Investigating USB-to-Ethernet Dongles With “Malware” Claims

Recently a video surfaced from someone claiming that certain USB-to-Ethernet dongles contained ‘malware’ among other big claims. Basically these dongles were said to be designed by China (and Russia) to spy on users and so on, but how much of this is actually grounded in reality? When [lcamtuf] dove into the topic, what he found was not so much a smoking gun, but rather a curious relic from the era when drivers-on-CD were being phased out.

The item that the video went bananas about was namely an additional SPI Flash chip on the PCB alongside the USB 2.0 – Ethernet IC, with many conspiracy theories being floated as to what it would be used for. After some digging, [lcamtuf] found that the IC used in these dongles (SR9900) is by a company called CoreChips Shenzhen, with a strong suggestion that it is a clone of the (2013-era) Realtek RTL8152B.

Both chips have an external SPI Flash option, which is used with the USB side to present a ‘virtual CD drive’ to the user when the dongle is plugged in. This was borne out with the SR9900 Windows system mass production tool that [lcamtuf] obtained a copy of. Included with the flashing tool is a 168 kB ISO image (containing the SR9900 driver package) which happily fits on the 512 kB Flash chip.
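To see what such a dongle’s virtual CD actually carries, a defender can dump the emulated drive to a file (for example with dd) and list its root directory. The following is an added example, not code from the article or from the CoreChips/Realtek tooling: it builds a small constructed ISO 9660 image (file names and sizes are made up, loosely modelled on the 168 kB driver package), then parses the primary volume descriptor and root directory and flags an autorun.inf.

```python
import struct
SECTOR = 2048  # ISO 9660 logical sector size

def _dirrec(name: bytes, lba: int, size: int, flags: int) -> bytes:
    """Encode one ISO 9660 directory record (used only to build the constructed sample)."""
    body = (b"\x00" + struct.pack("<I", lba) + struct.pack(">I", lba)     # extent LBA (both-endian)
            + struct.pack("<I", size) + struct.pack(">I", size)           # data length (both-endian)
            + bytes(7) + bytes([flags, 0, 0])                             # date, flags, unit size, gap
            + struct.pack("<H", 1) + struct.pack(">H", 1)                 # volume sequence number
            + bytes([len(name)]) + name)
    if len(body) % 2 == 0:                       # total record length must be even
        body += b"\x00"
    return bytes([len(body) + 1]) + body

def build_sample_iso(files) -> bytes:
    """Constructed minimal image: PVD at sector 16, root directory at sector 17, extents after."""
    root, lba = 17, 18
    recs = _dirrec(b"\x00", root, SECTOR, 2) + _dirrec(b"\x01", root, SECTOR, 2)  # "." and ".."
    for name, size in files:
        recs += _dirrec(name.encode() + b";1", lba, size, 0)
        lba += -(-size // SECTOR)                # ceil: file extents follow the directory
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                  # type 1, identifier, version
    pvd[156:190] = _dirrec(b"\x00", root, SECTOR, 2)   # root directory record lives at +156
    return bytes(16 * SECTOR) + bytes(pvd) + recs.ljust(SECTOR, b"\x00") + bytes((lba - root - 1) * SECTOR)

def list_root(image: bytes):
    """Parse the primary volume descriptor and return [(name, size, is_dir)] for the root directory."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0:6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]    # root record: extent at +2
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]   # data length at +10
    data = image[root_lba * SECTOR: root_lba * SECTOR + root_len]
    entries, off = [], 0
    while off < len(data):
        rec_len = data[off]
        if rec_len == 0:                         # zero padding: records never span a sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        size = struct.unpack_from("<I", data, off + 10)[0]
        flags, name_len = data[off + 25], data[off + 32]
        name = data[off + 33: off + 33 + name_len]
        if name not in (b"\x00", b"\x01"):       # skip "." and ".."
            entries.append((name.decode("ascii").split(";")[0], size, bool(flags & 2)))
        off += rec_len
    return entries

def has_autorun(entries) -> bool:                # would Windows see an autorun.inf on this "CD"?
    return any(name.upper() == "AUTORUN.INF" for name, _, _ in entries)
```

Pointing `list_root` at the bytes of a real dump lets you compare what the dongle presents against the vendor’s driver package before trusting it.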

Although it’s always possible for chips and firmware to contain backdoors and malware, in this particular case it would appear that it’s merely a cruel reminder that 2013 is now already vanishing into the realm of ‘retro computing’ as we old fogies cling to our driver installation floppies and CDs.

54 thoughts on “Investigating USB-to-Ethernet Dongles With “Malware” Claims”

    1. The amount of interesting punch you could get seems like it depends on how much of the USB behavior is reprogrammable vs. ROM.

      If you can only change the contents of the ISO that’s certainly not nothing; but autorun.inf is mostly not honored anymore and malware the user has to click on isn’t terribly exciting.

      If the implementation of the USB CD drive is modifiable; and you can adjust it to be other sorts of USB devices, then there’s room to make a nuisance of yourself in more interesting ways.

      Since the SPI flash is optional at least some of the USB behavior must live over on the main chip (whether everything but the ISO or just the USB NIC and enough to read the virtual CD device implementation off the SPI chip isn’t clear); and I’m not sure whether that is flash or if it’s mask ROM in a device like this.

      I’d be shocked if a moment was spared on resisting tampering through anything but obscurity; so if flash was cheaper you can almost certainly change it; but if mask and just enough OTP for the MAC was cheaper they presumably went for that.

      1. Hey, malware often requires multiple clicks, even explicit installation. It’s not about how, it’s about making the user sure that they wouldn’t do anything wrong.

        Imagine how dumb an average user is and you’ll know that most of them are even dumber

        1. I once tried to abuse an ethernet jack for “normal” signalling, it didn’t work and only then I discovered there are tiny transformers there and what ethernet magnetics are. It was this small.

          1. You can see the small capacitors used to AC-couple the signals in lieu of magnetics. This can be done in some circumstances for low-speed or short-distance applications instead of using a transformer.

    1. Yeah, I was wondering that, it looks like the chip is coupled to the RJ45 socket via those 4 tiny components inside the footprint for the magnetics, the RJ45 itself doesn’t look large enough to have the transformer integrated either, so, if that’s true, that adapter is potentially dangerous for your computer and could, at not much of a stretch, be pretty dangerous for the operator too

    2. No, they have replaced the transformers with 4 resistors.
      You can see the footprint for this transformer and the pads.
      These cheap USB-Ethernet adapters often have only around 1Mbit/s. I have pimped one with some additional capacitors, so I get 6Mbit/s. A bit sad if they say it can do 100Mbit/s.

      1. They are most likely capacitors. You can meet the dc isolation requirements with them but the performance characteristics are typically much worse over long distances. Over short distances you might be ok. But yes, a cheap low performance device as you said.

    3. Not Resistors, you can see capacitors in the RX / TX diff pair lines. This can be done, search “Ethernet Capacitive Coupling”; you’ll find some app notes about it.

      100nF capacitors replace the magnetic transformers. As another commenter noted, you can get away with it over short distances and applications which don’t need the “full” galvanic isolation.

      I’ve done it myself when I have 2 or more ethernet devices on a single PCB coupled by an on-PCB switch in order to save myself the size and weight of two sets of transformers.

  1. The ‘fake CD drive with drivers’ era was such a terrible time. Especially for devices that, rather than showing up as a composite device, showed up exclusively as a CD drive until the driver was installed and tweaked something to trigger the device to switch over to showing up as whatever it actually is.

    Plenty of gear now stuck in the limbo of its primary function still being reasonably widely supported; but the ancient vendor-specific driver that knows how to kick it over from CD drive emulation being a non-starter on remotely modern OSes.

    It was a big issue with a lot of the older displaylink-based docking stations. Displaylink-provided generic drivers support more or less all their chipsets on recent windows versions; and on the Linux side the USB 2 stuff is actually more robustly supported because it hadn’t become entangled in video DRM the way the USB 3 chipsets with their HDMI focus are; but good luck getting some ghastly Kensington driver bundle mess working to get the dock to stop pretending to be a CD drive.

      1. It means it should not be Win8+ compatible. While it’s possible Microsoft claimed that the option is virtually unsupported.
        If it works on Win10, that’s just the OS secretly slapping generic drivers on a USB WiFi NIC. No vendor-specific features, just what is written in USB3 specs.

    1. I read earlier somewhere that issuing an OS eject command on the CD drive makes the device trigger its internal switch and show up as the real device. There is a GitHub for this somewhere. Also this is how the actual drivers for those devices also seem to work – they eject the fake drive when detected

  2. The original claim was just bigotry, but the article covers the topic well. The risk is very real, it just doesn’t have much to do with the ethnicity of the “bad guy”.

        1. Partly for historical reasons, China takes a very different approach to espionage than do western nations such as the US, UK, etc.
          Think back 30 years or so. China, trying to go from a developing nation to a modern nation, was very interested in gaining technology from Intel, Microsoft, Boeing, Cisco, AMD, etc etc. The US had an interest in China’s military plans in the region; they had no reason to spy on Chinese rice farmers.

          What grew from that is China has a habit or culture of broad espionage of Westerners. If you work for any technology company, China has at least a small team focused on that company – you’re a target. They don’t NEED to do that as much as they used to, perhaps, but they haven’t dismantled their espionage apparatus – they’re still doing it. And more so since almost all SpaceX employees are using Chinese-built routers, phones, etc.

          The US focuses on spying on the military and closely related elements of potentially hostile nations. 99.9% of Chinese citizens are not targets of US surveillance. One might argue that the US should spy on foreign countries more, that they should be like China. But they aren’t, at the present time.

          1. “One might argue that the US should spy on foreign countries more, that they should be like China. But they aren’t, at the present time.”

            Probably because the PRC has the US politicians who fund espionage or the bureaucrats that implement it are influenced by $$.

          2. Heck, China is often times spying on their own private citizens abroad. China also barely bothers to participate in international intellectual property laws, especially when ignoring such laws and agreements benefits them. That leads to those of us in the west having less trust in Chinese products.

          3. “The US focuses on spying on the military and closely related elements of potentially hostile nations. 99.9% of Chinese citizens are not targets of US surveillance”

            “U.S. spied on Merkel and other Europeans through Danish cables – broadcaster DR
            By Reuters
            May 31, 2021”

            You live in CNNland and don’t even know it

          4. “Heck, China is often times spying on their own private citizens abroad…That leads to those of us in the west having less trust in Chinese products.”

            ”The billionaire CEO of Facebook, Mark Zuckerberg, criticised US government surveillance in a Facebook post on Thursday, saying it was a “threat” to the internet – and revealed he had called Barack Obama personally to air his concerns.

            Zuckerberg made his remarks a day after the The Intercept website reported that the NSA has been using automated systems to spread malware over the internet, sometimes using ‘fake’ Facebook servers.”

            I bet you believe Intel’s IME and AMD’s PSP have nothing to do with NSA and will save us all from communist hell

  3. There is a bit more to this. Microsoft disabled autoplay when plugging in a flash drive, as a result of the multiple malware campaigns that used flash drives to spread (Hello Stuxnet), but left it enabled for CDs and DVDs. A quick Google search shows that it can still be enabled for optical disks. So when a USB drive presents itself this way, it is bypassing some security protections. If the autorun is actually fixed, and not malicious, that’s not really a problem.

  4. Many of these will work as normal USB NICs if you desolder that SPI chip. I bought a few to use with a Linux PBX a while back and they would only show as CD/disk devices in the OS. Pulling the chip caused them to present as the actual ethernet controller.

  5. I helped out a family friend install a USB to HDMI dongle that clearly had this exact same type of tech inside. When first plugged into a system that couldn’t immediately recognize it as an HDMI adapter, it would show up as a drive with drivers to install. It was a fairly small package under 512KB in size that probably fit on an SPI flash like the one shown.

  6. Thank you for sharing this. The original sensationalist thread was commented on by lots of RE/VR professionals only for the author of it to try and downplay their assessments. Ridiculous hysteria.

    And yes, the threat is real (for pretty much ANY device), but as one of the comments even said: people should look at the Mini-PCs and routers coming out of China, those are more likely to have suspicious “features” (and have regularly been shown to have weird “diagnostic overrides”). This is not me saying they’re infested with malware, but it’s worth looking into.

    People should be wary of sensational media especially on Twitter/X.

  7. I got surprisingly negative feedback when I said it was a red flag that the security researcher called this a USB to rj-45 adapter. I would expect anyone competent to call this a USB NIC or USB ethernet adapter. Am I just getting old?

    1. Lcamtuf is pretty well known in the scene, but not because of his merit and skill (as expected from a security researcher), but from being a wikipedian, narcissist and attention lady of the night.

  8. Useful network driver is 168KB, completely borked Alienware Command Center to control ARGB is 1.1GB. I’m dead. (MSI does the same. I’m switching to Jingyue motherboard, it at least uses OpenRGB, their own release, but hey)

  9. I see no big issue with this.

    Most of these USB devices are from Windows 98SE/Me era when AutoRun was still enabled.
    But beginning with the Windows XP days, autorun.inf was no longer being processed without asking.

    Also, it’s good that these USB devices have their vintage drivers included.
    Hunting them down in the wild is not easy anymore.

    Many of those devices no longer have a manufacturer’s website that hosts the appropriate device drivers.

    And downloading from other places..
    Is that more trustworthy than using the drivers that are built into the device itself?

    I mean, what kind of logic is that?
    Assuming that the built-in drivers are unsafe, but that the same drivers from the manufacturer website are safe?!
    They can both contain malware, I think, so one is as good as the other.

    The only people who can’t care less about virtual CDs are the Linux freaks.
    They have no binary compatibility anyway, so old drivers are no use to them.
    They need source code, rather. Source code that has grown so large and convoluted over the years that an elephant can hide in it.

  10. Tired and sick of those people who live in a black and white world: US = good, not US = bad. If you are so afraid of using China’s electronics products, go ahead and buy own country’ electronics products… wait a second… no options? ok go ahead and start manufacturing!… wait a second…

    About espionage, if your country is not doing it, well, something is wrong.

  11. msm reports on what THEIR malware is doing to the US.

    msm does not report what US software is doing to THEM?

    Or what the US software has done to THEM.

    Examples of US software used against THEM search links:

    1 rigging the game spy sting
    2 Shapour Baktiar and Soroush Katibeh murder convictions.
    3 La Belle discothèque bombing Libya responsibility identification.
    [Ronald Reagan is most hated traitor by NSA , poster told my NSA employee]
    nsa, crypto AG and the Iraq-Iran conflict
    https://www.hermetic.ch/crypto/kalliste/speccoll.htm

  12. The threat of a Chinese backdoor chip strikes me as mostly political, at least the way it is presented, or what was found here. I mean you would not want to leave something easy to find in a mass produced product, that is just bad craftsmanship. Anything that shows up as a delta on a microscope or something that was obviously added is just lame.

    History shows these things were always more subtle and clever. Hidden weakness in an algorithm. Things that activate when subjected to microwave transmissions, that is from the 50’s (right?).

    I think you’d have to muck with a chip design in a way that is much more subtle. I’m not a hardware guy, but maybe you can nudge some traces around in such a way that a certain combination of signals, when timed right, produce a bit flip, like rowhammer. Then your spook software guys build a backdoor around that.

    1. So many backdoors are down to incompetence that I feel it’s a good cover for when it’s done maliciously.
      It’s no coincidence that even obscure default passwords are shared across multiple vendors that have on paper nothing to do with each others.
      Its either:
      Reuse of passwords as lazy employees change Employer.
      That every programmer did the same course and parroted the answers.
      State mandated.

  13. Reminds me of many moons ago. I got a work laptop without an ethernet port. I went to a local store and bought a USB to Ethernet adapter. Old one but I thought, at least it would work. I had to use Windows and Windows didn’t have the right driver for it built in. The driver was on a CD so that wasn’t an option. I downloaded the driver from the manufacturer website and McAfee went nuts. Turned out that the driver had a botnet included. Since we had contracts with McAfee, we sent the driver to them and they verified it actually contained a virus and wasn’t a false positive. It was a Chinese manufacturer I never heard of. I can’t remember the name as it was about 15 years ago but it was some random company just like you see on Amazon/Aliexpress/etc that had only a handful of products. Major western manufacturers have done similar though so I don’t blame them.

  14. Obfuscating programming languages costing too much in training and maintenance?

    Transparent portable gcc c which has ability to write machine code in high-level c is more cost effective?
