Exploding USB Sticks

In case you don’t have enough to worry about, people are hiding explosives—actual ones—in USB sticks:

In the port city of Guayaquil, journalist Lenin Artieda of the Ecuavisa private TV station received an envelope containing a pen drive which exploded when he inserted it into a computer, his employer said.

Artieda sustained slight injuries to one hand and his face, said police official Xavier Chango. No one else was hurt.

Chango said the USB drive sent to Artieda could have been loaded with RDX, a military-type explosive.

More:

According to police official Xavier Chango, the flash drive that went off had a 5-volt explosive charge and is thought to have used RDX. Also known as T4, according to the Environmental Protection Agency (PDF), militaries, including the US’s, use RDX, which “can be used alone as a base charge for detonators or mixed with other explosives, such as TNT.” Chango said it comes in capsules measuring about 1 cm, but only half of it was activated in the drive that Artieda plugged in, which likely saved him some harm.

Reminds me of assassination by cell phone.

Posted on March 24, 2023 at 7:04 AM. 19 Comments

Comments

Winter March 24, 2023 8:09 AM

In the port city of Guayaquil, journalist Lenin Artieda of the Ecuavisa private TV station received an envelope containing a pen drive which exploded when he inserted it into a computer, his employer said.

86 journalists were killed in 2022. Remember that people rarely get murdered for lying. When people get killed, it is for speaking the truth.

https://news.un.org/en/story/2023/01/1132507

https://rsf.org/en

Mack March 24, 2023 9:13 AM

@Bruce
Reminds me of assassination by cell phone.

Now that is interesting. Can cell phones normally be made to explode remotely or was that some weird “government replaced” version? Should this be a concern for “regular” people?

Hans March 24, 2023 9:36 AM

@Mack
From the article:

A Hamas informant who reportedly received $1 million and refuge in the United States
helped the Shin Bet smuggle Ayyash’s phone out of and back into Gaza so it could be
turned into a bomb.

So it should only be a concern to you if your death is worth $1 million to someone.

Kent Brockman March 24, 2023 12:23 PM

Putting a strange pen drive in one’s computer is rather a dumb move even if you’re not worried about being blown to hell. Acquiring a virus or trojan payload is a good possibility.

Chelloveck March 24, 2023 12:42 PM

This is going to lead to not being able to carry thumb drives on airplanes, isn’t it? Or maybe we’ll have to separate thumb drives out in clear plastic bags, and no single drive over 3.5 GB will be allowed…

ALT March 24, 2023 2:17 PM

@Kent Brockman
Journalists may need to do this with confidential sources, and the computer might have been air gapped with no writable storage – would not be too dumb.

Leonid March 24, 2023 2:17 PM

@Kent Brockman: “Putting a strange pen drive in one’s computer is rather a dumb move even if you’re not worried about being blown to hell. Acquiring a virus or trojan payload is a good possibility.”

This is complete nonsense, because a virus/trojan is a program that needs to be executed to do harm. So… don’t execute anything from untrusted media (and don’t use OS that does so automatically).

Even rubber-ducky type attacks can be thwarted if you plug an untrusted drive into a device and login to the latter remotely, or use an environment that won’t take input from an unknown device (e.g. MacOS has protection against such attacks).

iAPX March 24, 2023 2:37 PM

@Leonid

You put too much trust into OS level security and behaviours, USB controller firmware security, and generally modern computing platforms security.

And also the inability of your attacker to not have insider information, for example for the exact model of USB keyboard that is available at your job (for example).

In fact if Stuxnet was so efficient, and was also detected on other devices than those targeted, it’s because people were putting trust in the wrong place.
They trusted the USB controllers, they trusted their OSes, they trusted their antivirus, and so on…

It’s very difficult to read a USB Key safely, it involves using low-tech and burner devices.

ALT March 24, 2023 3:44 PM

@iAPX

Yes, firmware is a problem – I should have written “would not be too dumb”.

So, maybe it’s harder to make an exploding CD/DVD?

iAPX March 24, 2023 4:09 PM

@ALT

In fact you need low-tech and burner devices (plural is not an error).

Attacks could come from the USB high-level protocol (and physical too if firmware is backdoored at this level!) targeting firmware and OS, and encapsulated protocols (say keyboard for example) targeting their support on the OS (or a backdoor on USB firmware), so this is at least one step, and a burner device.

Then with full data contained on the USB Key (all blocks), you might still have a Boot-record MBR/GPT/etc. attack, an UFI/UEFI attack, a filesystem attack.
You need a burner at this point.

Then you have files, including one containing all the blocks of the initial USB Key to ensure integrity and ability to analyse and audit, your OS might launch some of them, and if not for your OS, they might be targeting your antivirus, for example Microsoft Defender had a “bug” (we say backdoor in my team) enabling local execution at the highest level.
So another burner device, you should at least convert those files in a safe format that could not be executed as-is in any way.

And it’s just a resume, without further details (16550 UART for example), it is somewhat very difficult to avoid propagating attacks up to your own computer or system.

SoWhatIf... March 24, 2023 5:16 PM

Tech always improves. What takes a shoebox today used to take a suitcase, and tomorrow will take a matchbox.

What stops somebody from putting a USB-hub inside a USB-drive? And also a normal USB drive, hooked up so it all looks clean & right when you plug it in? And also a microcontroller emulated keyboard & mouse, that will power up after a time delay so nobody notices?

Looks just like a regular USB drive, both physically and on your computer. Only now somebody can do anything on your computer that you can do, including type in a computer program and run it.

Malware isn’t the only worry.
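
As an added illustration (not part of the comment above or of the original post), here is a detection heuristic for the device SoWhatIf describes, run over constructed enumeration events. The `UsbEvent` record, the sample events and the finding labels are assumptions made for this example; port paths follow Linux sysfs naming, where `1-2.2` is a device behind a hub on port `1-2`.

```python
from dataclasses import dataclass

MASS_STORAGE, HID = 0x08, 0x03   # USB interface class codes
BOOT_KEYBOARD = 1                # HID boot-interface protocol for keyboards

@dataclass
class UsbEvent:                  # hypothetical record, one per enumerated device
    t: float                     # seconds since monitoring started
    path: str                    # sysfs-style port path, e.g. "1-2" or "1-2.2"
    interfaces: list             # (class, subclass, protocol) from the descriptors

def is_storage(ev):
    return any(c == MASS_STORAGE for c, _, _ in ev.interfaces)

def is_keyboard(ev):
    return any(c == HID and p == BOOT_KEYBOARD for c, _, p in ev.interfaces)

def suspicious(events):
    """Flag (1) one device exposing both storage and keyboard interfaces and
    (2) a keyboard enumerating on a physical port where storage appeared earlier,
    i.e. behind a hub hidden in the stick. Heuristic only: a real keyboard on the
    same external hub as a stick is flagged too, and removals are not tracked."""
    findings, first_storage = [], {}          # root port -> time storage first seen
    for ev in sorted(events, key=lambda e: e.t):
        port = ev.path.split(".")[0]          # physical socket on the host
        if is_storage(ev) and is_keyboard(ev):
            findings.append((ev.path, "composite", 0.0))
        elif is_storage(ev):
            first_storage.setdefault(port, ev.t)
        elif is_keyboard(ev) and port in first_storage:
            findings.append((ev.path, "delayed-keyboard", ev.t - first_storage[port]))
    return findings

# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS = [
    UsbEvent(0.0, "1-2", [(0x09, 0x00, 0x00)]),     # hub hidden in the "stick"
    UsbEvent(0.5, "1-2.1", [(0x08, 0x06, 0x50)]),   # the visible flash drive
    UsbEvent(90.0, "1-2.2", [(0x03, 0x01, 0x01)]),  # keyboard waking up later
    UsbEvent(5.0, "1-4", [(0x03, 0x01, 0x01)]),     # ordinary desk keyboard
    UsbEvent(7.0, "1-5", [(0x08, 0x06, 0x50)]),     # ordinary flash drive
    UsbEvent(9.0, "1-6", [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]),  # both in one
]

if __name__ == "__main__":
    for path, kind, delay in suspicious(SAMPLE_EVENTS):
        print(f"{path}: {kind} (delay {delay:.1f}s)")
```
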

1&1~=Umm March 24, 2023 8:00 PM

@ SoWhatIf…,

“What takes a shoebox today used to take a suitcase, and tomorrow will take a matchbox.”

Whilst tech used to get smaller at a significant rate, other things don’t.

The amount of “bang you get for your buck” or more precisely your mix of chemicals does not increase very much.

Worse even though we do know of chemicals that will release more energy, that does not of necessity result in more bang/blast (thermite for instance). Also those that do release more energy tend to be a lot less stable to the point just sunshine falling on some will cause them to go pop or worse…

Nimmo March 24, 2023 9:56 PM

Maybe the oligarch who runs Ecuavisa should stop supporting Ecuador’s Pinochet, Guillermo Lasso? The people that filthy neoliberal impoverished tend to be quite angry about it.

Nimmo March 24, 2023 10:14 PM

@SoWhatIf that’s already implemented in the ‘Rubber Ducky’, which is a commodity product.

On the other hand- if you’re not careful- maybe the keyboard/mouse payload you program in leaves some obvious traces.. at its simplest, let’s say you program in something that’ll type
WIN+R
powershell
LEFT ARROW
ENTER
PAYLOAD
ENTER
ALT-F4

The aftereffects of that might look a bit odd if it runs at a login screen, instead of on a logged in PC, no? Let alone if CMD and POWERSHELL are blocked from launch by regular users.

I expect that the likes of the NSA and the MSS have implemented similar hardware, but with LoraWAN type radios, and much more capable processors and payloads.

If I was working in the national intelligence services of the African countries that the US is targeting for regime change for refusing to support the war against the people of the Donbass, I’d be trying to find a good way to monitor for things that look like DisplayLink USB video type devices just suddenly showing up and having Windows automatically install drivers at 3am, right as some US ‘diplomat’ arrives and parks outside a government building to relay back to Fort Meade so the creeps there can test different payloads and make sure they don’t leave obvious traces behind by watching the mirrored video… before deactivating the fake video display to make sure it isn’t noticed.

soothsayer March 25, 2023 8:29 PM

5V-Charge! That’s a novelty in itself, and reporter’s first name Lenin- can’t make this stuff up.
Either the cops are clueless that they measure explosives in volts or this is just another one of these made-up news items for a slow day.

Clive Robinson March 25, 2023 10:49 PM

@ soothsayer, ALL,

“Either the cops are clueless that they measure explosives in volts or this is just another one of these make up news items for a slow day.”

I’d go read it again…

As presented above,

“the flash drive that went off had a 5-volt explosive charge and is thought to have used RDX.”

Is the journalist’s / editor’s words, not those of the “police official”. Who they then directly quote with,

“can be used alone as a base charge for detonators or mixed with other explosives, such as TNT.”

The journalist / editor then goes on to make another mistake (1cm).

We’ve seen such issues in the past with journalists basically making statements that are not even close to being scientifically accurate. I’ve even moaned about three or four such journalists on this blog in the past.

R. Cake March 27, 2023 5:30 AM

@Nimmo “the war against the people of the Donbass” …oh wow. Selective perception is a powerful tool indeed – to trick yourself. However, remember that it does not work at all to change reality.

ResearcherZero March 27, 2023 10:32 PM

The article probably references power design of the device. It’s up to the device manufacturer how to implement the design if it wants to add explosives.

Upstream USB connectors supply power at a nominal 5V DC via the V_BUS pin to downstream USB devices.
https://en.wikipedia.org/wiki/USB_hardware#Power

“When a device doesn’t recognize the faster-charging standard, generally the device and the charger fall back to the USB battery-charging standard of 5 V at 1.5 A (7.5 W).”
https://www.pcmag.com/how-to/what-is-fast-charging

https://www.techspot.com/news/52321-usb-30-superspeed-update-to-eliminate-need-for-chargers.html

specifications
https://www.usb.org/documents?search=&type%5B0%5D=55&items_per_page=50

“five Ecuadorian journalists have received USB drives in the mail from Quinsaloma. Each of the USB sticks was meant to explode when activated.”
