
Analysis of USB fan given to journalists at North Korea-Singapore Summit [pdf] - danso
http://www.cl.cam.ac.uk/~sps32/usb_fan_report.pdf
======
Someone
_“VCONN pin is connected to VBUS via a resistor. There are also diodes on the
board”_

A truly paranoid analyst would check that these things that look like a
resistor or diode actually are resistors and diodes. That may not be easy, as
they could contain a tiny cpu and a few bits of flash memory that change the
behavior from “resistor” to something else after x power ups or, using an on-
board real-time clock, at a given date, or that run in parallel to the
resistor or diode. A simple RFID chip already could be somewhat of use to
spies.

Even simpler, that “resistor” could contain a tiny microphone and a radio
transmitter (getting reasonable audio quality and reasonable radio range
likely would be a challenge, but that’s what big budgets are for).

~~~
spitfire
I used to think things like these were fun conspiracy theories for a slow
afternoon. I remember seeing a guy who got Linux running on a spare ARM CPU on
his SATA hard drive, thinking "that'd be a great place for a rootkit".

But didn't think much further of it as that can be a dark rabbit hole to go
down. Then Snowden leaks came out, and it turned out technology was an active,
hostile and full scale warzone.

These are not unreasonable thoughts to have now. Even if you prove one of
these fans is safe, it does not prove that an individual has not been targeted
with a fan with a payload.

Also, don't discount the entire circuit being the bug.
[https://en.wikipedia.org/wiki/The_Thing_%28listening_device%...](https://en.wikipedia.org/wiki/The_Thing_%28listening_device%29)

~~~
lainga
Exactly. That's a fantastic tactic. Give out a thousand fans and have only 9
or 10 of them be compromised. A safe fan gets torn down by security
researchers and declared vanilla, and those 9 or 10 targets believe their fans
are safe to use.

~~~
stordoff
Or even just fake the analysis outright. North Korea having someone at
Cambridge, or at least being able to feed them a benign variant via an unnamed
journalist, is not out of the question.

~~~
brian-armstrong
We can probably rule this out since the paper doesn’t conclude that North
Korea is #1 and Bless Dear Leader

~~~
lainga
The workers' effort of dismantling the fan promoted the mass line
consciousness and building of a vigorous cadre feeling in the whole army.

------
bananadonkey
How about we go full meta and suspect the linked PDF is the malicious payload
vector?

~~~
jeffalyanak
I'm glad someone is going full Hari Seldon on this.

~~~
vinchuco
It's not necessarily science fiction.

------
jedberg
The going theory at the time was that they only bugged some percent of them in
the hopes that someone would publish an analysis exactly like this and then
everyone else would plug them in freely.

~~~
blhack
The idea that somebody has been waiting around to plug in a $0.50 fan until a
security researcher did a tear down is absolutely absurd.

~~~
jedberg
They weren't waiting around, but the idea is that they would just hear it
through the rumor mill and then decide, "oh hey I guess I can plug this in".

Having done security for many years, especially user security, I can say with
certainty that some people are this dumb.

------
SketchySeaBeast
I'm surprised they didn't disassemble the fan proper- while it's not useful as
a USB spy device, if we're going to go full paranoia, those lines could still
be powering something in the fan chassis itself.

~~~
21
Did you look at the picture? The lines are not connected at all.

~~~
albertgoeswoof
You could fit an entire array of mics, sensors and radios inside the fan that
are powered by the USB port. No need to connect to the laptop to record and
broadcast info.

Pretty unlikely though.

~~~
unixhero
Not really. There was a microphone inside a gift that was in the Oval Office
given by the Soviets, which broadcasted info for many years. They called it
"the thing".

~~~
sitkack
And the microphone was just the diaphragm that a microwave beam was bounced
off of. The device itself was entirely passive.

------
bandwitch
Nice, an analysis from the future :)

Jokes aside. My guess would be that it is highly unlikely a half decent secret
service would use such a method to spread a virus or a trojan. On the other
hand, I would also guess that no serious journalist will contemplate using a
free device provided by a rogue nation just in case.

~~~
larkeith
> On the other hand, I would also guess that no serious journalist will
> contemplate using a free device provided by a rogue nation just in case.

I disagree. While tech-minded journalists may be aware of the risks of
untrusted USB devices, the same cannot be expected of everyone; even if they
know that USB drives are potentially dangerous (already a crapshoot, even in
some tech-related jobs), people unfamiliar with computers may not realize that
the same risks apply to all USB-powered devices.

------
hymen0ptera
There's a lot of hysteria surrounding these freebie swag items, enough that
you have to wonder if either exactly this sort of reaction was expected, and
they're laughing at exactly the expected level of fear and paranoia produced at
the mere sight of a USB jack... or... they could only but roll their eyes, as
they dropped a USB device into the mix out of curiosity to see if there would
be any reaction at all, expecting possibly a muted, cool brush off,
unconcerned about exploits, and instead caught ten or one hundred times the
wave of hysteria, for something they might have internally estimated would be
rated as being perceived as a mild security hazard.

Seriously, this has all the alarmist fear mongering of the Cuban embassy sonic
weapon mystery, but none of the smoking gun who-dunnit clues.

