This USB stick will fry your computer within seconds

A Russian security researcher known as "Dark Purple" has created a USB stick that contains an unusual payload.

It doesn't install malware or exploit a zero-day vulnerability. Instead, the customised USB stick sends 220 Volts (technically minus 220 Volts) through the signal lines of the USB interface, frying the hardware.

USB Killer 2.0

Dark Purple claims in a Russian-language blog post that the attack is not just limited to computers, but can used to incapacitate almost any equipment equipped with a USB drive.

Want to see the attack in action? Of course you do.

Here is Dark Purple's video, where he demonstrates how USB Killer v2.0 bricking a Lenovo Thinkpad X60 laptop:

Dark Purple says that you shouldn't worry too much about his broken laptop. He claims that "he will live" and a new motherboard is on the way. He thinks it is "extremely unlikely" that the hard disk was damaged, and so it should still be possible to access the data stored on the drive.

That's good news, of course, as the data you store on your computer's hard drive is probably more valuable to you or your business than the hardware itself.

It may also mean that computer criminals, political activists, journalists and whistleblowers, concerned that they might be at risk of having their computers seized, won't attempt to use this particular technique to keep their data out of other parties' hands.

So, there you have it. USB Killer v2.0. Yet another reason not to plug a USB stick of unknown origin into one of your computers.

Want to keep up-to-date with my latest rants about computer security? Join over 50,000 others by following me on Twitter at @gcluley, or subscribe to my YouTube channel.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

54 Responses

  1. Tony Jenner

    October 13, 2015 at 11:17 am #

    Any suggestions as to how to check the veracity of an unknown USB stick if you don't happen to have a stock of "disposable" computers to hand?

    • Recon7 in reply to Tony Jenner.

      October 13, 2015 at 1:27 pm #

      Sure … lick it and see what happens. ( like the old way of "testing" a 9v battery)

      • kashmiri in reply to Recon7.

        October 13, 2015 at 1:45 pm #

        There is no way. The malicious stick is initially "empty", licking won't show any charge. It then gets charged from the USB port over a few seconds, and then releases the stored charge (via voltage upconverter).

        It's a brilliant way of revenge if TSA agents stop you and want to check the content of your USB drive…

        • Perfessor in reply to kashmiri.

          October 13, 2015 at 10:24 pm #

          Ya, getting detained and going to prison instead of finishing your trip to the Carribean is always the best "revenge" on the government, in my experience.

          Mmm-hmmm.

          • Mihaitha in reply to Perfessor.

            October 14, 2015 at 2:31 pm #

            If they find your stick and ask you what's in it, and you insist it's nothing and not try to read it as it will fry their computer, they have no reason to arrest you. Not that they would have a reason to arrest you if you didn't tell them, they don't have a right to go through your digital data.

    • kashmiri in reply to Tony Jenner.

      October 13, 2015 at 1:46 pm #

      There is no way. The malicious stick is initially "empty", licking won't show any charge. It then gets charged from the USB port over a few seconds, and then releases the stored charge (via voltage upconverter).

      It's a brilliant way of revenge if TSA agents stop you and want to check the content of your USB drive…

    • TheNH813 in reply to Tony Jenner.

      October 19, 2015 at 3:44 am #

      A USB isolation transformer. They allow USB signals to be sent, but anything over a certain voltage is blocked. Some of them can protect the computer from very high voltages, some over 30000V protection. http://www.amazon.com/gp/product/B005X9YJ00 This one protects up to 4000V. As you can see, at several hundred dollars, it's not cheap. These are used in industrial applications where equipment might break down and fry the computers controlling them. Obviously in those cases, buying a couple hundred dollar isolation device that can prevent damage many times without even needing replacement is the lesser of the two expenses.

  2. Adrian

    October 13, 2015 at 11:38 am #

    Version 2. comes full of thermite and magnesium powder.

    • mark in reply to Adrian.

      October 14, 2015 at 12:42 pm #

      usb can't melt steal beams

      • Mario in reply to mark.

        October 14, 2015 at 3:01 pm #

        The burns.. they are real!

      • jdubb in reply to mark.

        October 14, 2015 at 5:11 pm #

        Why's it matter if the beams were stolen or not?

        Steel beams, on the other hand, sure.

  3. Rusty Shackleford

    October 13, 2015 at 12:15 pm #

    What happens if the USB Killer was plugged into a USB hub? Would it simply damage the USB hub or would it continue on and damage the computer motherboard?

