Teardown Of USB Fan Reveals Journalists’ Lack Of Opsec

Last month, Singapore hosted a summit between the leaders of North Korea and the United States. Accredited journalists invited to the event were given a press kit containing a bottle of water, various paper goods, and a fan that plugs into a USB port.

Understandably, the computer security crowd on Twitter had a great laugh. You shouldn’t plug random USB devices into a computer, especially if you’re a journalist, especially if you’re in a foreign country, and especially if you’re reporting on the highest profile international summit in recent memory. Doing so is just foolhardy.

This is not a story about a USB fan, the teardown thereof, or of spy agencies around the world hacking journalists’ computers. This a story of the need for higher awareness on what we plug into our computers. In this case nothing came of it — the majority of USB devices are merely that and nothing more. One of the fans was recently torn down (PDF) and the data lines are not even connected. (I’ll dive into that later on in this article). But the anecdote provides an opportunity to talk about USB security and how the compulsion to plug every USB device into a computer should be interrupted by a few seconds of thoughtfulness first.

What Can Go Wrong By Plugging Random Devices Into Your Computer

The best example of why you shouldn’t plug a random USB device into your computer is Stuxnet. This worm, discovered in 2010, was specifically designed to compromise Iranian nuclear centrifuges, and had the effect of destroying one-fifth of Iran’s Uranium enrichment capability, and infected hundreds of thousands of computers.

Although it’s been about ten years since the Stuxnet worm was deployed, it remains the most impressive cyber weapon of all time. Stuxnet used four 0-day exploits to specifically target the programmable logic controllers of nuclear centrifuges, gradually increasing and decreasing the operating speed, until one thousand of these machines were destroyed. Whoever wrote Stuxnet — the current best guess is a collaboration between US and Israeli intelligence agencies — had deep knowledge of Windows exploits and the Siemens programmable logic controller software found on these centrifuges. While Stuxnet was quite sophisticated, it was initially deployed using decidedly low-tech means.

Stuxnet first found its way into Iranian nuclear facilities through a USB thumb drive. The exact details are not known, but all signs point to someone plugging an untrusted device into a computer without considering the ramifications.

USB Exploits: The Usual Suspects

So just what does an attack with a random USB device look like? Several different approaches have popped up over the years and they’re all rather fascinating.

The best, and easiest, way to get into a computer with a USB device is with a keystroke injection attack. This is best accomplished with a USB Rubber Ducky, a small device that looks like a USB thumb drive. Instead of storage, the USB Rubber Ducky contains a microcontroller that emulates a normal USB keyboard and will send keystroke payloads to a computer automatically. For example, if you’re on a Windows computer, typing Alt+F4 will close your current window. If you program a USB Rubber Ducky to emit the ‘Alt-F4’ keyboard combination when it’s plugged in, the USB Rubber Ducky will close the currently focused window.

These exploits can be expanded. Programming the USB Rubber Ducky with a more sophisticated script could change a computer’s hosts file. Whenever a user types in google.com into their browser’s address bar, the computer would pull up goggle.com. Software payloads could be downloaded through the command line, installing keyloggers. Passwords can be stolen in a matter of seconds with a keystroke injection attack.

This class of attacks falls under the banner of BadUSB attacks, something first discussed in 2014. It’s not just a USB Rubber Ducky, either: normal thumb drives can be reprogrammed to perform keystroke injection attacks, and a one dollar microcontroller can be programmed to perform the same attack.

Concerning implementation, the only necessary components for this attack would be a small microcontroller and a handful of passive components. This microcontroller would connect to the computer over the D+ and D- lines found in every USB port. Given a (physically) small enough microcontroller, a USB spy device could look identical to a USB-powered fan. The only way to tell the difference is to take it apart and look at the circuit board.

TURNIPSCHOOL, a device that becomes a wireless USB keyboard. Source: Michael Ossmann

In addition to a USB ducky, an attack via USB device could take the form of COTTONMOUTH, a device created by the NSA and leaked to the world through the NSA ANT Catalog in 2013. TURNIPSCHOOL is a ‘clone’ of COTTONMOUTH developed by Great Scott Gadgets and demonstrated at Shmoocon 2015. This small circuit board that fits inside the plastic plug of a USB device. This small circuit board can become a custom USB device under remote control. Think of it as a wireless USB keyboard.

