Killer USB Breach Highlights Need For Physical Security

A naïve attempt at revenge has landed a former college student in court facing up to 10 years in prison and a maximum of $250,000 in fines. Vishwanath Akuthota, an alumnus of The College of St. Rose in Albany, New York, pled guilty last week to vandalizing equipment using a malicious USB device.

Akuthota graduated from the college in 2017 with an MBA. He returned on February 14, 2019, with a ‘USB Killer’ key he bought online, designed to destroy computer equipment with an electrical charge.

He inserted the device into 59 Windows workstations and seven iMacs alongside “numerous monitors and digital podiums,” according to his guilty plea.

Akuthota wasn’t exactly stealthy about it. He didn’t try to mask his identity as he vandalized the computing equipment, and Albany police officers could easily match video surveillance footage with known images of him. He also recorded himself along with a running commentary, saying things like “I’m going to kill this guy,” and then, after inserting the weaponized USB key, “it’s gone. Boom.”

The college spent $51,109 replacing the destroyed equipment and at least $7,362 in employee time dealing with the incident. Akuthota must reimburse the money as part of his plea agreement.

The device he used came from a 2015 project by researcher Dark Purple, who dismantled a USB thumb drive and installed an inverting DC-DC converter, along with some capacitors bought from a Chinese website. The converter gets around circuitry that protects USB ports from electrical attacks.

When plugged into a port, the device charges the capacitors to over 100 volts and then discharges the electricity back into the USB port, frying the port and potentially other components including the CPU. It keeps recharging and discharging to ensure success.

Dark Purple didn’t post the schematics for the USB drive online, but within 18 months people sold them online.

One site selling the device explained that most consumer devices are vulnerable, including not just computers but everything from networking equipment to in-flight entertainment systems. It sells adaptors to connect the USB weapon via Apple’s Lightning port, MicroUSB, and USB-C ports.

Many cybersecurity warnings focus on remote attacks delivered over a network, but this case illustrates the dangers of a physical breach. 

A comprehensive cybersecurity strategy should include physical security. Securing access to sensitive areas of the building is important. Installing physical locks for USB, Ethernet and other ports is also a good idea, not only to protect against computer-killing devices like these, but to minimize the risk of data-locking devices and physical malware delivery.