  4. Charles Indelicato

    October 13, 2015 at 1:37 pm #

    =What happens if the USB Killer was plugged into a USB hub? =

    I would surmise the hub might be damaged to the point that the charge wouldn't reach the motherboard … but I wouldn't test it myself.

  5. Dan Parry

    October 13, 2015 at 1:53 pm #

    A very interesting article. You mention that a hard disk drive should be unaffected and the data still readable. Would this be the same for an SSD, or MSata card?

    • coyote in reply to Dan Parry.

      October 13, 2015 at 4:40 pm #

      The researcher suggested that. It's unknown currently, is what I infer from that text.

  6. Pain

    October 13, 2015 at 1:55 pm #

    In the wrong hands of a student this could wreak havoc on a school

    • Akim in reply to Pain.

      October 15, 2015 at 4:47 am #

      So can a hammer, or a spray bottle of water, and a student can get those items for a buck.

      • Amante in reply to Akim.

        October 16, 2015 at 8:43 am #

        You can't be serious, right? This is much more silent/stealthy meaning it's much more dangerous. You just plug it in, wait, pull it out. It would be way more obvious if you were walking around wrecking shit with a hammer.

    • Matthew White in reply to Pain.

      October 17, 2015 at 8:08 pm #

      that's probably one reason why some places have rules that users may not connect their own devices or the devices must be approved

  7. Spunky

    October 13, 2015 at 2:01 pm #

    Where can I order these? Also, how do these get recharged?

    • TheNH813 in reply to Spunky.

      October 19, 2015 at 3:35 am #

      Actually, the device uses a flyback-style voltage multiplier. Essentially, a very common type of high voltage supply. It's get's it's power from the computer itself, so no recharges ever. Imagine dragging your feet over the carpet, then touching the doorknob. You slowly charge up the longer you do it. Same concept, it takes in power little by little through a voltage multiplier circuit and charges up to 220V using only 5V to start with. Think of it as the opposite of a wall adaptor, wall adaptors take in 120V (or 240V in UK ,Australia, etc), and use a voltage dividing circuit that contains a transformer. Said kind of transformer and driver circuit can be used in reverse to change a standard charger voltage (USB is 5V) and upconvert it to 120V or 240V or anything you can design within physical limits. Then, the USB stick of doom dumps all that power at 220V back into the computer, on the very sensitive data lines, which are only supposed to have 0.4V to 3.3V on them, which obviously is many times it's limit, instantly killing it.

  8. Chris in N.Va.

    October 13, 2015 at 2:05 pm #

    So, a sort of Fatal Phallus which will royally screw the unsuspecting user's computer. Further caution that "Safe Computing" means not being promiscuous with unknown "sticks."

  9. Erick

    October 13, 2015 at 3:02 pm #

    I would've thought the mainboards had some kind of "fuse" on the data line circuit that would actually set off and render the USB port useless but not affecting the rest of the circuitry. Interesting that they don't.

    • Tim in reply to Erick.

      October 14, 2015 at 6:47 pm #

      Fuses protect against high current, not voltage. If the surge is high enough. The fuse may mean nothing. The damage would be instantaneous. Surge protection would be more appropriate.

    • David in reply to Erick.

      October 14, 2015 at 10:15 pm #

      All the signal lines of the USB port (Data +, Data – and the 5V supply) should absolutely have transient voltage suppression (TVS) devices that are capable of absorbing a reasonable amount of energy up to a high voltage – at least 2000 V to allow for static discharge. The concern is whether this inverter device can dump enough energy into the TVS parts to ultimately destroy them. For example, a short burst of 1000 V is likely to be protected against but a continuous 10V could destroy the TVS parts if the current available is high enough. Once destroyed, the port will no longer be protected and circuitry further into the computer could be damaged.

  10. The Doc

    October 13, 2015 at 3:07 pm #

    I would have thought it would only fry the USB controller on the motherboard if it is only supplying excessive voltage into the data lines. They probably did what I was thinking and also once charged send the voltage back up the 5V USB supply. This would fry that regulator and anything that uses the same 5V buss. Don't know if it would make it back to the 5V rail of the power supply. but if it did then it would fry just about everything. There is no real reason to use this unless you really hate someone…Maybe these guys think there is a market for this???
    (And yes if it got to the 5V rail It would also likely fry flash storage devices NVRAM such as SSD's and other USB sticks.)

    • Isaac in reply to The Doc.

