[HN Gopher] Explosives replace malware as the scariest thing a U...
___________________________________________________________________
Explosives replace malware as the scariest thing a USB stick may
hide
Author : dgrin91
Score : 74 points
Date : 2023-03-22 18:41 UTC (4 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| snozolli wrote:
| _Police determined that the drive featured explosives but believe
| it didn 't explode because the adapter the producer used didn't
| have enough juice to activate it, Fundamedios said._
|
| Sounds like journalists need USB extension cables that include a
| current and voltage limiter. Maybe just a USB 1.0 dumbed-down
| interface would do it.
| anonu wrote:
| Why even risk it? Sounds like they need an explosives tester..
| Arrath wrote:
| Little robot arm in a blast enclosure to plug the drive into
| an extension cable.
|
| Strangely, it still takes 3 tries for the robot to correctly
| insert the device..
| mgdlbp wrote:
| 1. Plug drive into cable
|
| 2. Plug in other end of cable
|
| 3. ???
|
| 4. !!!
| Khelavaster wrote:
| The Iranians will tell you after stuxnet, USBs with viruses are
| still worse
| golergka wrote:
| The industrial revolution's consequences have finally caught up
| with Moore's Law - explosive storage capacity in a compact
| package.
| antibasilisk wrote:
| Voting by mail is so old school, now we have electronic voting!
| nehal3m wrote:
| The Unabomber Manifesto delivered on a bomb. Meta.
| Arrath wrote:
| Rude/counterproductive not to give the victim enough time to
| read the manifesto tho.
| _gmax0 wrote:
| Tragically poetic.
| vorpalhex wrote:
| What strikes me is that this was intended to scare much more than
| harm. It doesn't seem much actual expertise went into the
| devices, just rdx wired up to 5v from the reports. No shrapnel,
| no boost capacitor.
|
| Wait until someone repeats the trick with an external hard drive.
| jefftk wrote:
| In 2014 I wrote about what's the worst that could happen with a
| malicious USB stick [1] and the first comment was "if we're going
| with physical attacks, it might as well just be a bomb." Well!
|
| [1] https://www.jefftk.com/p/malicious-usb-sticks
| GalenErso wrote:
| Why not a small explosive laced with a chemical weapon like VX
| or sarin?
| klyrs wrote:
| Those seem like they should be pretty hard to come by, but
| there are some toxic gasses that result from not-too-exotic
| chemistry, which can effectively kill with a whiff.
| Arrath wrote:
| While still hard to get ahold old, explosives are generally
| more accessible than legit chemical weapons?
|
| Barring mad scientists with chemistry sets and a grudge. And
| even in such a case it may be safer for said mad scientist to
| homebrew explosives in favor of chemical weapons.
| dogma1138 wrote:
| Making TATP is fairly easy and all the precursor
| ingredients can be easily bought and they are often
| unregulated at all and untracked unless you are looking to
| make a bomb big enough to level a few city blocks.
| philipkglass wrote:
| Explosives are relatively easy to make at home for
| technically minded attackers. Sarin and VX require much more
| difficult-to-obtain chemicals, or several more difficult
| synthetic stages, and are much easier to accidentally kill
| yourself with. The only criminal group I'm aware of that
| actually _made_ their own nerve gas was the Aum Shinrikyo
| group:
|
| https://en.wikipedia.org/wiki/Tokyo_subway_sarin_attack
| Teever wrote:
| What about ricin? I thought that it was relatively easy to
| source from castor beans.
| umeshunni wrote:
| I too watched Breaking Bad...
| 01100011 wrote:
| Reminds me of the old "floppy disk bomb" in the Anarchist's
| Cookbook(which probably doesn't actually work, like most crap in
| the AC).
| jrootabega wrote:
| Interesting and scary as described. But I hope the root cause
| failure here is understood to be in the mail screening process,
| not USB hygiene.
|
| Although accepting only sd cards would probably have eliminated
| this threat.
| gnicholas wrote:
| What type of screening is required to reliably detect this sort
| of danger? Would all newsrooms have them, or do people
| loan/borrow them on an as-needed basis?
| Arrath wrote:
| X-rays and/or explosives sniffer devices. I can't imagine
| many newsrooms at all employ either, except for the biggest
| operations.
| JohnFen wrote:
| Nope. Malware is still a lot scarier.
| tpoacher wrote:
| Great. Another thing I wont be allowed to take on a plane now.
| localplume wrote:
| [dead]
| kneebonian wrote:
| So I'm going to ask a dump question, how much explosive power can
| actually be packed in a USB stick? Is it enough to kill someone,
| or is it about the shrapnel, or is it just some burns on the
| person who plugged it in?
| h2odragon wrote:
| Probably enough to mess up your hand, probably not enough to
| completely remove it. I wouldn't want to count on it for
| rendering a laptop completely irrecoverable; but it'd probably
| do a good enough job most of the time.
|
| A "thumb drive" that's much bigger than an m80 is going to be a
| little suspect anyway, isn't it? some of them things can be
| swallerd now. Don't think any are designed to work after, alas.
| fwlr wrote:
| The first USB thumb drive I could find on Amazon was a Sandisk
| with dimensions of 7 x 41 x 17 millimetres. That gives it a
| total volume of just under 4.9cm3, which would be a maximum of
| 8.5 grams of C4, or just under 1/3 of an ounce. Here's one
| ounce of C4 as a shaped charge punching a hole through a steel
| plate: https://youtu.be/AwyniA5ryhY&t=46
|
| Realistically you couldn't achieve 1/3 of an ounce (that would
| be a thumb-drive-shaped blob of C4), it would be at most half
| of that, and the thumb drive would weigh 5 grams instead of
| half a gram which is probably noticeably odd.
|
| The problem is that a flash drive bomb is going to explode when
| you plug it in, i.e right when you are holding it in your hand,
| and holding an explosive in your hand is the best way to
| maximize the harm it causes. The closest real world example to
| a thumb drive bomb that we have data on is an M80 firecracker,
| we have hundreds of instances of those going off while being
| held in the hand just like what would happen with a thumb
| drive. The M80 has between 2g and 5g of flash powder, which
| causes a _very_ comparable explosion (similar size and speed)
| to what you could practically get from a C4 thumbdrive bomb. I
| don't recommend searching M80 firecracker injuries, it seems
| like it tends to mangle multiple fingers.
|
| So an estimate for a practical thumb drive bomb is that it
| could probably blow off your thumb and a finger or two.
| formerly_proven wrote:
| > believe it didn't explode because the adapter the producer used
| didn't have enough juice to activate it
|
| Crappy cables save lives
___________________________________________________________________
(page generated 2023-03-22 23:02 UTC)