Picture this: You go to a trade show and you collect your allocation of freebies: T-shirts, hats, USB drives, and so on. You get back to your room or, more likely, you get back to your office and you start sorting out your haul of tchotchkes. You plug one of the nerd sticks into your computer and then this happens:
Suddenly your day has taken a nosedive.
That evil device is the creation of a Russian hacker who goes by the alias of “Dark Purple”. The way it works is simple: Upon insertion into a USB socket, the circuit in the drive sends 220V into the attached device via the signal lines, which is, not surprisingly, a voltage that almost all devices aren’t prepared for. From Dark Purple’s blog post on the hack (originally in Russian, here translated by Google Translate):
The main feature of the new version of the device is increased twice, "output" voltage, it is now 220 (strictly speaking, minus 220). Also in the new version the efforts were aimed at making the device even more compact, as in the first version had slightly modifying the body, so that everything fits. The principle of operation has not changed. Connecting to the USB port starts operation of the voltage converter, which charges the capacitor to 220V. By achieving this voltage converter is switched off and the stored up energy in the capacitor is supplied to the signal lines USB interface. After the capacitors discharge cycle is repeated.
Dark Purple is also nice enough to provide the details of the circuitry.
If your computer got whacked by this device you’d likely not be very pleased but, let’s be honest, unless you're very important and visible and someone is targeting you, the risk of you being attacked this way is minimal.
But what of the USB drive that doesn’t fry your machine but carries malware? We all come back from trade shows, conferences, and training sessions a little worse for wear because we worked too hard, travelled badly, or partied like it was 1999. Under those circumstances, grabbing a USB drive that someone handed you (or that they slipped into your tchotchke tote) and then sticking it into your laptop or desktop will probably occur without a second thought … and if the malware is the weapons-grade code that’s now doing the rounds, you might never know that your machine has been pwned with a rootkit.
So, before you stick a USB drive in your computer stop and think: Could this be loaded with malware? Or worse still, could this nuke my machine?