I'm surprised they didn't disassemble the fan proper- while it's not useful as a USB spy device, if we're going to go full paranoia, those lines could still be powering something in the fan chassis itself.
You could fit an entire array of mics, sensors and radios inside the fan that are powered by the USB port. No need to connect to the laptop to record and broadcast info.
To me, it looked like the plastic molding was oversized for the circuitry inside, which makes me think there may be variants of these fans. This was the `NOP` variant while perhaps others have `malware drop`, `GPS beacon`, `audio capture` or some other capabilities added inside the same chassis with maximum ease.
Of course all of this is entirely speculative. Maybe this design was cheaper to produce or simply shown to be sturdier compared to a smaller alternative.
It could even be that they had an earlier circuitry design that was slightly larger and then they realized it could be simplified but at that point that had ordered the chassis.
Not really. There was a microphone inside a gift that was in the oval office given by the Soviets, which broadcasted info for many years. They called it "the thing".
That was my thought as well - No visible connection on the surface of a PCB does not prove there is no connection on a pin, only that there is no connection on the surface.
Multilayer PCBs are commonplace, and a stealthy version which does not show the layers at the edge of the board and encapsulates ICs is not a stretch.
All that said I agree with the sentiment in other posts here that this attack vector is so obvious that the likelihood is higher that this is simple trolling. Then again, that kind of 'discovery' trolling also provides signals intelligence, of a kind, in observing the reactions to it.
The meme of infected usb sticks in the parking lot is so old and known by everybody and their grandma, that only a prankster would really do it, with a parody screensaver virus.
A serious secret service would use more up to date methods.
Take something super banal (a mobile fan), give it a blindingly obvious hacker-y feature (USB connectivity), and distribute them among visitors from an adversarial country (the U.S.), and you're going to be hard-pressed to find someone who isn't at least the tiniest bit suspicious,
This is so entirely Spy Device 101 that the payload is likely just entertainment for DPRK officials– watching everyone stress out and tear it apart looking for something malicious.
And that, in and of itself, is pretty damn twisted.
I'm not sure I would call it twisted - it's humorous to watch, but not particularly malicious, and if there are truly no devices in any of the fans it could even be construed as a gesture of good faith.
Just for the sake of curiosity, wouldn't it be possible to embed some sort of self-contained microdevice inside the motor? A USB "rubber-ducky" type device is kind of expected, piggybacking something else off the USB would be kind of interesting. Cheap throwaways like this wouldn't make sense target-wise, but it's fun to think about.
Would the magnets in the motor interfere significantly with radio transmissions? Not that it would preclude devices being housed inside either way, just introduce complications.
That is the reason you have an X-ray to vet electronics before allowing them into secure areas (with potentially secret sound and generic em-waves (from 200nm to 300000km aka 300Mm)). If you don't have that already, you don't have that much physical security...
Jokes aside. My guess would be that it is highly unlikely a half decent secret service would use such a method to spread a virus or a trojan. On the other hand, I would also guess that no serious journalist will contemplate using a free device provided by a rogue nation just in case.
> On the other hand, I would also guess that no serious journalist will contemplate using a free device provided by a rogue nation just in case.
I disagree. While tech-minded journalists may be aware of the risks of untrusted USB devices, the same cannot be expected of everyone; even if they know that USB drives are potentially dangerous (already a crapshoot, even in some tech-related jobs), people unfamiliar with computers may not realize that the same risks apply to all USB-powered devices.
”VCONN pin is connected to VBUS via a resistor. There are also diodes on the board”
A truly paranoid analyst would check that these things that look like a resistor or diode actually are resistors and diodes. That may not be easy, as they could contain a tiny cpu and a few bits of flash memory that change the behavior from “resistor” to something else after x power ups or, using an on-board real-time clock, at a given date, or that run in parallel to the resistor or diode. A simple RFID chip already could be somewhat of use to spies.
Even simpler, that “resistor” could contain a tiny microphone and a radio transmitter (getting reasonable audio quality and reasonable radio range likely would be a challenge, but that’s what big budgets are for).
I used to think things like these were fun conspiracy theories for a slow afternoon. I remember seeing a guy who got Linux running on a spare ARM CPU on his SATA hard drive,
thinking "that'd be a great place for a rootkit".
But didn't think much further of it as that can be a dark rabbithole to go down. Then Snowden leaks came out, and it turned out technology was an active, hostile and full scale warzone.
These are not unreasonable thoughts to have now. Even if you prove one of these fans is safe, it does not prove that an individual has not been targeted with a fan with a payload.
