Insider Cybersecurity Breach Underscores Need for Physical Security

While the majority of cybersecurity attacks originate remotely, one recent story illustrates how an insider attack can easily wreak havoc on an organization.

In February 2019, Vishwanath Akuthota, an MBA alumnus at The College of St. Rose in Albany, New York, returned to campus for the sole purpose of destroying the college’s computers. His weapon of choice? A “USB Killer” flash drive device that looks similar to a USB thumb drive, but which sends high-voltage power surges into the device it is connected to, thereby damaging its hardware components.

Akuthota inserted the device into 59 Windows workstations, seven iMacs, as well as numerous monitors and digital podiums, according to his guilty plea.

Amazingly, Akuthota didn’t try to mask his identity as he vandalized the college’s computers, and Albany police officers easily matched video surveillance footage with known images of him. He also recorded himself destroying the equipment, saying things such as, “I’m going to kill this guy” just before inserting the USB Killer and, “It’s gone, boom,” immediately after.

About the USB Killer

The USB Killer device used in Akuthota’s attack originated from a 2015 project by Russian security researcher DarkPurple (by which he is known), who re-engineered a USB flash drive so that it transmits a negative 220-volt charge into the signal lines of the USB port, which then destroys the motherboard. The device can “fry” a computer within seconds of being inserted into a USB port.

Although DarkPurple never released the schematics for the USB Killer, within 18 months, knock-off devices were being sold online.

In fact, one site selling the device explained that most consumer devices are vulnerable, including not just computers, but everything from networking equipment to in-flight entertainment systems. It even sells adapters to connect the USB weapon via Apple’s Lightning port, MicroUSB, and USB-C ports.

The Cost of The College of St. Rose Attack

According to testimony from The College of St. Rose, the cost to replace the destroyed equipment was $51,109. The college incurred an additional payroll cost of $7,362 to deal with the incident.

As for Akuthota, he was sentenced to 12 months in prison, followed by one year of supervised release, and ordered to pay the college $58,471 in restitution.

The Lesson Learned

Hopefully, the lesson is obvious, which is the realization that physical security must be part of any comprehensive cybersecurity strategy.

Yes, securing access to sensitive areas of your building is important – and most organizations take this very sensible precaution. However, installing physical locks for USB, Ethernet, and other ports is also a good idea, not only to protect against computer-killing devices such as these, but also to minimize the risk of malware and ransomware infecting your network.