Analysis of USB fan given to journalists at North Korea-Singapore Summit [pdf] (cam.ac.uk)
163 points by danso 6 months ago | 84 comments

“VCONN pin is connected to VBUS via a resistor. There are also diodes on the board”

A truly paranoid analyst would check that these things that look like a resistor or diode actually are resistors and diodes. That may not be easy, as they could contain a tiny cpu and a few bits of flash memory that change the behavior from “resistor” to something else after x power ups or, using an on-board real-time clock, at a given date, or that run in parallel to the resistor or diode. A simple RFID chip already could be somewhat of use to spies.

Even simpler, that “resistor” could contain a tiny microphone and a radio transmitter (getting reasonable audio quality and reasonable radio range likely would be a challenge, but that’s what big budgets are for).

I used to think things like these were fun conspiracy theories for a slow afternoon. I remember seeing a guy who got Linux running on a spare ARM CPU on his SATA hard drive, thinking "that'd be a great place for a rootkit".

But didn't think much further of it as that can be a dark rabbithole to go down. Then Snowden leaks came out, and it turned out technology was an active, hostile and full scale warzone.

These are not unreasonable thoughts to have now. Even if you prove one of these fans is safe, it does not prove that an individual has not been targeted with a fan with a payload.

Also, don't discount the entire circuit being the bug. https://en.wikipedia.org/wiki/The_Thing_%28listening_device%...

Exactly. That's a fantastic tactic. Give out a thousand fans and have only 9 or 10 of them be compromised. A safe fan gets torn down by security researchers and declared vanilla, and those 9 or 10 targets believe their fans are safe to use.

Or even just fake the analysis outright. North Korea having someone at Cambridge, or at least being able to feed them a benign variant via an unnamed journalist, is not out of the question.

We can probably rule this out since the paper doesn’t conclude that North Korea is #1 and Bless Dear Leader

The workers' effort of dismantling the fan promoted the mass line consciousness and building of a vigorous cadre feeling in the whole army.

Yes. This is obvious but also counterintuitive. People forget that it's a long game and that malware (such as Stuxnet) is patient and penetrates gradually.

I ordered some 2 pin RGB LEDs a few years back. They change color over time via some built in IC, but the crazy thing is that the IC is so small that you can't even see it. And it all fits nicely within a standard LED. I would imagine someone could even fit a similar IC within the traces of a circuit board and nobody would be able to tell.

All of the puzzles Henryk Gasperowicz makes are this sort of thing. They're fun to try to figure out even if you know the basic idea, as they're pretty much all analog circuits. EG: https://www.youtube.com/watch?v=WvXKSSmItls

Ha-ha... damn, this is so cool! Thanks for the pointer.

Does he ever explain how the tricks work?

He posts full schematics on his google+ page - https://plus.google.com/+HenrykGasperowicz

Here is the schematic for the 3LEDs & 0 switches video liked by GP - https://plus.google.com/photos/116398424278304767741/album/5...

I don't understand the electronics, but the logic is hidden inside the 9 volt battery connector.

The bit inside the 9 volt connector isn't really logic. The flip-flops and Schmitt trigger gates are just to generate square waves at 3 different frequencies. There's also a small power supply to drop the 9V down to 6.2V for the input of that, some comparators, and a bit of filtering.

The LEDs contain LC filters, tuned such that they'll light (visibly) when the appropriate frequency is applied. Touching the wire in different places creates a different parasitic load, which is detected by one of the comparators. That comparator then toggles the clock generator for the appropriate frequency, turning that LED off or on.

As with all of his circuits it's a brilliantly simple idea implemented in a ridiculously constrained space.

What I like is how it breaks down the model that most people had. Models simplify, but they also constrain and we need to always be cognizant of where the model stops.

Some people over train in model-space and are unable to make thoughts that occur outside of that universe.

This video of "Inside the RFID Stickers from a Chinese Cashier-less Store" (around 9:20 and again at 12:20) was a real eye-opener to me: https://www.youtube.com/watch?v=0QKrHi-G9WQ

If you're a government operation trying to bug an electronic device, chances are you're certainly not going to have your bug revealed by a simple teardown like this. I've heard rumors of certain cases where current fluctuations in the VBUS rail caused by certain peripherals can be used to compromise the USB controller. Additionally, embedded components can be placed between PCB layers, making it essentially appear "invisible" without using an x-ray system.