Exactly. That's a fantastic tactic. Give out a thousand fans and have only 9 or 10 of them be compromised. A safe fan gets torn down by security researchers and declared vanilla, and those 9 or 10 targets believe their fans are safe to use.
Or even just fake the analysis outright. North Korea having someone at Cambridge, or at least being able to feed them a benign variant via an unnamed journalist, is not out of the question.
Yes. This is obvious but also counterintuitive. People forget that it's a long game and that malware (such as Stuxnet) is patient and penetrates gradually.
If you're a government operation trying to bug an electronic device, chances are you're certainly not going to have your bug revealed by a simple teardown like this. I've heard rumors of certain cases where current fluctuations in the VBUS rail caused by certain peripherals can be used to compromise the USB controller. Additionally, embedded components can be placed between PCB layers, making it essentially appear "invisible" without using an x-ray system.
I ordered some 2 pin RGB LEDs a few years back. They change color over time via some built in IC, but the crazy thing is that the IC is so small that you can't even see it. And it all fits nicely within a standard LED. I would imagine someone could even fit a similar IC within the traces of a circuit board and nobody would be able to tell.
All of the puzzles Henryk Gasperowicz makes are this sort of thing. They're fun to try to figure out even if you know the basic idea, as they're pretty much all analog circuits. EG: https://www.youtube.com/watch?v=WvXKSSmItls
The bit inside the 9 volt connector isn't really logic. The flip-flops and Schmitt trigger gates are just to generate square waves at 3 different frequencies. There's also a small power supply to drop the 9V down to 6.2V for the input of that, some comparators, and a bit of filtering.
The LEDs contain LC filters, tuned such that they'll light (visibly) when the appropriate frequency is applied. Touching the wire in different places creates a different parasitic load, which is detected by one of the comparators. That comparator then toggles the clock generator for the appropriate frequency, turning that LED off or on.
As with all of his circuits it's a brilliantly simple idea implemented in a ridiculously constrained space.
What I like is how it breaks down the model that most people had. Models simplify, but they also constrain and we need to always be cognizant of where the model stops.
Some people over train in model-space and are unable to make thoughts that occur outside of that universe.
This video of "Inside the RFID Stickers from a Chinese Cashier-less Store" (around 9:20 and again at 12:20) was a real eye-opener to me: https://www.youtube.com/watch?v=0QKrHi-G9WQ
You're absolutely right that it would be almost impossible to detect a malicious device in one of those components. But a few things come to mind:
1. If you're that paranoid, don't plug stuff in to your USB ports EVER.
2. If you're going to put a malicious device in this thing, connecting it to VConn isn't a good idea - since you'd have to be hoping that whatever you've plugged into is insecure at a hardware level in quite a specific way that there's no evidence of.
3. There seem to be easier ways to hack visitors to singapore - like getting physical access to their laptop.
> 3. There seem to be easier ways to hack visitors to singapore - like getting physical access to their laptop.
In the US, it's as easy as Customs giving you a choice: 1) sit in a room indefinitely or 2) let them take your device into another room for an hour or so. Definitely a case of this: https://www.xkcd.com/538/
I've zero intention of ever visiting the US (partially because of shit they pull like your post) however if for some (incredibly unlikely) reason it's absolutely unavoidable I'll not be taking any electronics with me at all or taking something cheap and cleanslate that will be binned when I get back - essentially I treat the US as having the same threat model to visitors as China - well done whoever thought up those policies.
> 1. If you're that paranoid, don't plug stuff in to your USB ports EVER.
If you''re that paranoid then is any consumer hardware safe these days? Almost undetectable hardware could be slipped into to just about any device and they're mostly manufactured in a country hostile to personal freedom or countries under their influence.
The future is probably riscv style open hardware but that will need to be combined with local fabrication facilities.
But a resistor or doide only have two connectors. How could one possibly hide a tiny CPU or RFID chip inside with only those connectors? Two connectors would be the minimum to just power the chip up.
"One distinctive feature of the bus is the possibility of using only two wires: data and ground. To accomplish this, 1-Wire devices include an 800 pF capacitor to store charge and power the device during periods when the data line is active."
You can buy devices that put an entire JVM inside a two-terminal component, of similar physical size.
Journalists have sources that the spy organization would very much like to learn the name of. If you're going to come down hard on leaking, bugging journalists or compromising their phones is the most logical thing to do. The reporter that gave up the fan for analysis was absolutely right to be paranoid here.
This. There's plenty of space to overmold a chip embedded in the USB-C connector itself, and such a device would naturally open-circuit the data pins when powered off (defeating the multimeter test).
