That's more a South Korean thing and this particular summit is between the US and the North. Even in the South that myth is on the wane so I doubt it has much relevance here.
It's the equivalent of posting a Wiki article on a random Israeli superstition as "additional context" for a summit between the US and the Palestinian Authority.
It's not like this is some ancient tradition you'd expect them to share. The fan death urban legend first arose in the last century, just shortly before the countries were divided. They've been separate (and relatively isolated) for most of the time the myth was spreading in South Korea. I don't know what North Koreans think on the subject, but I wouldn't take it for granted that the urban legend is relevant context here.
Neither would I; nor would I take it for granted that it's so emphatically irrelevant, as some have done here. I would in fact, simply take it as "additional context."
All they need to do is open it up and take a look inside. There should just be a USB port and a pair of wires, maybe a pair of resistors. If there's anything else, this is a Trojan Horse. You can probably open this up with a butter knife, maybe a small pair of pliers to open up the USB connector.
A reasonable security assessment of this device could be done in two minutes. It would take longer to take pictures of the disassembly and post the pics on twitter.
I imagine if this really is an attack the attacker would expect these devices to be subject to scrutiny - perhaps the first set of fans released to journalists are safe, but as the summit goes on and the initial reports cleared them then just bribe hotel staffers to surreptitiously replace them with Trojan Horse devices. Or have just a small subset of devices as THs and hope the ones that get opened up are the safe ones.
This is just what I was thinking. Make it highly targeted to a few people, and swap it out at two points. Swap it for the hot unit mid-summit, then swap back for a normal unit at the end. If they’re really lucky this could become a normal or expected thing, and be useful as a vector in the future.
I'm not going to say 'no', but I would highly doubt it.
If you're wondering what the 'state of the art' in disguising components to look like other components is, this [1] is probably the best example. It's a guy that turned a LED into an LED and an inductor, and put transistors inside of switches.
What you're proposing -- basically putting a USB-capable microcontroller inside something that looks like resistor -- isn't impossible. I can imagine that it could be done, but I would have no idea how. You would probably go with a very small (physically) microcontroller, maybe one of the SOT-23-6 PIC or AVR packages. I don't think it's possible to write a USB stack for those, and you only have 1-2kB to implement a BadUSB [2] sort of thing. It might be possible, but I doubt it. Still, that size of package could be disguised as a (large) SMD resistor, although the PCB would look odd with the addition of extra traces.
To be honest, it really wouldn't make sense to disguise a microcontroller as passive components. It's already been demonstrated journalists will gladly plug random USB devices into their computer. If you wanted the device to just pass a cursory investigation, you'd just put a glob of black epoxy over the USB port. Hiding a microcontroller as a pair of resistors might be possible, but it's far more effort than what is really needed.
Great opportunity to remind people: never ever plug an unknown USB device in your computer. Even USB-C chargers can infect your machine as outlined here: https://twitter.com/_MG_/status/949684949614907395
My guess would be that many USB-C products are charging cables, dongles, and other items that the average user would not associate with having the capability to store data making them inherently "safe" in their eyes. USB-A, on the other hand, is commonly associated with storing data, and the majority of user awareness and education about the danger of unknown devices is focused on flash drives. For these reasons I can see how someone without technical experience may believe that flash drives specifically are potentially dangerous, while believing that other USB-A/USB-C cables/adapters/chargers are safe. In my experience most users don't even know what USB-B is
Outside of this audience, it's rather common[0]. It's not something that people, outside of these communities, harp on all that much. But even take things we do harp on, like not reusing passwords, are still things that the majority of people do[1].
I worked in various security positions at one of the US's biggest ISPs and routinely brought these sorts of things up to family members. I am embarrassed by the kinds of practices my family employs. The excuses vary but most of them fall along the lines of the same excuses smokers give when asked about lung cancer risks: "It Won't Happen to Me(tm)".