But USB attacks aren’t limited to turning a USB fan into a USB keyboard. The USBee attack turns the data bus on a USB connector into an antenna, allowing for data exfiltration over radio. If you’re a state-level actor handing out USB devices to journalists and you want some lulz, the USB Killer is a great choice; this will simply fry the USB port (and possibly more) in any computer.

In short, there are dozens of ways a USB device can be harmful. They all have one thing in common, though: they all use microcontrollers, or obviously complex electronics. All of them will have a connection to the D+ and D- or TX and RX lines in a USB port. Knowing this, we can define a threat model of what an attack via a random USB device will look like. We also know how to test that threat: if there’s some measurable resistance between the D+ and D- lines in the USB port (somewhere between a few hundred kiloohms to a few megaohms), there might be something there.

The Results Of The USB Fan’s Analysis

Thanks to a reporter from The Economist, [Sergei Skorobogatov] of Cambridge University analyzed one of the USB fans distributed at the Singapore summit. The first step of the analysis was to probe the D+ and D- lines of the USB port. These connections are how every USB device transmits data to and from a computer. If these lines are disconnected, no data can be transferred to a computer. The first step of the analysis found a resistance above 1 Gigaohm, suggesting they were disconnected from everything else. Since this is a USB-C connector, the TX1 and TX2 data lines were also probed, finding they too were disconnected from everything else.

The USB-C connector and components of the Singapore fan

[Skorobogatov]’s visual inspection of the circuit board revealed VCONN connected to VBUS through a resistor. Two diodes are on the board, probably to reduce the voltage to the electric motor. There was no complex electronic device inside this particular USB fan distributed at the Singapore conference. This device was clean, but that could only be established after careful inspection.

It should be noted that resistance between the D- and D+ lines in a USB port is not evidence of any spyware, malware, or other spy device. Resistors tied to the data lines of a USB port are used for device negotiation of USB chargers. If the designers of this USB fan wanted to draw more than 500 mA from a USB port (unlikely, but let’s just roll with it), they would have to install resistors on the data lines. Therefore, a complete analysis of any USB must include a visual inspection of the circuit board.

Why This Matters

The journalist who started this whole mess by posting the image of the USB fan drive on Twitter is extremely capable and competent. As a war correspondent he faced great peril in Egypt in 2011 and during the Libyan civil war to name just two of his reporting assignments. Simply by virtue of living through those experiences, this journalist knows something about physical security. But computer security is more abstract and the same instincts are harder to apply.

The real story here is that accomplished journalists would be grateful for a random USB device given to them by a foreign government. There is every indication this journalist actually plugged this USB fan into his computer. But even if he went the safe route and opted to use a USB battery or a cable with data lines disconnected to protect against malware, I’m sure others didn’t take precautions. Out of 2500 journalists at the Singapore summit, some unquestionably plugged this threat into their computer.

There is a massive, massive gulf of understanding between otherwise competent professionals and the most basic tenets of computer security. So spread the word when you have the chance: Don’t give your passwords to people. Don’t reuse passwords. And don’t plug random USB devices into your computer.

109 thoughts on “Teardown Of USB Fan Reveals Journalists’ Lack Of Opsec

        1. only if its “collegial” aka CSB lol
          (as in having to do with a college instead of a university)

          ps the word in brackets is a bastardisation of a word in french for a very different meaning than intended here. the punch line here is that this real meaning of the word roughly means friendly, cordial, i think.

          1. This is my favorite comment ever. A short, simple joke, followed by a lengthy and exhaustive explanation, which totally ruins the joke. My favorite kind of humor. I look forward to stumbling upon more of your comments.

  1. Morning Brian.

    There’s still a psychological element to this phenomenon, and not just a RNG in-brain deciding “to plug in, or not to plug in, that’s the question”. Course that’ll necessitate an expenditure of taxpayer dollars to fund a study.

