USB Kill: Behind the scenes.
Over the last few days, we've had hundreds of people reach out to us to ask about our product, our origins, and our thought process.
Background
USB Kill is produced in Hong Kong, by a team of friends and engineers specialising in the conception, production and distribution of security / audit hardware.
As a security firm, we adhere to the tenets of:
- Responsible disclosure, with adequate time to respond
- Not releasing tools publicly will not prevent use against the public (the bad guys will always get the tools anyway)
Development
After the initial USB Killer of 2015 was presented online, several of our clients reached out to us, and we made and distributed several USB Killers privately. We went through three internal versions before arriving at the version we call "2.0".
One year later, despite the enormous press coverage that the USB Killer had gathered, our internal testing demonstrated that most consumer-level devices are unprotected; an increasing amount of enterprise-level hardware seems to be hardened.
To this day, according to our testing, the only company that releases hardware protected against a USB power-surge attack is Apple, on their Laptop and Desktop ranges. This means - despite adequate warning, and time to respond - the majority of consumer-level hardware manufacturers choose not to protect their customers' devices. We are disheartened by this lack of respect for customers.
As is standard in the InfoSec industry, we are releasing the USB Kill publicly, after one year of disclosure. We hope the attention will force manufacturers to respect a customer's investment in their product, and work to resolve the issue.
Abuse
Inevitably, the subject of abuse has been raised. Similar to responsible disclosure of software vulnerabilities, we believe that hardware companies have a responsibility to their customers to provide adequately protected hardware. Raising awareness of the problem will force companies to do so. As we've seen - Apple is the only company to do this voluntarily - other manufacturers have apparently made the choice to not protect consumers.
Likewise, the InfoSec community has been demonstrating time after time: Do not plug unknown hardware into your computer: [1] [2] [3] [4]
This vulnerability has been in the wild for years: education on both fronts, consumer and manufacturer, is necessary.
Individuals have steps immediately available:
- Don't trust unknown hardware
- Use a USB condom [5] [6]
- Physically cap USB ports, similar to covering webcams
As others have mentioned: the vulnerability, like the tool, is a blunt instrument. Like any blunt instrument, it can be used constructively or destructively. Our standpoint: we strictly forbid abusive use of the tool. If someone uses the tool without authorisation against third-party hardware, just as if they had used any other destructive tool (hammer, brick...) - they expose themselves to full legal liability for their actions. Likewise, the product will not be sold to minors.
So far, we have received overwhelming support from the InfoSec community, and we hope to use funds from this project to continue developing this and other tools.
[1] https://www.us-cert.gov/ncas/tips/ST08-001
[2] http://time.com/4286467/usb-sticks-security-hackers/
[3] https://en.wikipedia.org/wiki/Juice_jacking
[4] http://usbrubberducky.com/
[5] http://syncstop.com/
[6] https://www.usbkill.com/products/usb-killer-tester
[7] http://www.ebay.com/bhp/usb-dust-cover