      October 14, 2015 at 2:03 pm #

      It would all depend on the hardware you are plugging it into. If it's not USB directly on the MB, then it should blow the controller before it gets that far. But if it's USB Ports directly attached to the MB, it could overload the controller, and fry the entire board.

  11. Really Noone

    October 13, 2015 at 3:39 pm #

    AC couple the Tx/Rx lines though an adapter with a shunt diode. There could be a market for a protection from such a device. An adapter which AC couples the Tx/Rx lines of the USB bus with capacitors for high voltage with a combination of shunt diodes., The drawback would be that the transmission speed could be slightly compromised and USB could move the data at bit lower rate. But for checking and protection against unknown USB drives this would be perfect. Once you know the drive is safe, you can remove the adapter and use it without it.

    This is nothing new. This is an old trick we used back in college in 1990's when USB first came out.

  12. Don

    October 13, 2015 at 3:51 pm #

    Why would anyone design something that does what this does. Don't the have anything better to do with their knowledge. My friend is right, for the most part people are no damn good.

    • Walrus in reply to Don.

      October 14, 2015 at 10:19 pm #

      To fry their own computer.
      It was clearly shown in the video.
      Did you even watch it?

  13. cassiel

    October 13, 2015 at 3:56 pm #

    I've had a Belkin portable USB hub do exactly that to one of my laptops. Didn't require any special hardware at all.

    • David Payne in reply to cassiel.

      December 5, 2015 at 10:29 am #

      Are you sure it was a Belkin? That behaviour sounds more like a Belkar! (From Order of the [USB] stick).

      I had a (different brand) share-USB-peripherals-between-2-computers hub kill the first & only peripheral I attached to it. I hope the shop didn't put it on the bargain table with "changed mind" or similar on the reason for return label!

  14. Peter Mortensen

    October 13, 2015 at 4:01 pm #

    This article is about nothing. It's easy to make a "whatever connector" killer by wiring your AC mains power to the "whatever connector". For example, if you want to blow a 3.5mm audio output, SATA connector, any DC input, Lightning, HDMI, VGA etc. etc. just connect some pins to main power and smoke will come out. If it didn't burn the first time, try some other pins in the connector.
    Also an excellent way to burn speakers is to connect them to the mains power.

    • Tom in reply to Peter Mortensen.

      October 14, 2015 at 10:41 pm #

      Except this isnt charged via mains power (charges over the same USB port its connected to) and is much easier to allow someone else to kill their own computer than passing them a audio jack hooked up to their mains supply.

  15. glen

    October 13, 2015 at 4:38 pm #

    Oh boy, is this great!! (to quote Flounder) :)

  16. chaon

    October 13, 2015 at 5:47 pm #

    Hmm this is bad for cops and other authorities more than anything. Criminals who do cyber crime have one of them mixed in with normal USB sticks and when they go to collect evidence boom fried motherboard.

    • dingo88 in reply to chaon.

      October 13, 2015 at 6:31 pm #

      This won't faze government goons. They'll just use your tax money to buy themselves new motherboards. After a few fried motherboards, they might even get smart enough to start inspecting the innards of flash drives before plugging them in.

    • Trevor in reply to chaon.

      October 13, 2015 at 6:42 pm #

      Fried motherboard yes fried hard drive no they would just have to plug the hard drive into another computer all there files should be intact

    • Willy in reply to chaon.

      October 14, 2015 at 3:19 am #

      Yeah, because everyone knows that cyber labs have only one computer, and once that goes, they get laid off.

  17. chris

    October 13, 2015 at 6:25 pm #

    does this come in a 10,000 volt hard drive version yet?? turn it on and a loud bang.. blame TSA and get new puter.. muahaha..

  18. David Hitchen

    October 13, 2015 at 7:04 pm #

    "It may also mean that computer criminals, political activists, journalists and whistleblowers, concerned that they might be at risk of having their computers seized, won't attempt to use this particular technique to keep their data out of other parties' hands."

    I wouldn't call this a "technique". It's a hardware bomb that fries your motherboard. It costs money to produce each "infection". It doesn't spread. It doesn't produce any financial gain for those who invest in spreading it. My bet is this is the last you will hear of it. I've heard of something much scarier called BadUSB. This technique uses the firmware of a usb device to compromise the security of devices it is plugged into by planting malware.

  19. Jack Straw

    October 14, 2015 at 4:02 am #

    Is there supposed to be a point to this? If it doesn't fry your information, what's it good for?

