The Hacker News — Cyber Security, Hacking, Technology News

Remember Killer USB stick?

A proof-of-concept USB prototype that was designed by a Russian researcher, Dark Purple, last year, to effectively destroy sensitive components of a computer when plugged in.

Now, someone has actually created the Killer USB stick that destroys almost anything – such as Laptops, PCs, or televisions – it is plugged into.

A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95.

How does USB Kill 2.0 work?

As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds.

The USB stick discharges 200 volts DC power over the data lines of the host machine and this charge-and-discharge cycle is repeated several numbers of times in just one second, until the USB Kill stick is removed.

"When tested on computers, the device isn't designed or intended to erase data," the company says. "However, depending on the hardware configuration (SSD [solid-state drive] vs. platter HDD [hard disk drive]), the drive controllers may be damaged to the point that data retrieval is impractical."

"Any public facing USB port should be considered an attack vector," the company says in a news release. "In data security, these ports are often locked down to prevent exfiltration of data or infiltration of malware, but are very often unprotected against electrical attack."

When And For Whom USB KILL Would Be Useful?

USB Kill stick could be a boon for whistleblowers, journalists, activists, and, not to forget, cyber criminals, who want to keep their sensitive data away from law enforcement as well as cyber thieves.

It is like, if you're caught, kill yourself. In the same fashion as terrorists do. Here I mean to kill the data from your laptop if the law enforcement has caught your laptop. And USB Kill stick does the same for you.

However, the company claims to have developed USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB Power Surge attacks and to prevent data theft via "Juice Jacking" attacks.

Video Demonstration

You can watch the video demonstration below by the company that shows USB Kill 2.0 stick in action.


The company claims about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port.

However, the only devices not vulnerable to USB kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on USB ports.

Juice jacking is a type of cyber attack wherein malware installed on a computer can surreptitiously copy data from a smartphone, tablet or other computers using a USB charging port that doubles as a data connection, typically over USB.

While USB Kill 2.0 has been "designed and tested to be safe," the company warns that the USB stick "is a high-voltage device" and is only meant for "responsible adults." Also, the company's website "strongly condemns the malicious use of its products."

USB Kill 2.0 also comes with a USB Protection Shield, called Test Shield, sold for additional $15.70, which is designed to allow testing of the USB Killer stick without destroying the host machine.

A Security researcher has discovered a unique attack method that can be used to steal credentials from a locked computer (but, logged-in) and works on both Windows as well as Mac OS X systems.

In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.

Fuller modified the firmware code of USB dongle in such a way that when it is plugged into an Ethernet adapter, the plug-and-play USB device installs and acts itself as the network gateway, DNS server, and Web Proxy Auto-discovery Protocol (WPAD) server for the victim's machine.

The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed," Fuller explains in his blog post.

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."

How does the Attack Work?

You might be wondering: Why your computer automatically share Windows credentials with any connected device?

That is because of the default behavior of Microsoft Window’s name resolution services, which can be abused to steal authentication credentials.

The modified plug-and-play USB Ethernet adapter includes a piece of software, i.e. Responder, which spoofs the network to intercept hashed credentials and then stored them in an SQLite database.

The hashed credentials collected by the network exploitation tool can later be easily brute-forced to get clear text passwords.

Apparently, to conduct this attack, attackers would require physical access to a target computer, so that they can plug in the evil USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.

You can watch the video demonstration below that shows Fuller's attack in action.
Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home (but not Windows 8), as well as OS X El Capitan and OS X Mavericks. He’s also planning to test it against several Linux distros.

Fuller tested the attack with two USB Ethernet dongles: the USB Armory and the Hak5 Turtle. For more detailed explanation, you can head on to his blog post.

Air-gapped computers that are isolated from the Internet or other networks and believed to be the most secure computers on the planet have become a regular target in recent years.

A team of researchers from Ben-Gurion University in Israel has discovered a way to extract sensitive information from air-gapped computers – this time using radio frequency transmissions from USB connectors without any need of specialized hardware mounted on the USB.

Dubbed USBee, the attack is a significant improvement over the NSA-made USB exfiltrator called CottonMouth that was mentioned in a document leaked by former NSA employee Edward Snowden.

