“All accredited journalists at the #KimTrumpSummit get a free USB fan.” (twitter.com)
189 points by pavel_lishin 9 months ago | 92 comments

So at a meeting between the US and North Korea, somebody is handing out a free USB device, but only to people with credentials. Call me crazy, but I would never accept that Trojan horse...uh...I mean gift.

You should accept it to avoid attracting attention. You can get rid of it later.

Or ask a computer security expert to examine it. If the USB fans have spyware, that would be a big news story!

I'd accept it and dissect it.

It could be much more than just a USB stick. Think about LTE, GPS, microphone. Or something passive [1]

[1] https://en.wikipedia.org/wiki/The_Thing_(listening_device)

There's an art project where USB sticks stick out of walls. [1] I wouldn't touch them with a 10 foot pole.

[1] https://www.theguardian.com/artanddesign/shortcuts/2015/mar/...

Great opportunity to remind people: never ever plug an unknown USB device in your computer. Even USB-C chargers can infect your machine as outlined here: https://twitter.com/_MG_/status/949684949614907395

How is the regular guy supposed to figure out if a USB device is OK or not? I guess the easy answer is to say "Don't use an unknown device" but I don't think this is practical especially in the case of a charger.

It's like the constant battle with our IT department to get and keep admin privileges on our machines. Yes, this can cause a problem but we need admin rights to do our job.

> How is the regular guy supposed to figure out if a USB device is OK or not?

If you are not absolutely sure it's OK, then it's not. Pack your own chargers, use a "USB condom" or a power-only cable. If the charger has a cable that can't be removed, use it to charge a trusted battery, then charge your phone from it. Don't trust any smart battery, BTW.

Journalists covering summits like this are not regular guys and should receive opsec training before any such assignment.

When working on the Brazilian electronic ballot, I had two computers: one that was connected to the corporate network where I could read and write e-mails, and another I could manage (so I could run Visual Studio's debugger), that was on a completely different network, in front and behind some of the most aggressive firewalls I've ever seen.

Why can't it infect (the microcontroller on) the battery, and then infect your device later?

There are dumb batteries that only use the power connections. Those can't be infected.

Ostensibly you're using that aforementioned power-only cable from battery -> device.

But then you can just skip the battery anyways...

If the untrusted charger has a USB socket, then yes. If you have an untrusted charger with non-detachable cable, then no.

Make “USB Condoms” that only have the power pins, no data. Educate users to see if these no-data devices have data pins.

Within the context of USB Power Delivery, it needs more than simple power and ground to actually work. While it’s theoretically possible to make such a device that would determine which device is the source and sink, determine voltages and charge rates, then smartly select one and begin charging without the devices directly communicating, no such off-the-shelf device currently exists as far as I’m aware. You basically want a USB PD firewall that would only allow commands relevant to charging through, or have it generate synthetic responses that would e.g. never allow it to expose things like a mass storage interface. You might also need drivers depending on how you implement it. It would be a cool project / crowdsupply / Kickstarter though.

More info: http://www.usb.org/developers/powerdelivery/

Right now, USB-C is only just starting to get past the “which cables will physically harm my device with a given charger even though they plug in correctly” phase.

In the case of a charger, you must always use a charge-stop adapter if you’re charging from a public charger. They’re cheap and a couple offer bulk discounts to companies.

Now thinking about it, if you made a malicious USB charging block that looks like the iPhone's and offered it to me, I'd probably fall for it.

You can always learn how to make a USB power-only cable out of a regular one.

Recommendations for a USB-C compatible one? USB-C significantly complicates a simple idea, unfortunately.

Which aspect of USB-C do you require to remain unaffected in transit?

"How is the regular guy supposed to figure out if a USB device is OK or not? I guess the easy answer is to say "Don't use an unknown device" but I don't think this is practical especially in the case of a charger."

I use a "USB Condom". My current USB Condom is this one:


In fact, I sometimes even use it with my own, trusted, devices. For instance, I don't want my macbook itunes to know about my iphone so when I charge from my own laptop, I use the "condom".

I'm sure these exist for USB-C...

Makes me wonder why manufacturers don't have a USB permission scheme like they have for apps. It would be nice to give a USB device only certain permissions like charging.

The USB device itself tells the machine what its "unique" identifier is. If you use it for permissions, then it could just lie.

Anything software based would still be vulnerable. The only surefire way is to disconnect the pins, as these USB condoms do.

It must be hardware based. Like the USB bus can negotiate with your system and then upgrade the connection if the device passes.

Of course this would require cryptography to do properly so it'll never, ever happen.

USB still involves software, and the code that runs the USB interface is invisible to the host computer. You have no way to verify that the cable or USB condom is not hosting malicious code.

I mean if the USB host device itself has specialized USB hardware that can lock the ports in power only until they're fully enabled by the OS, then you'd be in a better position.

Either that or a tiny switch beside each port to enable/disable the neutering feature.

Because anything software is hackable by definition

iOS does as of iOS 12. You have to verify every USB data connection before data is shared.
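The permission scheme discussed above, and the objection that the device itself supplies the identifier it would be judged by, as an added worked example (written for this thread, not code from any commenter, vendor or project). It parses the standard USB device and configuration descriptors a host sees at enumeration, then evaluates two host-side policies: a VID/PID allowlist, which a spoofing device passes, and an interface-class policy in the spirit of what tools like usbguard's `with-interface` rules enforce, which catches a "storage stick" that also enumerates a HID keyboard. All VID/PID values and descriptor bytes are constructed for the example.

```python
"""Host-side USB policy evaluated against descriptors (illustrative, added example).
VID/PID values and descriptor bytes below are constructed, not real products."""
import struct
from dataclasses import dataclass, field

DEVICE, CONFIG, INTERFACE, ENDPOINT = 0x01, 0x02, 0x04, 0x05
HID_CLASS, MASS_STORAGE_CLASS = 0x03, 0x08


@dataclass
class UsbDevice:
    vid: int
    pid: int
    interfaces: list = field(default_factory=list)  # (class, subclass, protocol)


# --- descriptor builders (USB 2.0 spec, chapter 9 layouts) -------------------
def device_descriptor(vid, pid):
    # 18-byte device descriptor: bLength, bDescriptorType, bcdUSB, class/sub/proto,
    # bMaxPacketSize0, idVendor, idProduct, bcdDevice, string indexes, bNumConfigurations
    return struct.pack("<BBHBBBBHHHBBBB", 18, DEVICE, 0x0200, 0, 0, 0, 64,
                       vid, pid, 0x0100, 1, 2, 3, 1)


def interface_descriptor(num, cls, sub, proto, n_endpoints):
    return struct.pack("<BBBBBBBBB", 9, INTERFACE, num, 0, n_endpoints, cls, sub, proto, 0)


def endpoint_descriptor(addr, attrs=0x02, max_packet=64, interval=0):
    return struct.pack("<BBBBHB", 7, ENDPOINT, addr, attrs, max_packet, interval)


def config_descriptor(interface_blocks):
    # One configuration with the given interface (+endpoint) blocks concatenated
    body = b"".join(interface_blocks)
    header = struct.pack("<BBHBBBBB", 9, CONFIG, 9 + len(body),
                         len(interface_blocks), 1, 0, 0x80, 50)
    return header + body


# --- parser: walk the descriptor chain by bLength -----------------------------
def parse(dev_desc: bytes, cfg_desc: bytes) -> UsbDevice:
    length, dtype, _, _, _, _, _, vid, pid = struct.unpack_from("<BBHBBBBHH", dev_desc, 0)
    if length != 18 or dtype != DEVICE:
        raise ValueError("not a device descriptor")
    dev = UsbDevice(vid, pid)
    off = 0
    while off + 2 <= len(cfg_desc):
        length, dtype = cfg_desc[off], cfg_desc[off + 1]
        if length < 2 or off + length > len(cfg_desc):
            raise ValueError("malformed descriptor chain")  # reject truncated/hostile input
        if dtype == INTERFACE:
            _, _, _, alt, _, cls, sub, proto, _ = struct.unpack_from("<BBBBBBBBB", cfg_desc, off)
            if alt == 0:  # default alternate setting only
                dev.interfaces.append((cls, sub, proto))
        off += length
    return dev


# --- policies -----------------------------------------------------------------
def allow_by_vid_pid(dev: UsbDevice, allowlist) -> bool:
    # Identity comes from the device; a malicious one simply claims a trusted pair.
    return (dev.vid, dev.pid) in allowlist


def allow_by_interface(dev: UsbDevice, allowed_classes) -> bool:
    # Judge by what the device asks to *do*: deny any interface class outside the
    # allowed set, e.g. a HID keyboard appearing on a "mass storage" device (BadUSB).
    return all(cls in allowed_classes for cls, _, _ in dev.interfaces)


ALLOWLIST = {(0x1234, 0x5678)}  # hypothetical "known good" flash drive

STORAGE_IFACE = (interface_descriptor(0, MASS_STORAGE_CLASS, 0x06, 0x50, 2)
                 + endpoint_descriptor(0x81) + endpoint_descriptor(0x02))
KEYBOARD_IFACE = (interface_descriptor(1, HID_CLASS, 0x01, 0x01, 1)
                  + endpoint_descriptor(0x82, attrs=0x03, max_packet=8, interval=10))

# Constructed sample devices: an honest drive, and one with the same VID/PID
# that additionally enumerates a keyboard.
HONEST_STICK = (device_descriptor(0x1234, 0x5678), config_descriptor([STORAGE_IFACE]))
BADUSB_STICK = (device_descriptor(0x1234, 0x5678),
                config_descriptor([STORAGE_IFACE, KEYBOARD_IFACE]))


def evaluate(dev_desc: bytes, cfg_desc: bytes, allowlist=ALLOWLIST) -> dict:
    dev = parse(dev_desc, cfg_desc)
    return {"vid_pid": allow_by_vid_pid(dev, allowlist),
            "interface": allow_by_interface(dev, {MASS_STORAGE_CLASS})}


if __name__ == "__main__":
    for name, sample in (("honest", HONEST_STICK), ("badusb", BADUSB_STICK)):
        print(name, evaluate(*sample))
```

The interface policy is still software on the host, as the thread points out, and it only sees what the device declares; a device can present a clean configuration first and switch later, which is why the hardware-level answers (data pins physically absent, or a port that stays power-only until explicitly enabled) come up repeatedly above.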

Hey, I'm sorry to hijack this. Is there a way to contact you about rsync.net? Support hasn't replied for a week, Twitter seems unmonitored - don't know any other way but this right here.

AFAIK they don’t exist for USB-C PD since it’s quite a bit more complicated than previous protocols (switchable source / sink, variable voltage

How do you know you can trust the "USB Condom"?

And another dongle.

One easy answer is to give people an "appliance"/task-specific computer instead of a general purpose computer. So the computer is essentially just a hypervisor that loads the appropriate appliance which only allows them to do specific tasks - one for banking, one for email, one for writing documents, one for browsing, one for gaming, etc.

>Even USB-C chargers can infect your machine

Why would anyone assume otherwise?

People assume cables are dumb metal connections, nothing more. It doesn't help anyone to be condescending about op-sec.

Power/charging cables in particular.

After all, when was the last time your power drill caught a virus from your extension cord?

Outside of this audience, it's rather common[0]. It's not something that people, outside of these communities, harp on all that much. But even things we do harp on, like not reusing passwords, are still things that the majority of people do[1].

I worked in various security positions at one of the US's biggest ISPs and routinely brought these sorts of things up to family members. I am embarrassed by the kinds of practices my family employs. The excuses vary but most of them fall along the lines of the same excuses smokers give when asked about lung cancer risks: "It Won't Happen to Me(tm)".

Even within our industry, bad practices exist all over the place. An example I often point to is Code Signing certificates[2] -- I went through the trouble of generating a CSR offline using a Linux live CD, backed up the private key to an encrypted thumb drive and placed the result on a Yubikey to protect it when I need to sign something. The best part was sorting out how to actually give the CSR to the CA I used to purchase the key from. They offer all kinds of convenient, (IE and Firefox-only) in-browser mechanisms which result in generating the key online in a potentially already-compromised machine, but I ended up having to go through several steps using phone support to get my CSR to the CA. The way they did things encourages people to not think about protecting the private key; simply leaving it on an unencrypted volume with (likely) no other encryption used to protect the key.

[0] https://thenextweb.com/insider/2011/06/28/us-govt-plant-usb-... And these are specifically the kinds of people that should expect to be targets of an attack like this.

[1] https://digitalguardian.com/blog/uncovering-password-habits-...

[2] I mention this kind of certificate because its credentials are such that an individual or company is named -- it's meant to identify a person or a legal entity, not a domain name -- and things signed with it result in that legal entity or person's legal name being displayed on launch in operating systems like Windows. It's something that you really wouldn't want to have fall into the wrong hands lest your name end up being prominently displayed prior to the installation of malware.

Not everyone is an opsec expert

Indeed - and an opsec expert needs to have a clue about human nature, anyway.

Ok, but why would you assume that USB-C is somehow more secure than USB-B?

My guess would be that many USB-C products are charging cables, dongles, and other items that the average user would not associate with having the capability to store data, making them inherently "safe" in their eyes. USB-A, on the other hand, is commonly associated with storing data, and the majority of user awareness and education about the danger of unknown devices is focused on flash drives. For these reasons I can see how someone without technical experience may believe that flash drives specifically are potentially dangerous, while believing that other USB-A/USB-C cables/adapters/chargers are safe. In my experience most users don't even know what USB-B is.

Because they are chargers. My 2015 Macbook charger is not vulnerable, my 2016 Macbook charger could be. It's not reasonable to assume that end users intuitively get that.

I'm a web developer and I had no idea ¯\_(ツ)_/¯

We assume that bridges won't collapse, planes won't fall out of the sky. Engineers are supposed to build things that are safe to use. That's a reasonable expectation.

You're more naive than the people you're referring to.

Easily solved with a USB Condom:



Edit - note, this isn't properly secure! Please screen your devices properly and consult your organisation's security team/local tinfoil hat wearer, or educate yourself about side-channel attacks, monitoring, and the history of surveillance devices.

I mean not necessarily; although it stops data access to your computer, you're still powering a device close to your computer which could have a sniffer/camera/microphone.

Very true! There's also potential side-channel attacks regarding noise in the power supply (example: https://arxiv.org/pdf/1801.00932.pdf), so it's definitely not a guarantee of safety.

Best to open it up for inspection, then destroy it. There's not a lot of room inside the body, by the looks of it, but there could still be plenty of fun stuff hidden in there anyway.

Thinking logically though: due to the public nature of the release, it might actually just be a fan..

The journalist in question appears genuinely happy with the fan, and reacts incredulously to suggestions it might contain malware...

The chances of it containing malware are very slim, and it would be easy to find out if they are malicious, with nothing more than a screwdriver.

That's more a South Korean thing and this particular summit is between the US and the North. Even in the South that myth is on the wane so I doubt it has much relevance here.

I'm guessing that's why it was labeled "additional context" and not "This concept is totally a centrally-important and causal factor here."

It's the equivalent of posting a Wiki article on a random Israeli superstition as "additional context" for a summit between the US and the Palestinian Authority.

If South & North Koreans were as ethnically, culturally and religiously distinct as Arabs & Jews that example would be more apt.

It's not like this is some ancient tradition you'd expect them to share. The fan death urban legend first arose in the last century, just shortly before the countries were divided. They've been separate (and relatively isolated) for most of the time the myth was spreading in South Korea. I don't know what North Koreans think on the subject, but I wouldn't take it for granted that the urban legend is relevant context here.

Neither would I; nor would I take it for granted that it's so emphatically irrelevant, as some have done here. I would in fact, simply take it as "additional context."

The malware this USB device installs had better be called "Fan Death."

It's probably not malicious.

That's not to say it's definitely not malicious, and I certainly wouldn't be plugging it into my phone. But it is Singapore, where it is hot, so I do understand the rationale of giving fans to the journos.

I suspect that the person in charge of the decision didn't consider the fact that USB fans are a possible attack vector.

I think that some readers here have been reading too much Frederick Forsyth or Tom Clancy, with these ideas about baiting and switching and bribing hotel employees.

Wow. I really want to see someone dig into these in a secure environment.

All they need to do is open it up and take a look inside. There should just be a USB port and a pair of wires, maybe a pair of resistors. If there's anything else, this is a Trojan Horse. You can probably open this up with a butter knife, maybe a small pair of pliers to open up the USB connector.

A reasonable security assessment of this device could be done in two minutes. It would take longer to take pictures of the disassembly and post the pics on twitter.

I imagine if this really is an attack the attacker would expect these devices to be subject to scrutiny - perhaps the first set of fans released to journalists are safe, but as the summit goes on and the initial reports cleared them then just bribe hotel staffers to surreptitiously replace them with Trojan Horse devices. Or have just a small subset of devices as THs and hope the ones that get opened up are the safe ones.

There might only be one intended target.

This is just what I was thinking. Make it highly targeted to a few people, and swap it out at two points. Swap it for the hot unit mid-summit, then swap back for a normal unit at the end. If they’re really lucky this could become a normal or expected thing, and be useful as a vector in the future.

In that case, couldn't the attacker just attach bugs to journos' computers or other electronics instead?

Can you disguise other components to look like resistors?

I'm not going to say 'no', but I would highly doubt it.

If you're wondering what the 'state of the art' in disguising components to look like other components is, this [1] is probably the best example. It's a guy that turned an LED into an LED and an inductor, and put transistors inside of switches.

What you're proposing -- basically putting a USB-capable microcontroller inside something that looks like resistor -- isn't impossible. I can imagine that it could be done, but I would have no idea how. You would probably go with a very small (physically) microcontroller, maybe one of the SOT-23-6 PIC or AVR packages. I don't think it's possible to write a USB stack for those, and you only have 1-2kB to implement a BadUSB [2] sort of thing. It might be possible, but I doubt it. Still, that size of package could be disguised as a (large) SMD resistor, although the PCB would look odd with the addition of extra traces.

To be honest, it really wouldn't make sense to disguise a microcontroller as passive components. It's already been demonstrated journalists will gladly plug random USB devices into their computer. If you wanted the device to just pass a cursory investigation, you'd just put a glob of black epoxy over the USB port. Hiding a microcontroller as a pair of resistors might be possible, but it's far more effort than what is really needed.

[1] https://www.youtube.com/watch?&v=RkTvDjhImwo

[2] https://opensource.srlabs.de/projects/badusb

Who exactly is handing these out? It could be a trojan horse, but I'd be interested who's trojan it actually is.

Sometimes a USB fan is just a USB fan.

True. Take the data pins out in this case and it should be ok.

Can't it still contain a concealed microphone built into it that would record voice and transfer it over radio?

There's a gap between "can" and "should"

As a targeted attack it makes sense. Still you would have to muffle the sound of the fan.

The number of people who will receive one of these who know that there are data pins in USB or which pins are the data pins would be exceedingly small.

Plus, there does not need to be a data connection for the powering of these devices to present a security issue. It could just need power to run a microphone or GPS.

oooh free microphone/GPS

True, although that doesn't seem like a particularly safe attitude for journalists reporting on US/NK relations.

Someone should get it, investigate and post results

Is there any kind of serial dongle that can filter out the unnecessary comm circuits and simply provide power, say just a pass-through to block the data portion of USB?

they're called usb condoms

I'd love to get one of these to play with.

How generous!

Who handed these out? And what are the odds that any free USB device contains malware or spyware of some sort?

Yeah, my first thought as well, I hope no journalist working with sensitive information just plugs the thing in.

Do journalists even have sensitive information anymore? It seems like the new thing to do is write an article and find a "source" later.

The thing you are describing isn’t a journalist.

Maybe they all have Alexa in listen-only mode.

How nice.

Free USB device? Only the Trump admin would be dumb enough to fall for this. Imagine one of these making it back to AirForce1 or, God forbid, the White House. Fucking idiots.

The USB trojan connects back to the command and control server and waits to be instructed to spray VX nerve gas into the fan. A refreshing cool breeze of remote death.