  20. Jamon

    October 14, 2015 at 1:45 pm #

    So what you could also use a hammer if you have access to the PC and that will do a better job of destroying everything or you could pour a bottle of water in it for the same effect. All show.

  21. BiomedSteel

    October 14, 2015 at 4:43 pm #

    All you need is a USB hub with an inline fuse. Fuse will pop and no harm will come to the motherboard.

  22. The Hollywood Mag

    October 14, 2015 at 7:30 pm #

    Is this a one time use kinda thing or can it be used to fry multiple devices?

  23. William

    October 14, 2015 at 7:45 pm #

    Just a guess – didn't you mean USB <i>port</i>, instead of drive? C'mon old boy, it's a gender issue :)

  24. Name, yeah, so what?

    October 14, 2015 at 7:49 pm #

    Hmm, posted with scripts disabled, no post seems to have occurred. Local scripts now enabled…

    Didn't you mean USB <i>port</i> rather than drive? It's a gender issue :)

  25. Just me

    October 14, 2015 at 7:56 pm #

    @BiomedSteel – Sounds <b>highly</b> unlikely to succeed. The fuse would be on the 5v supply line only. The USB stick puts out the 220v across the Data lines which would not be fused. Don't be so anxious to give out [stunningly bad and VERY expensive] advice :) It's very clear you don't know much about electronics.

  26. Name

    October 14, 2015 at 8:06 pm #

    This site exhibits inconsistent behavior when I try to post comments.

    I use NoScript. First comment (from "William") was submitted, but didn't appear. So I told NoScript to allow scripts from this site. Submitted a repeat of the first comment, THEN the first comment did appear – but not the one I'd just submitted. It still isn't there.

    So I went back to disabling all scripts and submitted another comment in reply to BiomedSteel (don't take his BAD advice!), but it didn't appear either. Too bad – taking his advice will STILL fry your device.

    Let's see what happens to this comment… [click]

  27. William/Name/Just me

    October 14, 2015 at 10:08 pm #

    @The Hollywood Mag – There is no particular reason this should be a "one-time" thing. It is certainly possible that it fries itself as a result of being used, but kind of unlikely. That would be "bad design" – which would make for a poor example of "evil design".

    It comes down to what combination of values are used for voltage, USB internal impedance, target device impedance. These determine the amounts of current that will flow, which in turn is the main determinant of whether the USB fries itself at the same time as frying targets.

    One thing is certain: if the device's designer *chose* such values as to make it re-usable, then it's re-usable.

  28. Matt A

    October 15, 2015 at 2:33 am #

    Add a hidden switch to make it a proper USB thumb drive and you have a great way to make sure nobody reads your data. Only you know where the switch is and you just have to remember to switch it over before you insert.

  29. Mike

    October 18, 2015 at 9:47 am #

    Where can i get this usb
    Pls reply.

  30. Done It Already

    October 22, 2015 at 12:06 am #

    I've done this, although not up to 220v. I was working on pic microcontroller circuits, using an in-system programmer, to control 120v line voltage. My crappy process was to unplug the programmer, then plug into the wall, and I screwed it up twice before I finally got around to redesigning the circuit. I would forget to unplug the programmer before plugging into the wall, and the usb programmer was still plugged into the computer. First time fried my hub and the keyboard dongle plugged into it, as well as the programmer. Second time fried half the USB ports on my PC. The PC (I believe) had 2 controllers on board, and I'm guessing it fried the one that particular port was plugged into.

    So with 120 ac volts, the computer itself survived and is still usable, and the hub protected the computer (although, I could be wrong and misremember that, but I'm not testing it again). Obviously, this would depend on exactly how the hardware is designed, and it's possible 220 or 10000 volts could jump something that 120v can't, but I'd say that you're not even guaranteed to kill the motherboard. In my particular example, even if you turned around and fried the other half of the ports, nothing stops the owner from installing a third-party controller board (as I did) to get usage back for keyboard and mouse.

  31. activistnoise

    August 29, 2016 at 5:19 am #

    I just wrote an article about that kind of device that is now sold by usbkill.com and i had a chat with the people who are selling that. it is very interesting to see that most of the machines with usb will die almost instantly. Seems that only the last macbook resist to that kind of attacks. They market this usb kill 2.0 as a testing tool for hardware developers and pentesters.
    I wonder how many trolls will buy one just for the fun of it … :/

Leave a Reply