?

Can a simple device be created that we can plug any USB into and simply receive an indication it's safe and its capacity? How hard can this be?

I'd love something that protects against this, as well as BadUsb.

I've often wondered if there was some condom-like* attachment available that acted as a go-between for the USB port and a connected device that would prevent/mitigate some of the issues with sticking unknown devices into ports.

* There is a device called a 'USB Condom' but it's only for charging purposes, and completely restricts data access.

There are USB opto-isolators, rated for various large voltages/wattages, which basically accomplish this.

The problem is that a stick that you bought is something unknown.

In principle, nothing outside pure mathematics is certain. In practice, a USB stick you ordered from Amazon and just took out of its packaging is far less likely to carry a virus than one you just found lying around.

Cheeky. Are USB condoms really worth it? And do they have any that prevent excess current? (I really like sticking things into ports.)

One could give these out to activists around the world, they seem to be always at risk of getting their electronic devices confiscated by law enforcement.

Women who carry mace might also welcome one of these in their handbags. Or people who keep getting inspected at airports. I'm sure there's a market.

I can already see the marketing slogan: "Stick it to the man" :)

Stick it to anyone who uses your things without permission.

They have it bad enough already without adding felony charges for destruction of government property.

What about putting it in a plastic bag, with a big sticker - "DO NOT PLUG THIS INTO ANY DEVICE." :)

You could even print a disclaimer using bold red letters onto the device itself, people would probably just want to plug it in even more.

If you use a USB hub, would both it and your computer get cooked, or just the USB hub?

Depends on how lucky you are, there's no specific protection for something like this.

Last year, I found a usb key on the ground, almost busted, still I'm too curious to know what's in it so I bring it home. Plug it in, then I learn a little more about the USB protocol as the kernel notifies me there's an "Over-current condition on port 3", just before a tiny bit of smoke emerges from the key.

I would like to see this device on kickstarter :)

It's a USB blotto box: http://cd.textfiles.com/group42/ANARCHY/COOKBOOK/BLOTBOX.HTM

The old school version required a portable generator. Miniaturization at its finest!

The potential damage this implies is ridiculous.

Looks like I'm stocking up on Raspberry Pi-s to deal with my curiosity from now on...

This is so not cool.

Why? Sounds like a way to increase security awareness. Although, I suppose a huge blaring alarm might do just as well. Leave them around your office/parking lot and see who uses them. Then have a chat. Better they plug in a bad device you control vs one carrying a truly malicious payload. (Probably a good idea to attempt to phish employees, too.)

"Oh, look, someone lost a usb stick. Perhaps I can return it to them if I can identify something on it. Oh, it's just done over a thousand dollars damage to me, plus destroyed everything I have done on this computer". I've not found a lost USB stick, but I have found lost wallets and returned them. Thank god they weren't trapped because some dickhead thought it was a good way to 'teach the public in general a lesson'.

Besides, pretty much anything can be characterised as "a way" to increase security awareness, up to and including murder of the victim. The victim's friends and family will be a lot more wary of whatever did the murder - the goal of 'security awareness' has been increased. But "a way" is not the same as "a good way".

Yeah, and randomly hitting people in the head with a bat is a great way to increase concussion awareness, right?

Deciding to put a stranger-USB device in your computer is a thing you do, and decided to do. Getting hit in the head with a bat isn't.

"I'm not a lawyer" etc., but I'm pretty sure that, in many if not most nations with a broadly Western judicial system, the deliberate planting of this device with the intention of causing harm will be illegal. It doesn't matter if the poor fool plugs it in: you knew what would happen. Furthermore it's arguably true that you intended it to happen. Therefore, you're a dick and you're at fault.

No, but it's a great way to increase "don't stick your head where it shouldn't be" awareness!

I dunno, making an innocent-looking object do something dangerous is "not cool" for non-technical items as well.

Say you replace the contents of one of those bright-coloured sticky sweet liquors with a similarly-coloured cleaning fluid? Then leave it in your liquor cabinet, "to teach people to not touch your stuff". I'm not even sure that's legal.

I once heard a story of someone storing their concentrated GHB (a drug, clear liquid), in a vodka bottle. If someone had accidentally poured themselves a shot of that, the consequences would have been pretty bad.

On a similar note, I'm not sure about the US, but in the Netherlands, it's actually illegal to booby-trap your own home. If an intruder gets hurt, you're liable. I don't think this law exists to protect burglars, but instead it is to protect well-intentioned unlucky people from "accidents" caused by terrible and idiotic "security" measures.

Makes me think about the car-alarm in Snow Crash, which delivered a fatal several thousand volts to whoever tried to open it without a key (or maybe it was a flame-thrower, I forgot).

Re: "If an intruder gets hurt, you're liable."


This is called the Castle doctrine, and in the US it varies on a state-by-state basis. I'm not sure if it would cover "booby-traps" or not, since technically you are protecting yourself from an intruder.


That does not cover booby traps, which are illegal everywhere in the US AFAIK.