    1. What is the psychological element behind “I do not currently have the means to verify this device, so clearly I should not plug it in”? This is not any harder than “don’t eat food that you pick up off the ground”.

      1. To give you a tease of creativity; For the food off the ground, a psychological element could be the famous 5 second rule, certainly when it’s a desirable piece of food and 3 bystanders are drooling for it.
        For the USB fan, a psychological element could be experiencing a lot of heat and not having showered. “Oh boy I don’t want to be the smelly guy again, like they used to bully me in highschool, better plug in this USB fan in my shitty laptop I got from a shitty employer doing this shitty job. This day sucks, I want to go home.”

        These are very plausible ‘psychological elements’ and not hard to conceive.
        Is this the reply you were aiming for? Did you know that even nazi officers in labour camps were late for their shifts sometimes with lousy excuses.

      2. These fans weren’t lying unwrapped on the ground. They were packaged in commercially sealed plastic bags, labeled with “Made for Android” or “Made for iPhone” (as they had the appropriately shaped port) and were distributed to the members of the press in the bag containing their press information packet. Everything seemed very normal for the circumstances.

        To relate it to something most of us are more familiar with, the experience would be no different than receiving a “swag bag” at a typical conference registration booth, and eating the granola bar and drinking from the water bottle found inside. You don’t think twice about the food safety aspects because everything about the experience seems normal. Of course the conference organizers could have laced the food with rohypnol, but do you really consider that when you open the bag? Do you give it to someone else in fear of it being tampered with? Do you run a sample of the snack through a spectrometer looking for toxins? Or do you just drink the water because the travel made you thirsty?

        Worse, imagine going to DEFCON and spotting a badge lying on the floor in the hallway. It has a footprint on it and bent pins, and it obviously fell off someone’s lanyard, was trampled and kicked to the side. Are you going to pick it up? Of course – free badge! Are you going to connect it to your laptop to charge it up, and maybe see what’s on it, and how it can be hacked? It’s DEFCON – home of the world’s most hostile network. You don’t even have to think about the potential for danger, you should simply assume it’s there. Yet you know someone is going to plug it in at some point, because nobody can resist the allure of a badge!

        1. First, you distribute “clean” USB devices, which will be examined by an expert, who will give the all-clear. Then, your “clean” device will be secretly replaced by a bugged one which looks exactly the same. So I say, round them all up and crush them under your heel.

  2. A common situation is USB drives being handed out at conferences with the conference proceedings, schedule, etc on it. Is there a way to safely access that information when not trusting the USB device?

    1. For power you could use a simple pass-through cable with the power lines connected (usb-condom?).
      For data, the only thing I could find is this: https://www.circl.lu/projects/CIRCLean/
      Other approaches are possible, of course. You could, for instance, add a microcontroller to validate and relay the USB Mass Storage protocol. Something like the PIC32 (http://www.microchip.com/DevelopmentTools/ProductDetails/PartNo/dm320003-3). That would be fun and challenging project (hint!)

          1. So we can all agree that doing this wouldn’t prove that the suspect device is clean. However, it WOULD allow you to safely access data stored on the device.

          2. there was a security alert on this back in 2010 or 2009, where military stop allowing use of thumb drives and portable drives because of hidden partitions with spyware and malware being put in at factory level. the devise would copy hard drive and then burst transmit over net. personally if you want to be best spy have device with a timer that acts as open till set amount of time plugged in and then accesses data lines or even better put a micro phone and wifi into it and instant bug/listening device. it would not show on a bug sweep till you plugged it in and would prob be mistaken for the comp you plugged it into. the list is endless. and with micro pin hole cameras you can even add video

    2. If I understood correctly, USB Rubber Ducky presents itself as an input device, and our computers are quick to accept standard input devices (keyboards, mice) without giving it a second thought.

      I would make a dummy program which accepts keyboard input and does nothing but echo hex code of received characters to the stdout, captures any signals (such as Ctrl-C) and prevents the signals from terminating the program.