Even within our industry, bad practices exist all over the place. An example I often point to is Code Signing certificates[2] -- I went through the trouble of generating a CSR offline using a Linux live CD, backed up the private key to an encrypted thumb drive and placed the result on a Yubikey to protect it when I need to sign something. The best part was sorting out how to actually give the CSR to the CA I used to purchase the key from. They offer all kinds of convenient, (IE and Firefox-only) in-browser mechanisms which result in generating the key online in a potentially already-compromised machine, but I ended up having to go through several steps using phone support to get my CSR to the CA. The way they did things encourages people to not think about protecting the private key; simply leaving it on an unencrypted volume with (likely) no other encryption used to protect the key.
[2] I mention this kind of certificate because its credentials are such that an individual or company is named -- it's meant to identify a person or a legal entity, not a domain name -- and things signed with it result in that legal entity or person's legal name being displayed on launch in operating systems like Windows. It's something that you really wouldn't want to have fall into the wrong hands lest your name end up being prominently displayed prior to the installation of malware.
We assume that bridges won't collapse, planes won't fall out of the sky. Engineers are supposed to build things that are safe to use. That's a reasonable expectation.
Because they are chargers. My 2015 Macbook charger is not vulnerable, my 2016 Macbook charger could be. It's not reasonable to assume that end users intuitively get that.
How is the regular guy supposed to figure out if a USB device is OK or not? I guess the easy answer is to say "Don't use an unknown device" but I don't think this is practical especially in the case of a charger.
It's like the constant battle with our IT department to get and keep admin privileges on our machines. Yes, this can cause a problem but we need admin rights to do our job.
Within the context of USB Power Delivery , it needs more than simple power and ground to actually work. While it’s theoretically possible to make such a device that would determine which device is the source and sink, determine voltages and charge rates, then smartly select one and begin charging without the devices directly communicating, no such off-the-shelf device currently exists as far as I’m aware. You basically want a USB PD firewall that would only allow commands relevant to changing through, or have it generate synthetic responses that would e.g. never allow it to expose things like a mass storage interface. You might also need drivers depending on how you implement it. It would be a cool project / crowdsupply / Kickstarter though.
Right now, USB-C is only just starting to get past the “which cables will physically harm my device with a given charger even though they plug in correctly” phase.
In the case of a charger, you must always use a charge-stop adapter if you’re charging from a public charger. They’re cheap and a couple offer bulk discounts to companies.
> How is the regular guy supposed to figure out if a USB device is OK or not?
If you are not absolutely sure it's OK, then it's not. Pack your own chargers, use a "USB condom" or a power-only cable. If the charger has a cable that can't be removed, use it to charge a trusted battery, then charge your phone from it. Don't trust any smart battery, BTW.
Journalist covering summits like this are not regular guys and should receive opsec training before any such assignment.
When working on the Brazilian electronic ballot, I had two computers: one that was connected to the corporate network where I could read and write e-mails, and another I could manage (so I could run Visual Studio's debugger), that was on a completely different network, in front and behind some of the most aggressive firewalls I've ever seen.
"How is the regular guy supposed to figure out if a USB device is OK or not? I guess the easy answer is to say "Don't use an unknown device" but I don't think this is practical especially in the case of a charger."
I use a "USB Condom". My current USB Condom is this one:
In fact, I sometimes even use it with my own, trusted, devices. For instance, I don't want my macbook itunes to know about my iphone so when I charge from my own laptop, I use the "condom".
Makes me wonder why manufacturers don't have a USB permission scheme like they have for apps. It would be nice to give a USB device only certain permissions like charging.
USB still involves software, and the code that runs the USB interface is invisible to the host computer. You have no way to verify that the cable or USB condom is not hosting malicious code.
I mean if the USB host device itself has specialized USB hardware that can lock the ports in power only until they're fully enabled by the OS, then you'd be in a better position.
Either that or a tiny switch beside each port to enable/disable the neutering feature.
Hey, I'm sorry to hijack this. Is there a way to contact you about rsync.net? Support hasn't replied for a week, Twitter seems unmonitored - don't know any other way but this right here.