> Better they plug in a bad device you control vs one carrying a truly malicious payload.

In this case the bad device you control is a truly malicious payload whose damage can be measured in dollars.

Using a usb rubber ducky to take over their computer and write an email to yourself, saying something to the effect that "I was stupid and plugged a random usb key into my work machine" would be much better.

I'd wager that in the US, that would actually be a bigger crime than merely burning out a computer.

There are better ways to increase security awareness than to destroy people's computers.

Well it depends. If you use it for malicious purposes, then yes it is not cool. But if you use it for science, then it's a bit different. I have a spare laptop that is garbage and would love to see what would happen.

I was thinking more along the line of using a raspberry pi personally.

I would like a version that has a small GPS receiver and can send SMS with location information when plugged in. It should work otherwise just like a normal USB. (Could be the size of a USB HDD, for example.)

Well at least the new MacBook won't have a problem with this device.

The machine will become a $2k paperweight if that port is rendered unusable.

Complete opposite.

Won't even be able to charge it after anything happens to that port.

I made a list of other ways USB can be evil: http://www.jefftk.com/p/malicious-usb-sticks

Build this into a DeadDrop (seen on HN yesterday) for added fun.

I believe the original is the Etherkiller:


I understand the concept of the article, a USB device that will fry your laptop by charging and applying high voltage.

But I don't understand the excerpt about the guy writing number 129 on a USB stick and stuff. Why would he plug it in his laptop if he knew it would burn it? And if it was intentional, aren't there easier ways to burn it? Thanks for explaining...

He didn't know. After it burnt his laptop, he decided to pass it on and make it easy for somebody to steal the key and burn their laptop.

I see. Thanks!

Highly unlikely that 129 people in a row respond like that though...

More likely is that someone destroys the USB device in anger, dismantles it, is too shocked to do anything, doesn't interpret the number as a counter, or doesn't want to ruin other people's computer. And, of course, that many people in a row stealing a USB device from a backpack is already unlikely in itself.

Yeah it would have been clearer if he didn't use a power of 2 for his counter's current state. Made me think it had to do with the device's storage capacity.

I'm assuming the original story was actually told as a joke, where the "128" number was intentionally misleading until the punchline at the end where he incremented the number and "paid it forward".

This immediately reminded me of the slightly infamous and almost certainly apocryphal "box" of the phreaking era for supposedly overloading and destroying your adversary's phone, or even taking down the local POTS switch. It was called a urine box most commonly, or sometimes a copper box or assassin box if I recall correctly.

This [1] seems to indicate the urine box and the assassin box were actually different, even though they seemed to achieve similar results. I'd be curious to find circuit diagrams.

[1] http://www.aboutphone.info/lib/phreak/boxes-2.html

Aha, that also reminded me of my favorite name for the thing, the Blotto Box.

What about making it a normal USB drive as well? Let me explain: when one inserts the drive, one gets asked for a password. If you type the wrong password, the USB drive shows you some fake content, and in the background "burns down" everything it can. If you are the owner and type the right password, you can use the USB drive normally.

This is pure evil! (not in a good way)

Pretty cool (and scary!) modern day version of the old anarchist cookbook diskette bombs.

Is there any chance this could be dangerous to the human and not just his device?

If one wanted something dangerous to humans, one could just pack a USB stick full of explosives and use the current from the port as a detonator. I'm sure that's already been thought of before.

Or you could fill it with anthrax. Or dioxygen difluoride. Or chlorine trifluoride. Or Australian spiders. Or African bees.

He's asking because he doesn't want something dangerous to humans. E.g. if someone made these as a prank, and they caused fires and killed people.

I thought I remembered reading something about quite a high profile hack that was carried by infecting computers by people using USB sticks that were strategically left on the floor of a parking lot near their car.

.. worst written article ever

Going to such an extent to add a feature to USB which FireWire has built-in. :p

If any USB mouse, USB keyboard or soon also USB charger is a potential laptop annihilator, then maybe it's something wrong with the USB standard.

Well, anything with an electrical connection to anything else is a potential "annihilator" of that latter thing. It's only USB's ubiquity, and its ability to supply significant current to a downstream device, which are capitalized upon here. (The latter, I concede, is useful in implementing a device destroyer, but a small battery could easily enough replace it.)

The security problems with USB are things that need to be fixed.

I think every other non-optical port on your computer is just as susceptible to electrical attack. The only real difference is that USB provides its own power.

This is a human delivery mechanism for a physical attack. You could make a DVI cable that was covertly a water hose, but that's not a DVI problem.

USB exists in the physical world, of course there are going to be physical attacks (i.e. a crapload of current or voltage) that all physical things are subject to.

What if the voltage kills someone? Is it not too dangerous?

The lesson is not to use/touch USB stuff that doesn't belong to you. A good moral story for a 2nd grader.

Ouch. Not a traditional attack one would expect on a USB port. Would there be any practical protection against this (surge protector, fuse)?

You can buy isolated USB hubs.

Do you think he's tested it?


[meta] Looks like you replied to the wrong item.