There _was_ a government operation like this recently:

"Russia spied on foreign powers at last month’s G20 summit by giving delegations USB pen drives capable of downloading sensitive information from laptops" - https://www.telegraph.co.uk/news/worldnews/europe/russia/104...

And these are simple to do, see BadUSB and Rubber Ducky

> These are not unreasonable thoughts to have now

They weren't really unreasonable thoughts to have back then, they may have just seemed unreasonable.

You're absolutely right that it would be almost impossible to detect a malicious device in one of those components. But a few things come to mind:

1. If you're that paranoid, don't plug stuff in to your USB ports EVER.

2. If you're going to put a malicious device in this thing, connecting it to VConn isn't a good idea - since you'd have to be hoping that whatever you've plugged into is insecure at a hardware level in quite a specific way that there's no evidence of.

3. There seem to be easier ways to hack visitors to Singapore - like getting physical access to their laptop.

> 3. There seem to be easier ways to hack visitors to Singapore - like getting physical access to their laptop.

In the US, it's as easy as Customs giving you a choice: 1) sit in a room indefinitely or 2) let them take your device into another room for an hour or so. Definitely a case of this: https://www.xkcd.com/538/

I've zero intention of ever visiting the US (partially because of shit they pull like your post) however if for some (incredibly unlikely) reason it's absolutely unavoidable I'll not be taking any electronics with me at all or taking something cheap and cleanslate that will be binned when I get back - essentially I treat the US as having the same threat model to visitors as China - well done whoever thought up those policies.

> 1. If you're that paranoid, don't plug stuff in to your USB ports EVER.

If you're that paranoid then is any consumer hardware safe these days? Almost undetectable hardware could be slipped into just about any device and they're mostly manufactured in a country hostile to personal freedom or countries under their influence.

The future is probably riscv style open hardware but that will need to be combined with local fabrication facilities.

> The future is probably riscv style open hardware but that will need to be combined with local fabrication facilities.

The big question is whether RISC-V is open enough for such purposes.

Is this satire? Did you see the size of the resistors on that thing in fig 5?

But a resistor or diode only has two connectors. How could one possibly hide a tiny CPU or RFID chip inside with only those connectors? Two connectors would be the minimum to just power the chip up.

See https://en.wikipedia.org/wiki/1-Wire

"One distinctive feature of the bus is the possibility of using only two wires: data and ground. To accomplish this, 1-Wire devices include an 800 pF capacitor to store charge and power the device during periods when the data line is active."

You can buy devices that put an entire JVM inside a two-terminal component, of similar physical size.

How about we go full meta and suspect the linked PDF is the malicious payload vector?

That would be an awesome attack.

Supply journalists with harmless USB devices. Then pass around a fully weaponised PDF.

For those that think malware in PDFs is history, here's a link to 2 zero days found just this March.


I'm glad someone is going full Hari Seldon on this.

It's not necessarily science fiction.

No need to. Sergei Skorobogatov is actually a secret North Korean agent, the pictures and report are a lie and the fans are indeed infected.

One of those times I should have read the comments first. Thanks.

The going theory at the time was that they only bugged some percent of them in the hopes that someone would publish an analysis exactly like this and then everyone else would plug them in freely.

The idea that somebody has been waiting around to plug in a $0.50 fan until a security researcher did a tear down is absolutely absurd.

They weren't waiting around, but the idea is that they would just hear it through the rumor mill and then decide, "oh hey I guess I can plug this in".

Having done security for many years, especially user security, I can say with certainty that some people are this dumb.

I'm surprised they didn't disassemble the fan proper- while it's not useful as a USB spy device, if we're going to go full paranoia, those lines could still be powering something in the fan chassis itself.

Did you look at the picture? The lines are not connected at all.

You could fit an entire array of mics, sensors and radios inside the fan that are powered by the USB port. No need to connect to the laptop to record and broadcast info.

Pretty unlikely though.