One easy answer is to give people an "appliance"/task-specific computer instead of a general purpose computer. So the computer is essentially just a hypervisor that loads the appropriate appliance which only allows them to do specific tasks - one for banking, one for email, one for writing documents, one for browsing, one for gaming, etc.
So at a meeting between the US and North Korea, somebody is handing out a free USB device, but only to people with credentials. Call me crazy, but I would never accept that Trojan horse...uh...I mean gift.
The number of people who will receive one of these who know that there are data pins in USB or which pins are the data pins would be exceedingly small.
Plus, there does not need to be a data connection for the powering of these devices to present a security issue. It could just need power to run a microphone or GPS.
Is there any kind of serial dongle that way to filter out on necessary comm circuits and simply provide power, they say just a pass-through to block the data portion of USB
Edit - note, this isn't properly secure! Please screen your devices properly and consult your organisation's security team/local tinfoil hat wearer, or educate yourself about side-channel attacks, monitoring, and the history of surveillance devices.
I mean not necessarily, although it stops data access to your computer you're still powering a device close to your computer which could have sniffer/camera/microphone
Very true! There's also potential side-channel attacks regarding noise in the power supply (example: https://arxiv.org/pdf/1801.00932.pdf), so it's definitely not a guarantee of safety.
Best to open it up for inspection, then destroy it. There's not a lot of room inside the body, by the looks of it, but there could still be plenty of fun stuff hidden in there anyway.
Thinking logically though: due to the public nature of the release, it might actually just be a fan..
free usb device? only Trump admin would be dumb enough to fall for this. Imagine one of these back it to AirForce1 or God forbid the White House. Fucking idiots.
The USB trojan connects back to the command and control server and waits to be instructed to spray VX nerve gas into the fan. A refreshing cool breeze of remote death.
That's not to say it's definitely not malicious, and I certainly wouldn't be plugging it into my phone. But it is Singapore, where it is hot, so I do understand the rational of giving fans to the journos.
I suspect that the person in charge of the decision didn't consider the fact that USB fans are a possible attack vector.
I think that some readers here have been reading too much Frederick Forsyth or Tom Clancy, with these ideas about baiting and switching and bribing hotel employees.
93 comments
[ 3.3 ms ] story [ 55.7 ms ] threadWho handed these out? And what are the odds that any free USB device contains malware or spyware of some sort?
https://www.nytimes.com/2018/06/07/us/politics/times-reporte...
https://www.jpost.com/Middle-East/PA-arrests-five-Pal-journa...
https://cpj.org/2017/08/palestinian-security-forces-arrest-f...
A reasonable security assessment of this device could be done in two minutes. It would take longer to take pictures of the disassembly and post the pics on twitter.
If you're wondering what the 'state of the art' in disguising components to look like other components is, this [1] is probably the best example. It's a guy that turned a LED into an LED and an inductor, and put transistors inside of switches.
What you're proposing -- basically putting a USB-capable microcontroller inside something that looks like resistor -- isn't impossible. I can imagine that it could be done, but I would have no idea how. You would probably go with a very small (physically) microcontroller, maybe one of the SOT-23-6 PIC or AVR packages. I don't think it's possible to write a USB stack for those, and you only have 1-2kB to implement a BadUSB [2] sort of thing. It might be possible, but I doubt it. Still, that size of package could be disguised as a (large) SMD resistor, although the PCB would look odd with the addition of extra traces.
To be honest, it really wouldn't make sense to disguise a microcontroller as passive components. It's already been demonstrated journalists will gladly plug random USB devices into their computer. If you wanted the device to just pass a cursory investigation, you'd just put a glob of black epoxy over the USB port. Hiding a microcontroller as a pair of resistors might be possible, but it's far more effort than what is really needed.
[1] https://www.youtube.com/watch?&v=RkTvDjhImwo
[2] https://opensource.srlabs.de/projects/badusb
Why would anyone assume otherwise?
I worked in various security positions at one of the US's biggest ISPs and routinely brought these sorts of things up to family members. I am embarrassed by the kinds of practices my family employs. The excuses vary but most of them fall along the lines of the same excuses smokers give when asked about lung cancer risks: "It Won't Happen to Me(tm)".
