[ALERT] USB Malware and The Kill Stick

Category: Gadgets , Security

Back in August 2014, I wrote about a “Serious Security Flaw In USB Drives.” Short story: it’s possbile to overwrite the firmware of a USB flash drive (or other USB device) so that it injects malware into the host machine when plugged into a USB port. Since anti-malware software can’t check firmware, this type of exploit cannot be detected. And lately, the story has gotten worse. Read on for the scoop on why you should be EXTRA-careful with USB sticks...

BadUSB 2.0 is Coming

For starters, you may want to revisit my article describing the Serious Security Flaw In USB Drives. The vulnerability is not easily fixed because it is inherent in the design of the USB standard. Even if the flaw was fixed today, there would still be billions of potentially dangerous USB devices in circulation.

Plus, there are many USB device makers and each has its own firmware, so fixing this flaw is not as simple as Microsoft issuing a patch for Windows. The entire USB industry would have to draft a new standard, and that takes years. So it hasn’t gotten done, and may never happen.

The discoverers of this USB vulnerability wrote a proof-of-concept malware program called BadUSB. Wisely, they did not release it. But others have taken the BadUSB concept and implemented it in open-source code. In fact, there’s now a pretty sophisticated hardware and software toolkit that might be called BadUSB 2.0.

BadUSB, MalDuino and KillStick

MalDuino is a USB device which emulates a keyboard and has keystroke injection capabilities. It’s based on the Arduino electronic product prototyping platform from which MalDuino takes its name. A “lite” version of MalDuino is small enough to be concealed in a USB drive case. The “elite” version is a bit bigger, and includes a bank of DIP switches that allows the user to select one of several scripts to be injected into the target machine, or to modify the settiings of a single script so that it behaves differently.

Seytonic, the maker of MalDuino, has crowdsourced more than enough funding to start mass-producing the device. While it has legitimate uses, the very name “MalDuino” gives away the real game: making BadUSB-type attacks available even to the technically challenged. Seytonic’s crowdfunding campaign ended in February, 2017. We may see production devices at any time.

New and Improved: The Kill Stick

On a related note, “improvements” have been made to the USB Kill Stick, a terrifying USB drive impersonator that literally destroys any electronic device into which it’s inserted. The Kill Stick conceals capacitors that rapidly charge up from a USB power supply, then discharge all of their electrical energy instantly when plugged in, frying the target’s circuitry. The latest version stores more energy and discharges it at a faster pulse rate - 12 pulses per second - making it even more devastating.

The good news is that an attacker must get his weaponized USB device physically plugged into your computer in order to do harm. If you’re careful about the USB devices you accept, your risk is small. Don’t plug any USB device into your computer that you didn’t remove from its shrinkwrap yourself. Even then, I suppose there’s a tiny chance that a disgruntled employee poisoned the manufacturer’s supply chain. But life is never entirely risk-free.

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 6 Apr 2017


For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 05 April 2017

The Top Twenty
Next Article:
What Data Does Windows 10 Collect From You?

Most recent comments on "[ALERT] USB Malware and The Kill Stick"

Posted by:

Charley
06 Apr 2017

Regarding the kill stick, someone could make a USB dongle that has protective circuitry in it. You plug your suspicious USB device into the dongle. If the device tries to send out a high powered pulse, it might destroy the dongle but not the computer.

Similarly, I suspect someone could design a USB dongle with its own firmware so that the firmware in the suspect device can't affect the computer.

This would all be a little complex but I believe it would be possible.


Posted by:

Mark Neville
06 Apr 2017

Could a buffer device like a special USB hub be created to block these rogue devices? Why has the industry been sitting on their hands about this since at least 2014?


Posted by:

Kevin
06 Apr 2017

Bottom Line: You have to physically insert the stick into your device for it to do harm. Take that USB stick that you found conveniently lying in the parking lot next to your car and put it in the nearest dumpster. That is a trick that has been used by many hackers--targeting specific companies and organizations by sprinkling infected USB sticks in parking lots.


Posted by:

Jim Lowell
06 Apr 2017

How about a USB stick safety checker? Could one be designed similar to the device RVers use to check polarity, etc on RV-park power sources. Could that charge and discharge the capacitors of the kill stick?


Posted by:

Jim Horn
06 Apr 2017

About a year ago, I plugged a new USG thumb drive into my old laptop. POOF! Nobody could fix it. I now have a new laptop.

Would love to see some sort of a device that we can get to simply use to Test our thumb drives to tell if that is a problem unit or not.


Posted by:

John Shalack
06 Apr 2017

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important!

Back in August 2014, I wrote about a “Serious Security Flaw In USB Drives.” Short story: it’s possbile to...

possbile...?


Posted by:

Mikey
06 Apr 2017

Are there any USB devices (assuming new) that are immune to this dlaw - I am thinking about Ironkey.

Thanks


Posted by:

JDow
06 Apr 2017

Um, how about building a Kill Stick Condom?

Fire up a little sacrificial Rasp Pi or Arduino. Connect sacrificial monitor, keyboard, mouse. Do not plug anything else. And don't use a KVM as an easy monitor switch.