This "analysis" is so superficial that I thought it was a joke at first. At the very least the device should be completely disassembled and/or X-rayed.
The going theory at the time was that they only bugged some percent of them in the hopes that someone would publish an analysis exactly like this and then everyone else would plug them in freely.
Before clicking the link I took a moment to think about how I’d design such a device for nefarious purposes, hoping that the author ought to be able to defeat whatever a mere hobbyist could come up with.
It would appear I’d make a better spy than the author would make a security analyst.
Penn Jilette has given interviews on what mindset is needed to trick people. One basic rule is that people will gravely underestimate the lengths he is willing to go to in order to trick the audience.
I’m not saying this is a spying device. I am merely pointing out that the author shed no light on whether it is.
That only helps if the spy equipment needs more than power from the USB port. It doesn't need a data connection if it's picking up RF noise from the laptop and audio from people to transmit to nearby agents.
There's a lot of hysteria surrounding these freebie swag items, enough that you have to wonder if either exactly this sort of reaction was expected, and their laughing at exactly the expected level of fear and paranoia produced at the mere sight of a USB jack... or... they could only but roll their eyes, as they dropped a USB device into the mix out of curiosity to see if there would be any reaction at all, expecting possibly a muted, cool brush off, unconcerned about exploits, and instead caught ten or one hundred times the wave of hysteria, for something they might have internally estimated would be rated as being perceived as a mild security hazard.
Seriously, this has all the alarmist fear mongering of the Cuban embassy sonic weapon mystery, but none of the smoking gun who-dunnit clues.
People are going to be chasing their tails on this one, wondering if the fan rotors spin at resonating speeds to give off infra-sonic beam-forming geolocation signals, and that's after they sample scrapings from 1000 different components in a gas chromatograph mass spectrometer only to find that they were some standard chinese USB components, purchased in bulk orders months ago, but had arrived too late for Olympics swag and were basically left-overs.
It's funny, but I think the volume of this knee-jerk reaction caused more damage than an actual attack could have.
If North Korea was going to try and swindle it's way onto targeted USB interfaces, I'd have to imagine that they'd attempt a level of indirection (at least one), and launder the swag through a secondary shell entity, like some shady third-world press corps gadfly to the event.
If they hadn't thought of that before (even though I'm sure they already do think that way), this hair-on-fire reaction has certainly taught them to do so, unconditionally, going forward.
Each device emits a specific RF signature when turned on. Nothing more. The Red Team then knows which journalists are susceptible to these kinds of attacks and will use this information later.
87 comments
[ 1.4 ms ] story [ 151 ms ] threadPretty unlikely though.
Of course all of this is entirely speculative. Maybe this design was cheaper to produce or simply shown to be sturdier compared to a smaller alternative.
It could even be that they had an earlier circuitry design that was slightly larger and then they realized it could be simplified but at that point that had ordered the chassis.
Multilayer PCBs are commonplace, and a stealthy version which does not show the layers at the edge of the board and encapsulates ICs is not a stretch.
All that said I agree with the sentiment in other posts here that this attack vector is so obvious that the likelihood is higher that this is simple trolling. Then again, that kind of 'discovery' trolling also provides signals intelligence, of a kind, in observing the reactions to it.
A serious secret service would use more up to date methods.
I, for one, appreciate the show.
It was most likely some organiser just organising swag for the conference, who didn't think about the implications because they weren't aware of them.
Never attribute to malice that which is adequately explained by stupidity (well, ignorance in this case).
Why would the North Koreans go through the trouble of buying a bunch of fans on Aliexpress just to make some security people freak out?
Jokes aside. My guess would be that it is highly unlikely a half decent secret service would use such a method to spread a virus or a trojan. On the other hand, I would also guess that no serious journalist will contemplate using a free device provided by a rogue nation just in case.
I disagree. While tech-minded journalists may be aware of the risks of untrusted USB devices, the same cannot be expected of everyone; even if they know that USB drives are potentially dangerous (already a crapshoot, even in some tech-related jobs), people unfamiliar with computers may not realize that the same risks apply to all USB-powered devices.
It's possible he put the date on which he plans to more formally publish or present it.
A truly paranoid analyst would check that these things that look like a resistor or diode actually are resistors and diodes. That may not be easy, as they could contain a tiny cpu and a few bits of flash memory that change the behavior from “resistor” to something else after x power ups or, using an on-board real-time clock, at a given date, or that run in parallel to the resistor or diode. A simple RFID chip already could be somewhat of use to spies.
Even simpler, that “resistor” could contain a tiny microphone and a radio transmitter (getting reasonable audio quality and reasonable radio range likely would be a challenge, but that’s what big budgets are for).