      Prior to inserting the suspicious device, I’d run the program from maximized window (or virtual console on Linux), to prevent false “mouse” escaping from it, and see if there is a hail of hex digits on the screen after I insert the device in USB socket.

      If nothing is printed out, then device is not a rubber ducky (unless it activates at random times later on). Kill the detection program from another console and proceed.

      Of course there are other possible attacks, e.g. the USB storage can contain data files tailored to attack vulnerabilities in various programs reading them, but that is not specific to USB as such.

    3. Don’t use your computer or use an old netbook you don’t care about.
      Most conferences are at a big hotel that has a business center with computers you can use or a helpful concierge / front desk that will print things out for you.

      1. This is the best solution, just use sacrificial computer, maybe with some USB sniffing/analysis software to observe the exact protocol exchange. However conferences usually cost money and are organized by known and sometimes even respected corporations – why would they mess with USB pendrives and risk a massive media poopstorm?

        1. So you’re confident that the people running the conference are careful to maintain high security at all times, and that there is no possibility that a hostile third party could infiltrate the devices.

        2. Anyone that posts here should have many “Sacrificial” laptops on the shelf. I’m off to Japan in a bit, still trying to decide which laptop I don’t mind losing. The HP 13″ thin client loaded with 500 SSD and Win 7 Pro 64 bit? Or the HP 11″ combo tablet/laptop with Windows 10 Pro, and 256 SSD..
          Purchased correctly, the loss is minimal..The highest price I normally pay is <$200..

    4. USB devices are essentially all trusted. I think the short answer is “no”.

      Long answer, where you can get a “maybe”: plug it into a VM and observe what it does until you’re convinced that it does no harm, or buy (expensive?) USB monitoring gear and pore through everything it does. You’re still exposed to the situation where it simply waits a few hours (or days) to do its badness.

      That said, you’re trusting the device every time you plug anything USB into your system. Do you know what firmware is inside your USB mouse/keyboard/webcam? Of course you don’t.

      Dropping loaded pendrives is a lot easier for smaller players than inserting malware into manufactured devices, but the latter is not out of the realm of possibility for state actors. On topic here, these fans look like _I_ could have gotten then made.

      Anyway… free pendrives are the low-hanging fruit that got Adam and Eve kicked out of Eden. Don’t bite on them.

    5. I keep an ancient iMac around for this reason. OS9, hasn’t been connected to internet for oh about 10 years, Airport card doesn’t support WPA2 my router uses. Still has USB port. I plug it in, if anything happens I’ll have a $25 blue and white doorstop.

      Haven’t found dangerous stuff and did get a dozen or so free USB drives that really is just for memory storage and nothing sinister.

    6. How isolated is USB passthrough in a VM host like VirtualBox? I keep a handful of VMs ready for running programs I don’t trust. I suppose I could do the same for USB devices.

  3. But when handing out compromised devices, would you hand EVERY journo a compromised device or only a targeted few? Just because THIS particular fan doesn’t contain anything doesn’t mean any or all of the other ones didn’t

      1. Not paranoid enough.

        This guy who posted about his, initiating the teardown, works for the NSA (“former military”). He’s submitting himself to Twitter ridicule to convince the journalists with the bugged devices to plug them in, maybe b/c they hadn’t so far.

        (No, I don’t really think this. But you have to admit, it makes a good story.)

  4. If the designers of this USB fan wanted to draw more than 500 mA from a USB port (unlikely, but let’s just roll with it), they would have to install resistors on the data lines.

    With USB Type-C, higher currents can also be negotiated by measuring the voltage on the CC line, between the pull-down in the fan (Incorrectly said to be on the VCONN pin in the article and its source, albeit they are interchangeable mechanically: VCONN is used for powering the cable, CC is for configuration between the host and device. Also, looking at the image, the resistor is clearly between CC and GND, not CC and VBUS.) and a pull-up in the power source. A voltage between 0.25 V and 0.61 V indicates default USB current, between 0.70 V and 1.16 V indicates 1.5 A, and between 1.31 V and 2.04 V indicates 3.0 A. Simpler than USB BC 1.2, and allows higher currents.

