BlankMini fan prompts security reminder: Cool it with suspicious computer parts
. Hamza Shaban.
When journalists arrived in Singapore for the historic summit between President
Trump and North Korean leader Kim Jong Un last month, security experts were
alarmed by what awaited those who were covering the event. Inside a welcome bag
that included bottled water featuring the faces of Trump and Kim and a guide to
the area was something far more suspicious: a miniature fan that connects to a
computer's USB port.
The discovery prompted a security researcher to disassemble the fan to inspect
the USB. Security experts say
that people should never use USB devices without knowing where they come from.
Hackers and spies can use them as Trojan horses -- devices that seem innocuous
but are loaded with malware designed to take control of a target's computer and
steal information.
The summit had attracted journalists from all over the world. Since reporters
are often in contact with business and government officials and gather
non-public information, their personal devices and newsroom networks could be
enticing targets.
Experts say USBs are a common way for hackers to gather information or infect
devices. In 2008, Russian agents planted
virus-carrying USB sticks in retail kiosks around NATO headquarters in Kabul to
gain access to a classified Pentagon network, according to the New Yorker. In
2013, Italian newspapers alleged that Russian operatives used USB devices to
try
to spy on world leaders at a Group of 20 summit in St. Petersburg.
Research suggests that average citizens can also become targets. In 2011, the
Department of Homeland Security planted USBs and CDs in government parking lots
to test the security practices (and susceptibility) of employees and
contractors. Sixty percent of people who picked up the items plugged them into
work computers, and if the disks or USBs had an official logo printed on them,
the rate shot up to 90 percent.
In another experiment conducted at the University of Illinois Urbana-Champaign
in 2016, researchers dropped nearly 300 USB sticks on campus and found that
nearly half the time someone would pick them up and plug them into their
computer.
Sergei Skorobogatov, a hardware security researcher at the University of
Cambridge, tested one of the fans from the
summit. In an analysis of the components, Skorobogatov said he found no
malicious software functionality. But he was quick to add that people shouldn't
let their guard down when it comes to swag."
"However, this does not eliminate the possibility of malicious or Trojan
components wired to USB connector
in other fans, lamps and other end-user USB devices," he wrote in the analysis
published on his staff website and first reported by ZDNet. In other words,
it's
not a good idea to plug unknown devices into the USB ports of your own devices,
Skorobogatov said in an interview with The Washington Post. He added that, as
in
the case of the fans, just because one USB device in a given group is safe
doesn't mean the rest of them are."
Jake Williams, founder of the cybersecurity firm Rendition InfoSec and a former
member of the National Security Agency's hacking group, was also circumspect
about the USB fans. He said that malicious actors could have narrowly targeted
one reporter who was of special interest out of 100, meaning that most fans may
have appeared harmless even as some might have been used to target specific
journalists."
The extremely small sample size of one fan makes it hard to draw conclusions,
he
said.
But on the general practice of using hardware given to you by strangers or
found
in public places, he was direct: "It's horrendously bad."