But didn't think much further of it as that can be a dark rabbithole to go down. Then Snowden leaks came out, and it turned out technology was an active, hostile and full scale warzone.
These are not unreasonable thoughts to have now. Even if you prove one of these fans is safe, it does not prove that an individual has not been targeted with a fan with a payload.
Also, don't discount the entire circuit being the bug. https://en.wikipedia.org/wiki/The_Thing_%28listening_device%...
"Russia spied on foreign powers at last month’s G20 summit by giving delegations USB pen drives capable of downloading sensitive information from laptops" - https://www.telegraph.co.uk/news/worldnews/europe/russia/104...
Does he ever explain how the tricks work?
Here is the schematic for the 3LEDs & 0 switches video liked by GP - https://plus.google.com/photos/116398424278304767741/album/5...
I don't understand the electronics, but the logic is hidden inside the 9 volt battery connector.
The LEDs contain LC filters, tuned such that they'll light (visibly) when the appropriate frequency is applied. Touching the wire in different places creates a different parasitic load, which is detected by one of the comparators. That comparator then toggles the clock generator for the appropriate frequency, turning that LED off or on.
As with all of his circuits it's a brilliantly simple idea implemented in a ridiculously constrained space.
Some people over train in model-space and are unable to make thoughts that occur outside of that universe.
They weren't really unreasonable thoughts to have back then, they may have just seemed unreasonable.
1. If you're that paranoid, don't plug stuff in to your USB ports EVER.
2. If you're going to put a malicious device in this thing, connecting it to VConn isn't a good idea - since you'd have to be hoping that whatever you've plugged into is insecure at a hardware level in quite a specific way that there's no evidence of.
3. There seem to be easier ways to hack visitors to singapore - like getting physical access to their laptop.
In the US, it's as easy as Customs giving you a choice: 1) sit in a room indefinitely or 2) let them take your device into another room for an hour or so. Definitely a case of this: https://www.xkcd.com/538/
If you''re that paranoid then is any consumer hardware safe these days? Almost undetectable hardware could be slipped into to just about any device and they're mostly manufactured in a country hostile to personal freedom or countries under their influence.
The future is probably riscv style open hardware but that will need to be combined with local fabrication facilities.
The big question is whether RISC-V is open enough for such purposes.
"One distinctive feature of the bus is the possibility of using only two wires: data and ground. To accomplish this, 1-Wire devices include an 800 pF capacitor to store charge and power the device during periods when the data line is active."
You can buy devices that put an entire JVM inside a two-terminal component, of similar physical size.
This "analysis" is so superficial that I thought it was a joke at first. At the very least the device should be completely disassembled and/or X-rayed.
https://hackaday.com/2015/12/08/theremins-bug/
The moving fan motor could act a simple microphone.
Having done security for many years, especially user security, I can say with certainty that some people are this dumb.
It would appear I’d make a better spy than the author would make a security analyst.
Penn Jilette has given interviews on what mindset is needed to trick people. One basic rule is that people will gravely underestimate the lengths he is willing to go to in order to trick the audience.
I’m not saying this is a spying device. I am merely pointing out that the author shed no light on whether it is.
For your entertainment: https://youtu.be/WvXKSSmItls
Supply journalists with harmless USB devices. Then pass around a fully weaponised PDF.
For the those that think malware in PDF's are history, here's a link to 2 zero days found just this march.
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/...
It was done in the '80s with much less advanced technology: http://www.cryptomuseum.com/covert/bugs/selectric/
Seriously, this has all the alarmist fear mongering of the Cuban embassy sonic weapon mystery, but none of the smoking gun who-dunnit clues.
People are going to be chasing their tails on this one, wondering if the fan rotors spin at resonating speeds to give off infra-sonic beam-forming geolocation signals, and that's after they sample scrapings from 1000 different components in a gas chromatograph mass spectrometer only to find that they were some standard chinese USB components, purchased in bulk orders months ago, but had arrived too late for Olympics swag and were basically left-overs.
It's funny, but I think the volume of this knee-jerk reaction caused more damage than an actual attack could have.
If North Korea was going to try and swindle it's way onto targeted USB interfaces, I'd have to imagine that they'd attempt a level of indirection (at least one), and launder the swag through a secondary shell entity, like some shady third-world press corps gadfly to the event.
If they hadn't thought of that before (even though I'm sure they already do think that way), this hair-on-fire reaction has certainly taught them to do so, unconditionally, going forward.
What about inside PCB, motor stator, USB connector, etc. Must be some example of Cambridge on how to NOT to do anything..