    1. Good point, that’s exactly what you’d expect from NK technology, half modern half old fashioned.
      And that it seems to be full of putty seems also very convenient to hide stuff.

        1. They already hacked their laptop while it was in transit from the shop.
          And I’m not even joking, it’s been shown to happen that the FBI/CIA/whatever intercepts stuff and alters it then sends it on as if it came from the shop.

    1. indeed there are 15 pin packages like WLCSP15 which are 4 mm × 4 mm. And even a 5 bump package WLCSP5 which is a tiny 0.96 mm × 1.34 mm. 32-bit ARM cores are available in these packages now, with NXP KL0x: Kinetis being an example of the WLCSP15 package.

      A USB micro-B has a 6.85 mm × 1.8 mm with an overmold up to 10.6 mm × 8.5 mm, which can hold the above mentioned device. The traditional full size type-A connectors are even easier to discreetly pack electronics into.

      1. I’ve got a bag full of AVRs in SOT-6, you can’t tell them from a modern dual transistor or op-amp if you scrape the silkscreen off.

        Conveniently, they can run a software USB stack without any external components other than ones a normal USB interface IC would have.

    1. The latest generation of laptops from Dell and Apple have USB-C ports. These two companies probably have 90+% of the corporate laptop market between them. it’s a safe bet that journalists who are flown around the world by their employers, are also carrying new gear. So perhaps it would be unusual to find a foreign journalist who is not carrying a USB-C capable laptop.

        1. I’m not a journalist, though I sometimes play one on the Internet, but I’m looking to replace my Thinkpad R400 with the same (or a T400).
          It stopped charging its battery shortly after upgrading the HDD to 1TB and DRAM to 8 GB (sigh!)

    2. i blame my 4790k for being such a good processor i havent needed to upgrade in years. meanwhile usbc and m.2 have come into being and are everywhere, and i cant use them without adapters. its sad.

      1. There’s your best attack vector then, right there:

        – Give everybody a free USB fan.
        – Have a small stall in front of the building selling mobile phone accessories, including rigged USB-A to USB-C adapters.

  5. What I find surprising is that there are no computers with charging port’s (as in no data lines) at the front and some kind of locking plate over all the connectors at the back.
    This sounds like something large companies would pay for.

    I know of a company that has all their computers in a cabinet so the user can only access the front.
    They open up every new computer and snip the data lines on the front panel connector next to the mobo.
    No security problems anymore, people can plug in their 3.5 headset, and they can charge their phone.

      1. I’m guessing that kind of “company” (isn’t the CIA A.K.A “The Company”?) doesn’t worry about computer resale, they’re too busy removing and destroying any components that may store info or burn-ins.

    1. No security problems, but no warranty and no maintenance contract after that modification. Why not just get your local sheet metal contractor to make a nice heavy steel box and put the computers inside?

      1. Then you would be passing the security onto a physical lock…as a hackaday reader, you should be well aware that apart the really expensive ones, physical locks are a very poor security solution :P

    2. Obviously you are talking about desktop computers, not laptops wj´which are carried around. But this makes the computer unusable. I often need to use USB drives to transfer data from measuring devices to the PC or use a FTDI cable or similar to connect to a prototype device. So I could not do my work with such a castrate.

      1. We briefly had a stupid “only approved software” policy at my previous company. Which was fine, I explained, except that the company was paying us to write software, which we now couldn’t run. IT quickly reversed that policy.

    3. Some of the enterprise-grade models have a BIOS/UEFI setting that can either disable or limit USB port functionality…
      You don’t need to butcher hardware at all, this can usually be done by software.
      You can also prevent the system from installing drivers for unwanted devices.

  6. Take a USB cord with a fairly large male A end and cut it off about 8″ or so long. Fray the end of the cut wire nicely. Carefully cut the rubber boot at the end of it along both sides and open it up like a clam. Remove the metal shield and pull out any other parts that were there, etc.