To me, it looked like the plastic molding was oversized for the circuitry inside, which makes me think there may be variants of these fans. This was the `NOP` variant while perhaps others have `malware drop`, `GPS beacon`, `audio capture` or some other capabilities added inside the same chassis with maximum ease.

Of course all of this is entirely speculative. Maybe this design was cheaper to produce or simply shown to be sturdier compared to a smaller alternative.

It could even be that they had an earlier circuitry design that was slightly larger and then they realized it could be simplified but at that point they had ordered the chassis.

Not really. There was a microphone inside a gift that was in the oval office given by the Soviets, which broadcasted info for many years. They called it "the thing".

And the microphone was just the diaphragm that a microwave beam was bounced off of. The device itself was entirely passive.

What if there are chips and wires inside PCB?

That was my thought as well - No visible connection on the surface of a PCB does not prove there is no connection on a pin, only that there is no connection on the surface.

Multilayer PCBs are commonplace, and a stealthy version which does not show the layers at the edge of the board and encapsulates ICs is not a stretch.

All that said I agree with the sentiment in other posts here that this attack vector is so obvious that the likelihood is higher that this is simple trolling. Then again, that kind of 'discovery' trolling also provides signals intelligence, of a kind, in observing the reactions to it.

They don't need to be connected. You could have an airgapped circuit with power fed from the rotation of the fan itself.

I'm referring to the ones that provide power to the fan, not the data lines.

Nice, an analysis from the future :)

Jokes aside. My guess would be that it is highly unlikely a half decent secret service would use such a method to spread a virus or a trojan. On the other hand, I would also guess that no serious journalist will contemplate using a free device provided by a rogue nation just in case.

> On the other hand, I would also guess that no serious journalist will contemplate using a free device provided by a rogue nation just in case.

I disagree. While tech-minded journalists may be aware of the risks of untrusted USB devices, the same cannot be expected of everyone; even if they know that USB drives are potentially dangerous (already a crapshoot, even in some tech-related jobs), people unfamiliar with computers may not realize that the same risks apply to all USB-powered devices.

Last-Modified header: Tue, 03 Jul 2018 12:39:05 GMT

It's possible he put the date on which he plans to more formally publish or present it.

Ha! I didn’t catch that until you pointed that out. I wonder why it is dated July 27, 2018... maybe the report is still a work in progress?

There's a lot of hysteria surrounding these freebie swag items, enough that you have to wonder if either exactly this sort of reaction was expected, and they're laughing at exactly the expected level of fear and paranoia produced at the mere sight of a USB jack... or... they could only but roll their eyes, as they dropped a USB device into the mix out of curiosity to see if there would be any reaction at all, expecting possibly a muted, cool brush off, unconcerned about exploits, and instead caught ten or one hundred times the wave of hysteria, for something they might have internally estimated would be rated as being perceived as a mild security hazard.

Seriously, this has all the alarmist fear mongering of the Cuban embassy sonic weapon mystery, but none of the smoking gun who-dunnit clues.

People are going to be chasing their tails on this one, wondering if the fan rotors spin at resonating speeds to give off infra-sonic beam-forming geolocation signals, and that's after they sample scrapings from 1000 different components in a gas chromatograph mass spectrometer only to find that they were some standard Chinese USB components, purchased in bulk orders months ago, but had arrived too late for Olympics swag and were basically left-overs.

It's funny, but I think the volume of this knee-jerk reaction caused more damage than an actual attack could have.

If North Korea was going to try and swindle its way onto targeted USB interfaces, I'd have to imagine that they'd attempt a level of indirection (at least one), and launder the swag through a secondary shell entity, like some shady third-world press corps gadfly to the event.

If they hadn't thought of that before (even though I'm sure they already do think that way), this hair-on-fire reaction has certainly taught them to do so, unconditionally, going forward.

Before clicking the link I took a moment to think about how I’d design such a device for nefarious purposes, hoping that the author ought to be able to defeat whatever a mere hobbyist could come up with.

It would appear I’d make a better spy than the author would make a security analyst.

Penn Jillette has given interviews on what mindset is needed to trick people. One basic rule is that people will gravely underestimate the lengths he is willing to go to in order to trick the audience.