Even within our industry, bad practices exist all over the place. An example I often point to is Code Signing certificates[2] -- I went through the trouble of generating a CSR offline using a Linux live CD, backed up the private key to an encrypted thumb drive and placed the result on a Yubikey to protect it when I need to sign something. The best part was sorting out how to actually give the CSR to the CA I used to purchase the key from. They offer all kinds of convenient, (IE and Firefox-only) in-browser mechanisms which result in generating the key online in a potentially already-compromised machine, but I ended up having to go through several steps using phone support to get my CSR to the CA. The way they did things encourages people to not think about protecting the private key; simply leaving it on an unencrypted volume with (likely) no other encryption used to protect the key.
[0] https://thenextweb.com/insider/2011/06/28/us-govt-plant-usb-... And these are specifically the kinds of people that should expect to be targets of an attack like this.
[1] https://digitalguardian.com/blog/uncovering-password-habits-...
[2] I mention this kind of certificate because its credentials are such that an individual or company is named -- it's meant to identify a person or a legal entity, not a domain name -- and things signed with it result in that legal entity or person's legal name being displayed on launch in operating systems like Windows. It's something that you really wouldn't want to have fall into the wrong hands lest your name end up being prominently displayed prior to the installation of malware.
After all, when was the last time your power drill caught a virus from your extension cord?
It's like the constant battle with our IT department to get and keep admin privileges on our machines. Yes, this can cause a problem but we need admin rights to do our job.
More info: http://www.usb.org/developers/powerdelivery/
Right now, USB-C is only just starting to get past the “which cables will physically harm my device with a given charger even though they plug in correctly” phase.
If you are not absolutely sure it's OK, then it's not. Pack your own chargers, use a "USB condom" or a power-only cable. If the charger has a cable that can't be removed, use it to charge a trusted battery, then charge your phone from it. Don't trust any smart battery, BTW.
Journalist covering summits like this are not regular guys and should receive opsec training before any such assignment.
When working on the Brazilian electronic ballot, I had two computers: one that was connected to the corporate network where I could read and write e-mails, and another I could manage (so I could run Visual Studio's debugger), that was on a completely different network, in front and behind some of the most aggressive firewalls I've ever seen.
I use a "USB Condom". My current USB Condom is this one:
https://www.amazon.com/PortaPow-Data-Blocker-Adaptor-SmartCh...
In fact, I sometimes even use it with my own, trusted, devices. For instance, I don't want my macbook itunes to know about my iphone so when I charge from my own laptop, I use the "condom".
I'm sure these exist for USB-C...
Of course this would require cryptography to do properly so it'll never, ever happen.
Either that or a tiny switch beside each port to enable/disable the neutering feature.
[1] https://en.wikipedia.org/wiki/The_Thing_(listening_device)
[1] https://www.theguardian.com/artanddesign/shortcuts/2015/mar/...
Plus, there does not need to be a data connection for the powering of these devices to present a security issue. It could just need power to run a microphone or GPS.
As a targeted attack it makes sense. Still you would have to muffle the sound of the fan.
http://syncstop.com/
http://portablepowersupplies.co.uk/home/portapow-data-blocke...
Edit - note, this isn't properly secure! Please screen your devices properly and consult your organisation's security team/local tinfoil hat wearer, or educate yourself about side-channel attacks, monitoring, and the history of surveillance devices.
Best to open it up for inspection, then destroy it. There's not a lot of room inside the body, by the looks of it, but there could still be plenty of fun stuff hidden in there anyway.
Thinking logically though: due to the public nature of the release, it might actually just be a fan..
That's not to say it's definitely not malicious, and I certainly wouldn't be plugging it into my phone. But it is Singapore, where it is hot, so I do understand the rational of giving fans to the journos.
I suspect that the person in charge of the decision didn't consider the fact that USB fans are a possible attack vector.
I think that some readers here have been reading too much Frederick Forsyth or Tom Clancy, with these ideas about baiting and switching and bribing hotel employees.