    Take a small thumbdrive and carefully extract the circuit board and put it into the end of this USB cable that you took apart and then glue it back together (I wish I had pictures of the one I’d done but I’m pretty sure folks here can see where this is going.)

    So now you have a USB cable cut off short with dangling wire ends, etc and a thumb drive hidden inside. Tell the victim “You may have heard of people who lose an arm or a leg and how they get phantom pains and feel like the and or foot is still there? Well, I had a USB hard drive that the cord had gotten cut off of and apparently the USB connector thinks the drive is still there. Watch what happens when I plug this left over cord into a computer.”

    Of course here, you don’t want it logging keystrokes, etc. All you want it to do is act like the ghostly phantom hard-drive^H^H^H^H^H^H^H^H^H^H^Hthumb drive that it is.

    1. Or just leave it a normal length USB cable and prank some people in storing data on your external drive, which is not plugged in or pretend it to be a wireless USB “cable” :-)

    1. How about cell phone chargers? Anyone ever find one of those with mysteriously connected data lines, aside from the usual resistor to detect max charge rate?

      I know that’s what the dataless usb “condom” cables are for, but a lot of chargers I’ve bought came with cables which were fully functional.

      1. I once got a Bluetooth speaker and the charger cable supplied with it lacks the data lines – but looks like a normal black 1m USB cable. This can be quite annoying when you grab it accidentally.

  7. In the Stuxnet worm case the Iranians didn’t just trust an USB flash drive but an entire closed source operating system written by an American corporation which could be well in bed with its government. The flash drive could have contained two kittens photos, a Johnny Cash mp3 and a pizza recipe and the machine firmware could have been triggered anyway into doing something after detecting their presence. Trusting the OS from their enemy was their first and worst error.

    1. Siemens is German, not American. The PIDs controlling the centrifuges were from Siemens.

      I found the Stuxnet worm, before it was given a name, on a PC in a test bench that came in to my facility from Malaysia. The only reason I found it is because I always use the Eject feature in Windows before removing a USB drive, and it told me the device was busy. That’s not too abnormal, I tried to eject again, and again the device is busy. Kill all active programs that were accessing the drive, restart Explorer, still busy. Force remove the drive, take it to an off-network scanning PC, find unknown stuff on my drive. Clean it, reinsert, open no programs, repeat of the above. I usually clean trojans manually quite successfully, this defied my attempts so I just wiped the hard drive clean, reflashed the BIOS, and succeeded in disinfecting the PC. Put the binaries I found in a safe wrapper, submitted it to my IT who forwarded it to Kaspersy, and a couple weeks later the announcement was made.

  8. USB as a protocol is actually rather poorly implemented to start with.
    PCI (and PCIe) isn’t any better.

    Both of these protocols fail on the same thing, they have too much access and are trusted on both a hardware and software level.

    A broken PCIe USB hub can stop a computer from even booting, and that is silly since the PCIe standard shouldn’t allow for anything to stop the computer from normal operation.

    And a random new USB keyboard/mouse is trusted as if it were supposed to be there.

    The USB killer that literally EMPs the USB port is though a harder thing to protect against, so we shouldn’t fall to the nirvana fallacy.

    But when plugging in a USB device, it should never be trusted. Yes, if there is only one device stating to be a USB keyboard, then okay, we can trust that (unless the computer has another keyboard/touchscreen, like on a laptop). Since without that it would be rather hard to get the computer up and running to start with.

    Next, we just need to look at what the device wants to do, like is it a thumb drive, or an input device, or a network interface? Maybe it is a printer. But regardless, it shouldn’t get access to anything of this without the users explicit discretion. (It is never wrong to ask.)

    In the end though, we can’t protect against everything, but to not blindly trust any USB device that is plugged in would be a great improvement when it comes to security. (So lets not dwell on the Nirvana fallacy since no security solution is flawless.)

    One could also set up a security standard that sends a key to the device that it can send back to the computer to not need to be re-validated by the user each and every time. (This key would likely be 128-512 bit or something and uniquely generated and stored on both the computer and the device.)

