Malware isn’t the only toxin you can deliver to a computer via a USB key. Just ask Vishwanath Akuthota, who faces a potential ten-year stretch after frying at least 66 computers at his former college.
Akuthota originally pled not guilty to intentionally damaging a protected computer at the College of St. Rose, in Albany, New York. He then changed his plea, perhaps faced with evidence from the Albany Police Department, who investigated an incident there on 14 February 2019.
Harbouring an unspecified grudge, Akuthota entered multiple computer workrooms on campus and inserted a USB Killer device into their USB ports.
A USB Killer isn’t your granddad’s USB thumb drive. It is an adapted device that can fry an entire computer. Instead of a flash memory chip, its innards contain capacitors and a DC-DC converter that alters the voltage level of a direct current. This is a deadly combination for your average USB port, along with anything attached to it.
Inserting a USB Killer into a USB port causes it to draw an electrical current from the port and store it in the capacitors until the stored energy reaches a certain threshold. Then, the deadly USB stick reverses the charge, dropping all the stored energy back into the USB port at once. The electrical surge can fry the port, along with other electronic components such as the computer’s CPU.
Akuthota bought one of these devices online and delivered its powerful payload to 59 Windows workstations and seven Apple iMacs. He also tried to damage other hardware with it, the complaint against him says.
Not content with frying over $50,000 of computer equipment, the MBA graduate took home a memento, explains the complaint:
> The defendant, using his personal iPhone, recorded himself inserting the ‘USB Killer’ device into computers and other hardware owned by the college, and making statements including, “I’m going to kill this guy,” then inserting the ‘USB Killer’ device into a USB port, and – after destroying the host device – stating “it’s dead”, and, in another instance, “it’s gone. Boom.”
Even if he hadn’t documented his own crime, Akuthota carried out his destructive spree in front of campus security cameras. The cops nabbed him within a week.
The hapless vandal must now pay back $58,471 to the college, covering the cost of hardware replacement and staff time. He also faces a maximum of ten years in prison followed by up to three years of supervised release, along with a potential $250,000 penalty.
“Ex-student records himself using USB Killer to fry college computers”
Of course he did. This scenario doesn’t surprise me anymore, which is kind of sad now that I think about it.
Not that I condone criminal activity, but why on earth do people still record themselves doing this kind of stuff? You’re just creating evidence against yourself. I feel for the IT team that now have to prepare 60-odd workstations rather than actually helping people.
Good article, Danny. But how do you stop such an attack?
Same sort of way you’d protect against any sort of physical vandalism, I guess. For better or worse, that probably includes CCTV surveillance, foot patrols and stop-and-search to the limit set by common decency or by law (whichever is a stricter standard). This bust and the repayment the guy will be making might also act as a bit of a disincentive…
One easy way is to disable the USB ports. That SHOULD turn off power to the device. Considering this is a college, that’s not reasonable, but still– that’s one way. I wonder if a firmware upgrade could identify this and block it.
Disabling the USB ports in the BIOS may shut down the power to them (idk), but disabling them in software (with some sort of AV device control software or device manager) won’t. Might be a case for locking the PCs in a cabinet and just allowing access to the keyboard, mouse and screen, but if someone is determined they could cut the keyboard cable and wire the device in there.
If the device were already charged up before it was plugged in then I suspect the damage would be done instantly anyway – disabling the USB port via software doesn’t isolate the USB port’s power traces from the motherboard…
So I suspect, as you say, that you can’t protect a computer from this sort of thing *logically* but only *physically* – in much the same way that getting the operating system to unload the keyboard driver won’t protect your laptop from someone whacking the physical keyboard with a hammer.
There’s at least one laptop out there that protects vs this by having the USB controller connect to the motherboard via an optical data connector. Can’t find the model, I’m afraid. I guess it never took off because of the prevalence of hammers.
Replying to myself: they’re Apple devices. Recent MacBook and Airbook Pro devices are immune to this attack. The rest of the world has to just accept it.
Thank you! I’d suggest a defence-in-depth approach. Securing the physical space with keycard-based entry and a guard would help stop people like this getting to the machines in the first place, but it wouldn’t stop authorized students and personnel who might also do something like this. You can buy physical locks for USB devices which would be another useful and relatively cheap approach. This is all just a risk reduction approach, mind. Nothing is ever 100% secure.
Well, it seemed like a good idea at the time.
No video? Come on…
I got one of these to see how they work, and used them on computers that were scrapped with the owners’ permission last year.
Manufacturers need to include power regulation on the USB ports that would stop this from happening.
> Ex-student records himself using USB Killer to fry college computers
I’ll take “Dumbest thing I did all day” for $1000, Alex.
Would Sophos Peripheral control activated help in this situation?
The thing is, this isn’t a USB peripheral, it’s just an electric shock machine with a USB-shaped plug on the end. It doesn’t gracefully announce itself as a USB device of the “power killer” sort – it just dumps a big power surge down the wiring in the port.
(If you plug a rechargeable bike light into a USB port it doesn’t show up as anything – it just starts charging. In fact, the power wires are slightly longer than the data wires so that a regular device gets powered up early in the connection process.)
Albany State Police? Last I checked, Albany was the capital of the state of New York, not a state unto itself.
“Albany State” as in “Albany State University”, I think, not as in “a state called Albany”.
This was a slip of the brain at my end. The complaint says the ‘Albany Police Department’ and the attack didn’t happen at Albany State University, so we should amend the text to reflect that. My apologies. You edit your own article four times before posting and still something slips through…
Fixed, thanks.