I’m not saying this is a spying device. I am merely pointing out that the author shed no light on whether it is.

For your entertainment: https://youtu.be/WvXKSSmItls

Your comment doesn’t explain how you tricked the analyst so I downvoted you.

Perhaps the bug can only be activated by an external source, e.g. Theremin's bug :


The moving fan motor could act as a simple microphone.

A malicious chip inside the USB-C connector with pass through power to the fan seems reasonable.

This. There's plenty of space to overmold a chip embedded in the USB-C connector itself, and such a device would naturally open-circuit the data pins when powered off (defeating the multimeter test).

This "analysis" is so superficial that I thought it was a joke at first. At the very least the device should be completely disassembled and/or X-rayed.

These usb cables with data switches need to become more commonplace. https://www.adafruit.com/product/3438

That only helps if the spy equipment needs more than power from the USB port. It doesn't need a data connection if it's picking up RF noise from the laptop and audio from people to transmit to nearby agents.

It was done in the '80s with much less advanced technology: http://www.cryptomuseum.com/covert/bugs/selectric/

Surprised to see USB-C connector. Has it gone mainstream all the way in place of Type-A?

Not yet, but we're going there.

Just for the sake of curiosity, wouldn't it be possible to embed some sort of self-contained microdevice inside the motor? A USB "rubber-ducky" type device is kind of expected, piggybacking something else off the USB would be kind of interesting. Cheap throwaways like this wouldn't make sense target-wise, but it's fun to think about.

That is the reason you have an X-ray to vet electronics before allowing them into secure areas (with potentially secret sound and generic em-waves (from 200nm to 300000km aka 300Mm)). If you don't have that already, you don't have that much physical security...

Would the magnets in the motor interfere significantly with radio transmissions? Not that it would preclude devices being housed inside either way, just introduce complications.

You can surely have a big case around a small motor (either smaller radius or smaller length) and fill the rest with components

Even if not the motor, they could likely fit some components in the USB jack itself, before it reaches the pins/board

Just curious why would a nation secret service organisation spy on journalists? They are not delegates of the summit.

Journalists have sources that the spy organization would very much like to learn the name of. If you're going to come down hard on leaking, bugging journalists or compromising their phones is the most logical thing to do. The reporter that gave up the fan for analysis was absolutely right to be paranoid here.

They may want to know who is leaking the sensitive information to the journalists

They potentially have contact with dissidents and leakers.

Each device emits a specific RF signature when turned on. Nothing more. The Red Team then knows which journalists are susceptible to these kinds of attacks and will use this information later.

The meme of infected usb sticks in the parking lot is so old and known by everybody and their grandma, that only a prankster would really do it, with a parody screensaver virus.

A serious secret service would use more up to date methods.

Take something super banal (a mobile fan), give it a blindingly obvious hacker-y feature (USB connectivity), and distribute them among visitors from an adversarial country (the U.S.), and you're going to be hard-pressed to find someone who isn't at least the tiniest bit suspicious. This is so entirely Spy Device 101 that the payload is likely just entertainment for DPRK officials– watching everyone stress out and tear it apart looking for something malicious. And that, in and of itself, is pretty damn twisted.

I'm not sure I would call it twisted - it's humorous to watch, but not particularly malicious, and if there are truly no devices in any of the fans it could even be construed as a gesture of good faith.

I, for one, appreciate the show.

Why are there so many people assuming this was a malicious actor?

It was most likely some organiser just organising swag for the conference, who didn't think about the implications because they weren't aware of them.

Never attribute to malice that which is adequately explained by stupidity (well, ignorance in this case).

Why would the North Koreans go through the trouble of buying a bunch of fans on Aliexpress just to make some security people freak out?

Or they could continue using the attacks that work.

You have much higher faith in humanity than I do.

Like rogue USB-charging ports in airplanes?

Are these documented? I imagine that would have to be snuck in at construction…

Just Google it

What a quick read..

Whoa! That had all the suspense of a Geraldo Rivera special. /s

Flagged because not worthy of the frontpage.

What about inside PCB, motor stator, USB connector, etc. Must be some example of Cambridge on how NOT to do anything..

Someone should do an analysis of that pdf to see if anything is embedded in that.