Unlike CottonMouth, USBee doesn't require an attacker to smuggle a modified USB device into the facility housing the air-gapped computer being targeted; rather the technique turns USB devices already inside the facility into an RF transmitter with no hardware modification
required.

Must Read: BadUSB Code Released – Turn USB Drives Into Undetectable CyberWeapons.

Moreover, USBee does not involve any implant in USB firmware and drivers to execute the attack.

"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [RF] transmitting hardware since it uses the USB's internal data bus."

The researchers stress the attack method of USBee is solely based on software, though it has to met certain conditions to execute. They are:

• The protected computer must be infected with the malware, most probably, with the help of an insider.
• Any USB device must be plugged into that infected air-gapped computer.
• The attacker has to be near the compromised device, usually at maximum 3-5 meters.

USBee turns the targeted computer's USB ports into mini Radio Frequency (RF) transmitters by modulating the data fed at high-speed to plugged-in devices.

USBee will then send a string of '0' bits to a USB port in such a way that makes the device generate detectable emissions between 240MHz and 480MHz frequencies, according to Mordechai Guri, one of the researchers.

Now, by writing sequences of '0' and '1', attackers can generate a carrier wave from the rapid voltage changes and then use binary frequency shift keying (B-FSK) to encode useful data.

Since the attack is meant to steal binary data, attackers wouldn’t be able to steal any large files, but could get their hands on keys, passwords, and other small bits of sensitive data stored on the targeted computer.

Also Read: How NSA successfully Broke Trillions of Encrypted Connections.

USBee transmits data at about 80 bytes per second, which is fast enough to steal a 4096-bit decryption key in less 10 seconds.
The USBee malware offers ranges of around 9 feet when data is beamed over a USB thumb drive to 26 feet when the USB device uses a short cable that acts as a transmitting antenna.

The researchers' attack method sounds really impressive, but it's still a theoretical attack that can be deployed in real-world scenarios and be effective.

It's not the first time the researchers at Ben-Gurion came up with the technique to target air-gapped computers. Their previous research of hacking air gap computers include:

• DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
• BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
• AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes;
• Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
• GSMem attack that relies on cellular frequencies.

You can watch a short video of the recent attack given above, while more details can be found in the paper [PDF] titled, 'USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB.'

Two Google engineers have developed a draft version of an API called WebUSB that would allow you to connect your USB devices to the Web safely and securely, bypassing the need for native drivers.

WebUSB – developed by Reilly Grant and Ken Rockot – has been introduced to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG), is build to offer a universal platform that could be adopted by browser makers in future versions of their software.

Connecting USB Devices to the Web

WebUSB API allows USB-connected devices, from keyboards, mice, 3D printers and hard drives to complex Internet of Things (IoTs) appliances, to be addressed by Web pages.

The aim is to help hardware manufacturers have their USB devices work on any platform, including Web, without having any need to write native drivers or SDKs for a dedicated platform.

Besides controlling the hardware, a Web page could also install firmware updates as well as perform other essential tasks.

However, the draft API (Application Program Interface) is not meant to be used for transferring files to or from flash drives.

"With this API hardware manufacturers will have the ability to build cross-platform JavaScript SDKs for their devices," Google engineers wrote in the draft project description.

"This will be good for the Web because, instead of waiting for a new kind of device to be popular enough for browsers to provide a specific API, new and innovative hardware can be built for the Web from day one."

Privacy and Security Concerns

The Google engineers also outlined security concerns.

• WebUSB will include origin protections, like a type of the Cross-Origin Resource Sharing (CORS), to restrict the Web pages from requesting data from other domains except the one from where they originate.

This means a Web page could not be able to exploit your USB device to access your PC, or your important files or any files that your computer or the USB device itself may hold.

• To address the issue of USB devices leaking data, WebUSB will always prompt the user to authorize a website or web page in order to detect the presence of a device and connect to it.

For now, the WebUSB is only a draft of a potential specification, which hasn't been officially adopted by W3C. WebUSB remains a work in progress at the current, though you can check out the full WebUSB codebase on GitHub.