People are going to be chasing their tails on this one, wondering if the fan
rotors spin at resonating speeds to give off infra-sonic beam-forming
geolocation signals, and that's after they sample scrapings from 1000
different components in a gas chromatograph mass spectrometer only to find
that they were some standard Chinese USB components, purchased in bulk orders
months ago, but had arrived too late for Olympics swag and were basically
left-overs.

It's funny, but I think the volume of this knee-jerk reaction caused more
damage than an actual attack could have.

If North Korea was going to try and swindle its way onto targeted USB
interfaces, I'd have to imagine that they'd attempt a level of indirection (at
least one), and launder the swag through a secondary shell entity, like some
shady third-world press corps gadfly to the event.

If they hadn't thought of that before (even though I'm sure they already do
think that way), this hair-on-fire reaction has certainly taught them to do
so, unconditionally, going forward.

------
danso
Context here: [https://www.zdnet.com/article/usb-fan-given-out-at-trump-kim...](https://www.zdnet.com/article/usb-fan-given-out-at-trump-kim-summit-deemed-safe/)

------
bborud
Before clicking the link I took a moment to think about how I’d design such a
device for nefarious purposes, hoping that the author ought to be able to
defeat whatever a mere hobbyist could come up with.

It would appear I’d make a better spy than the author would make a security
analyst.

Penn Jillette has given interviews on what mindset is needed to trick people.
One basic rule is that people will gravely underestimate the lengths he is
willing to go to in order to trick the audience.

I’m not saying this is a spying device. I am merely pointing out that the
author shed no light on whether it is.

For your entertainment:
[https://youtu.be/WvXKSSmItls](https://youtu.be/WvXKSSmItls)

~~~
baby
Your comment doesn’t explain how you tricked the analyst so I downvoted you.

------
kqr2
Perhaps the bug can only be activated by an external source, e.g. Theremin's
bug:

[https://hackaday.com/2015/12/08/theremins-bug/](https://hackaday.com/2015/12/08/theremins-bug/)

The moving fan motor could act as a simple microphone.

------
pocketstar
A malicious chip inside the USB-C connector with pass through power to the fan
seems reasonable.

~~~
schiffern
This. There's plenty of space to overmold a chip embedded in the USB-C
connector itself, and such a device would naturally open-circuit the data pins
when powered off (defeating the multimeter test).

This "analysis" is so superficial that I thought it was a joke at first. At
the very least the device should be completely disassembled and/or X-rayed.

------
BooneJS
These usb cables with data switches need to become more commonplace.
[https://www.adafruit.com/product/3438](https://www.adafruit.com/product/3438)

~~~
rainbowmverse
That only helps if the spy equipment needs more than power from the USB port.
It doesn't need a data connection if it's picking up RF noise from the laptop
and audio from people to transmit to nearby agents.

It was done in the '80s with much less advanced technology:
[http://www.cryptomuseum.com/covert/bugs/selectric/](http://www.cryptomuseum.com/covert/bugs/selectric/)

------
zyztem
Surprised to see USB-C connector. Has it gone mainstream all the way in place
of Type-A?

~~~
solarkraft
Not yet, but we're going there.

------
joemaller1
Just for the sake of curiosity, wouldn't it be possible to embed some sort of
self-contained microdevice inside the motor? A USB "rubber-ducky" type device
is kind of expected, piggybacking something else off the USB would be kind of
interesting. Cheap throwaways like this wouldn't make sense target-wise, but
it's fun to think about.

~~~
namibj
That is the reason you have an X-ray to vet electronics before allowing them
into secure areas (with potentially secret sound and generic em-waves (from
200nm to 300000km aka 300Mm)). If you don't have that already, you don't have
that much physical security...

------
jaxondu
Just curious: why would a nation's secret service organisation spy on
journalists? They are not delegates of the summit.

~~~
jrockway
Journalists have sources that the spy organization would very much like to
learn the name of. If you're going to come down hard on leaking, bugging
journalists or compromising their phones is the most logical thing to do. The
reporter that gave up the fan for analysis was absolutely right to be paranoid
here.

------
sitkack
Each device emits a specific RF signature when turned on. Nothing more. The
Red Team then knows which journalists are susceptible to these kinds of
attacks and will use this information later.

------
21
The meme of infected usb sticks in the parking lot is so old and known by
everybody and their grandma, that only a prankster would really do it, with a
parody screensaver virus.

A serious secret service would use more up to date methods.

~~~
countbackula
Take something super banal (a mobile fan), give it a blindingly obvious
hacker-y feature (USB connectivity), and distribute them among visitors from
an adversarial country (the U.S.), and you're going to be hard-pressed to find
someone who isn't at least the tiniest bit suspicious. This is so entirely Spy
Device 101 that the payload is likely just entertainment for DPRK officials–
watching everyone stress out and tear it apart looking for something
malicious. And that, in and of itself, is pretty damn twisted.

~~~
larkeith
I'm not sure I would call it twisted - it's humorous to watch, but not
particularly malicious, and if there are truly no devices in _any_ of the fans
it could even be construed as a gesture of good faith.

I, for one, appreciate the show.

------
agumonkey
What a quick read..

------
canada_dry
Whoa! That had all the suspense of a Geraldo Rivera special. /s

------
barrystaes
Flagged because not worthy of the frontpage.

What about inside PCB, motor stator, USB connector, etc. Must be some example
of Cambridge on how NOT to do anything..

------
jaredlightman
Someone should do an analysis of that pdf to see if anything is embedded in
that.

