Yottabytes: Storage and Disaster Recovery

Jul 23 2018   8:00AM GMT

Korean USB Fans Invite Scrutiny

Sharon Fisher


Security experts watched in horror as journalists attending the US – North Korea summit in Singapore in June were handed gift bags containing adorable little USB fans. Plug them into your laptop and they would help keep you cool.

They could also, as you know if you’ve read this blog for any length of time, steal all the laptop’s data, reprogram all the other USB devices on it, destroy it, or set it on fire.

USB fans in and of themselves are nothing new; there are pages and pages of the things available online. But eek! These were from North Korea! They could be booby-trapped!

Journalists who posted pictures of their swag on Twitter were warned by security researchers that for Gawdsakes don’t use the things, noting that Russia had used USB devices for espionage.

“Aiieee! Journalists – Do. Not. Plug. This. In.” warned one Tweet.

It would be only poetic justice if North Korea did, since people have been “attacking” North Korea with USB drives carried across the border by little balloons and loaded with shows such as Desperate Housewives, The Mentalist and soap operas, films like Bad Boys, The Interview, and action films, and a Korean-language Wikipedia – all intended to foment dissent using popular culture.

None of the tested fans have revealed any malware thus far. “This particular sample of USB fan does not have any computer functionality on USB interface,” noted one UK analysis, which dissected one of the little fans. “It can only be used for driving the motor from USB power.”

“No data transmission of any sort was observed,” noted another report by the Celsus Advisory Group, a security consulting firm. “The resistance of the device went up some over time, but this appeared to be connected to the rising temperature of the device rather than something nefarious. The device seemed to be free of implants.”

But officials are still worried. Perhaps some of the USB fans are indeed booby-trapped, and the innocent ones are decoys intended to let our guard down. Perhaps the malware is simply too well hidden. Celsus went on to describe some of the possibilities. “There is a motor…which if built to ‘custom spec’ might oscillate at a specific frequency providing a specific electronic signature when operating. This could be used to profile the target, or perhaps something even more interesting.”

And there’s more. “Imagine a factory installed battery that is designed to track keystrokes and user activity (phone, email, chat) by baselining and tracking power flow to the unit,” Celsus writes. “Each character and action creates a power spike! There’s even an easy way to exfil the data since most mobiles are internet connected 24/7. Pwn the phone without touching the OS/Baseband. Cool right? It’s been done.”

And more. “Envision a 3d printed WiFi connected plastic object, and metamaterial printed antenna utilizing local WiFi RF backscatter to provide power and to connect to the internet,” Celsus writes. “Imagine creating a heatmap of a room or a vehicle using the reflected WiFi signals and exfiltrating the WiFi hologram outbound, all without a battery.”

(Incidentally, if you like this sort of thing, Black Hat is going on in Las Vegas next week; the even more nerdy Defcon occurs a couple of weeks later.)

Singapore’s Ministry of Communications and Information, which the BBC reported had put together the gift bags, was affronted that anyone would think anything nefarious of them. “The USB fans were part of Sentosa Development Corporation’s (SDC) ready stock of collaterals, originally meant for Sentosa Islander members,” the organization told the BBC. “SDC had assessed USB fans to be a handy and thoughtful gift for the media, who would be working in Singapore’s tropical climate. MCI and SDC have confirmed that the USB fans are simple devices with no storage or processing capabilities.”

The manufacturer also weighed in, saying they didn’t have any ability to make such a device.

Of course, that’s what they’d want you to think.

All in all, the fact that no sabotage had taken place in the examined USB fans was in itself an ominous development, researchers write. “This does not eliminate the possibility of malicious or Trojan components wired to USB connector in other fans, lamps and other end-user USB devices,” the UK report continued. “Hence, their evaluation will be essential before any sensitive usage.”

“Maybe the person who received the package wasn’t a targeted POI,” Celsus noted. “Maybe the system in question requires being tickled in a specific way to elicit an illicit behavior. Or perhaps none of the fans were dual purpose in nature; eg fan AND surveillance implant. This is a difficult problem to address without reviewing ALL the potentially poisoned pills.”

“Malicious actors could have narrowly targeted one reporter who was of special interest out of 100, meaning that most fans may have appeared harmless even as some might have been used to target specific journalists,” warned Hamza Shaban in the Washington Post. (Which, no doubt, was put out that it wasn’t considered important enough to target in this way.)

In other words, you would need to dissect each fan individually to make sure it was safe – at which point, of course, it would no longer work. Some 2500 journalists were accredited to cover the conference, so we’re talking about a lotta fans.

Apparently it is necessary to destroy the fan in order to save it.

2 Comments on this Post

  • a1r9i5
    Apparently it is necessary to destroy fan in order to save it
  • hamidra
    yeah man! 
    it's a valuable information. thanks for sharing