      1. The Nirvana fallacy is actually to complain that an improvement isn’t worth implementing for the sole reason that is isn’t perfect.

        A rough example could be that a firewall extends the time it takes for a fire to spread from one room to another, yet it doesn’t actually stop the fire, and therefore some see it as an unnecessary cost since it doesn’t completely stop the spread of the fire.

        Just like a software firewall doesn’t stop people from sneaking into one’s computer. (unless one blocks all network ports, but then that network connection is fairly unusable. (And even then, there might still be security holes in the network card/driver/chipset/etc. (And then we can pile on the list of conspiracy theories and we start to see how silly the Nirvana fallacy can get…)))

        Few solutions are perfect, and some people like to point out fairly unrealistic scenarios to get certain flaws or just out right say that it isn’t perfect.

        Or just say, “but people could still fool the user into executing that .EXE file on the thumb drive regardless of how much warnings you give them.”

    1. When a USB device is plugged in the hardware detects its presence and goes through a series of handshaking to determine what type of hardware protocol it supports. The hardware then sends a packet to the OS. If the OS doesn’t do anything the device doesn’t do anything. If the OS instead installs (or activates) the relevant software stack on one side and then send configuration packets to the device (with extra handshaking to determine what type(s) of devices it represent and what configuration is wanted) then the OS can do something with it.

      Thunderbolt is or more correctly was a larger security problem as it provided a protocol designed for internal expansion to external hot-plug devices. Mostly fixed by configuration not allowing arbitrary memory access for devices and the addition of IOMMU hardware that can limit accesses for any hardware device.

      USB isn’t perfect but 99% of all security problems is on the software OS side of things.

    1. The cheapest fans are all brushless; it would be more expensive to make it brushed! They’re generally single phase, too; and at the low power levels they use, the control scheme is very very simple.

      That said, the concern isn’t bugs, the concern is that the USB subsystem is often not well protected, and it is often possible to compromise the IC that handles USB. This can be used to either to break into the OS, or just to read data off of USB drives that are plugged in; some of that data is on a USB drive instead of the HDD because it is sensitive!

      But also, using a high-noise fan would increase the ease by which one might exfiltrate the data without anybody noticing! More noise = more signal

  9. Am I the only person who assumes that it is intended to be plugged into a phone charger, not a laptop?

    A laptop is basically the only type of computer made where the USB ports might comply with the 500mA limit, so you’re not even going to get very good performance out of it.

    I challenge somebody who disagrees to find out how much air flow the fan manufacturer claims it puts out, and then measure to see how much current it takes to get there at 5V. (I’ll throw my guess into the hat at 1.1A, and that’s without knowing what their claims are)

    That said, journalists may attempt opsec, but still, they have no secrets when traveling overseas, and all their devices are compromised before and again after they leave home. If they don’t believe that, then they don’t even have an attempt at opsec, because people who are experts are attempting to get their data, and they’re not even experts. Plus those experts have nation-states backing them. So yeah; you want opsec to minimize it, but you’re perpetually p0wned by definition if your name is in the press pool.

  10. what about the motor driver? if the motor is brushless it will need a 3 phase driver that could be a source of malware.

    couldnt the data pins on the usb be cut so it cant connect to the computer?

    1. The motor isn’t connected to the data signals so…

      But in theory it could be possible to do an attack by hiding embedded data signal wires in the power wires going to the motor.

  11. All these comments about the nefarious purpose for providing these fans! it is usually above 30C/86F in Singapore, pretty much every day and many nights, and the humidity is often very high. It was simply to provide some relief for people not accustomed to that climate. I always bring two shirts per day to cope.

  12. “The first step of the analysis was to probe the D+ and D- lines of the USB port. These connections are how every USB device transmits data to and from a computer. If these lines are disconnected, no data can be transferred to a computer. ”

    A smart device could connect the data lines only now and then via eg. an opto-coupler or even a mechanical relay. Then you can go and measure the resistance and everything looks fine, but then perhaps after an hour or so, it will connect the data lines and do its black magic for a while and disconnect again.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.