Tuesday, September 27, 2016

'USB Killer 2.0' Shows That Most USB-Enabled Devices Are Vulnerable To Power Surge Attacks

Last year, a Russian hacker demonstrated a “USB Killer.” Once connected, the USB device sendshigh-voltage negative DC through a USB port until it fries the circuitry of the host device. The device was effective, but it never became commercially available.

USB Killer 2.0

Now, a company from Hong Kong is commercializing both a similar device-frying USB stick called “USB Killer 2.0” and a “USB Killer Test Shield,” which helps to test electronic devices against this type of attack.
The company said it had built its own USB killer (version 1.0) internally about a year ago, as well. Due to popular demand, and after seeing that (with the exception of Apple) no other device maker had built-in protections against this type of attack, it decided to commercialize it.

The Hong Kong company, which prefers to be referenced as USBKill.com to English speakers, also noted that other device makers had one year of warnings that such power surge attacks were possible, and that so far it has acted according to responsible disclosure best practices.
“To this day, according to our testing, the only company that releases hardware protected against a USB power-surge attack is Apple, on their Laptop and Desktop ranges. This means - despite adequate warning, and time to respond - the majority of consumer-level hardware manufacturers choose not to protect their customer's devices. We are disheartened by this lack of respect for customers,” said the Hong Kong company in a recent blog post.
“As is standard in the InfoSec industry, we are releasing the USB Killer 2.0 publicly, after one year of disclosure. We hope the attention will force manufacturers to respect a customer's investment in their product, and work to resolve the issue,” added the company.

How USB Killer 2.0 Works

When plugged into a USB port, a "USB killer" device rapidly charges its capacitors from the USB power source. Then, when it’s charged, it discharges -200V DC over the data lines of the host device. The charge/discharge cycle repeats multiple times per second until you remove the device from the USB port. This technique allows the USB Killer to instantly kill any computer or electronic device that has a USB port.

Device manufacturers can buy the "USB Killer Test Shield" to test their products against this type of attack. The device mimics the output functionality of the USB Killer 2.0 device without frying the host. The USB Killer 2.0 can be purchased for $49.95 USD, while the Test Shield can be had for $13.95 USD (free shipping and 50 percent discount for the Test Shield if you buy the two together).

USB Type-C Authentication

The USB Implementers Forum recently announced a new cryptographic authentication protocol for USB Type-C connectors that would stop unauthorized and uncertified devices from connecting to a computer or smartphone.
Steve Benson from USBKill.com agreed that this could solve the issue, but malicious attackers could still find vulnerabilities in the protocol to bypass it. Also, there’s a much easier solution to protect against power surge attacks:
"From my understanding, this proposal would indeed solve the problem - or at least create an additional hurdle," said Benson.
“Nothing would stop a would-be attacker from duplicating a signature - and I would imagine that it would depend on the implementation. If the host device allows any type of communication via the data lines, this could be vulnerable to a power surge.
The ultimate solution, and that which vendors in the enterprise field (and Apple, in the commercial field) - have implemented - is the humble opto-coupler: a plentifully available, cheap component - made exactly for this purpose,” he added.
The USB Killer attack seems reminiscent of the BadUSB exploit announced in 2014 at Black Hat. BadUSB is a firmware exploit, though, but it also left millions of computers potentially vulnerable because USB sticks don’t tend to be updated or patched against such attacks. Manufacturers could fix the USB Killer attack if they added power surge protections to their USB ports, as Benson suggested.
In the meantime, for the all of the existing computers out there that are vulnerable to USB Killer attacks, Benson suggested that users take these steps to protect themselves:
  • Don't trust unknown hardware
  • Use a USB condom (example)
  • Physically cap USB ports, similar to covering webcams

No comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...