Plug in the suspected Kill Stick. Investigate it. If it blows the sacrificial hardware, you got lucky. You did not fry your real machines. If it doesn't know the sacrificial hardware but otherwise looks a little hinky, toss the suspect USB object and consider that you probably got lucky.

THEN plug it into a real computer. You're still not 100% safe. Condoms aren't perfect. But, you have a better chance of being safe. In other words, keep good backups.

{^_^}


Posted by:

Nezzar
06 Apr 2017

Dear Bob,
Thanks very much for the warning. You do a good job of protecting your readers from the newest electronic evils.
And, ignore comments like that from John.You do a great job on your grammar and such, but nobody is perfect.


Posted by:

Phil
07 Apr 2017

Thank you Bob for the info. and warnings. At my age I'm just about to say "to H... with it" and dig out my old Smith Corona portable and my slide rule from my university years......then sell the 3 PC's in the house. Things are just getting too blasted difficult for my 80 yr. old brain. Don't have patience anymore either.

Keep up your good work.


Posted by:

LadyLiberTEA
07 Apr 2017

Bob, per your instructed Kill Stick safety precaution to use only mfr-pkgd USB sticks we open, I'm wondering if that will be true too for BadUSB disseminated only by miscreants in mfg plants?

My take-aways from your article and the always further illuminating commenters for the best protection now until BadUSB disseminates and the counter condom USB niche is marketed:

1. never use a secondhand stick, and keep track of your own;

2. stock up now on sticks before BadUSB disseminates;

3. as always, keep external backups, System Image, and Recovery disks for if a new stick turns out to be a Kill Stick;

4. be insured for pc replacement especially v. Kill Stick.


Posted by:

GeordieLad
07 Apr 2017

Jim Lowell’s idea sounds good and easy. A low value resistor (rather than a short circuit) between the appropriate pins of a dongle USB socket should do the trick – but which pins? Presumably they would be the data lines but it’s conceivable that the USB power lines could also damage a PC if the rogue capacitor charge voltage is significantly higher than 5 volts. Can anyone elaborate on which lines the killer charge is connected?

Earlier I said “low value resistor” meaning not less than 10 ohms because if the rogue charge happens to be on the power lines, one would not wish to short circuit the PC’s internal 5 volt supply if, for example, the killer dongle could be connected to the PC, however unlikely that might be.

Any further thoughts?


Posted by:

Erasmus
07 Apr 2017

Here in NY, over ten years ago, people were using CDs and DVDs as infection vehicles, leaving them in malls, shopping centers, movie theaters, restaurants, and other places. The high end stuff came in sleeves or even “jewel” cases, even with package inserts and labels. Then, six or seven years ago, people began using USB flash drives the same way. Cheap and inexpensive, especially in bulk, and a very effective form of behavioral exploitation.


Posted by:

David Hakala
07 Apr 2017

Erasmus' tale of infected CDs reminds me of rap "artists" who try to give away their homemade CDs to every passerby. Would make a good disguise for a malware distributor. "Hey, free music!"


Posted by:

Frank Delphy
07 Apr 2017

You should be ashamed with your freaking [ALERT] and [WARNING] crap. You scare people for no valid reason other than to make yourself look like some kind of expert. Most of this was copied from other sites, with much less sensationalism. The "Kill Stick" you say that is "new and improved" was "new and improved" over a year ago.

You don't have the cajones to allow this comment to be published. It would expose you for the fraud you are; your newsletter is the "National Enquirer" of phony tech newsletters.

You should be ashamed. You write for your little minions who actually believe what you write.



Posted by:

S.D. Card
08 Apr 2017

How about using a memory card in a card reader instead of a flash drive?


Posted by:

Joe
08 Apr 2017

Thank you for this alert - I've been reading (AND IMPLEMENTING0) a lot of your suggestions and FREE


Posted by:

Joe
08 Apr 2017

Thank you for this alert - I've been reading (and IMPLEMENTING) a lot of your suggestions and free support and most of us don't agree with Frank D. so Keep up the good work.


Posted by:

Gina
10 Apr 2017

I've been looking around because I want to buy that USB kill stick. It would have been nice to use the kill stick to really be sure my old systems data wasn't recoverable before destroying them.

I've recovered complete files from "wiped" hard drives, that kill stick is only as dangerous as the intent of the person using it.


Posted by:

Michael
12 Apr 2017

When did "Frank Delphy" start trolling you, Bob? Maybe he's been around for a while, and I've just missed him? Wonder what his angle is in denigrating you - envy of your longtime online success, a means of making a name for himself in the search engines by coat-tailing your outstanding SERP's, or ??? I'm a longtime follower who finds much of the stuff that you post valuable, or at least interesting, Bob. My only quibble with you is over your pedantic attitude regarding the "proper use of UPPER/lower case". :o))


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.
[an error occurred while processing this directive]


Article information: AskBobRankin -- [ALERT] USB Malware and The Kill Stick (Posted: 6 Apr 2017)
Source: http://askbobrankin.com/alert_usb_malware_and_the_kill_stick.html
Copyright © 2005 - Bob Rankin - All Rights Reserved