Recently a video surfaced from someone claiming that certain USB-to-Ethernet dongles contained ‘malware’ among other big claims. Basically these dongles were said to be designed by China (and Russia) to spy on users and so on, but how much of this is actually grounded in reality? When [lcamtuf] dove into the topic, what he found was not so much a smoking gun, but rather a curious relic from the era when drivers-on-CD were being phased out.
The item that the video went bananas about was namely an additional SPI Flash chip on the PCB alongside the USB 2.0 – Ethernet IC, with many conspiracy theories being floated as to what it would be used for. After some digging, [lcamtuf] found that the IC used in these dongles (SR9900) is by a company called CoreChips Shenzhen, with a strong suggestions that it is a clone of the (2013-era) Realtek RTL8152B.
Both chips have an external SPI Flash option, which is used with the USB side to present a ‘virtual CD drive’ to the user when the dongle is plugged in. This was borne out with the SR9900 Windows system mass production tool that [lcamtuf] obtained a copy of. Included with the flashing tool is a 168 kB ISO image (containing the SR9900 driver package) which happily fits on the 512 kB Flash chip.
Although it’s always possible for chips and firmware to contain backdoors and malware, in this particular case it would appear to be that it’s merely a cruel reminder that 2013 is now already vanishing into the realm of ‘retro computing’ as us old fogies cling to our driver installation floppies and CDs.
On the other hand, capable people could put things other than drivers on there, although that’s not a lot of room for a rubber ducky, it isn’t nothing
…
https://x.com/atc1441/status/1879487847549505685
Are the Ethernet magnetics/transformers inside that tiny 8p8c socket?
The unpopulated area on the PCB there looks like transformers should go there…
It’s probably an Ethernet jack with integrated magnetics and the unpopulated site is a manufacturing option for regular jacks.
I’ve never seen a jack with integrated magnetics that small before.
Yeah, I was wondering that, it looks like the chip is coupled to the RJ45 socket via those 4 tiny components inside the footprint for the magnetics, the RJ45 itself doesn’t look large enough to have the transformer integrated either, so, if that’s true, that adapter is potentially dangerous for your computer and could, at not muich of a stretch, be pretty dangerous for the operator too
No, they have replaced the transformers with 4 resistors.
You can see the footprint for this transformer and the pads.
This cheap USB-Ethernet adapter have often only around 1Mbit/s. I have pimped one with some additional capacitors, so I get 6Mbit/s. A bit sad if they say it can do 100Mbit/s.
The ‘fake CD drive with drivers’ era was such a terrible time. Especially for devices that, rather than showing up as a composite device, showed up exclusively as a CD drive until the driver was installed and tweaked something to trigger the device to switch over to showing up as whatever it actually is.
Plenty of gear now stuck in the limbo of its primary function still being reasonably widely supported; but the ancient vendor-specific driver that knows how to kick it over from CD drive emulation being a non-starter on remotely modern OSes.
It was a big issue with a lot of the older displaylink-based docking stations. Displaylink-provided generic drivers support more or less all their chipsets on recent windows versions; and on the Linux side the USB 2 stuff is actually more robustly supported because it hadn’t become entangled in video DRM the way the USB 3 chipsets with their HDMI focus are; but good luck getting some ghastly Kensington driver bundle mess working to get the dock to stop pretending to be a CD drive.
The original claim was just bigotry, but the article covers the topic well. The risk is very real, it just doesn’t have much to do with the ethnicity of the “bad guy”.
The name lcamtuf was oddly familiar, if he is to you too it’s probably from his book “Silence on the Wire” (I’m sure he’s written more).
Suspecting a country of espionage which already has an extensive record of espionage isn’t bigotry. Your sense of morality is slavish and prostrated
It could been said the same from the US, Russia, England…
There is a bit more to this. Microsoft disabled autoplay when plugging in a flash drive, as a result of the multiple malware campaigns that used flash drives to spread (Hello Stuxnet), but left it enabled for CDs and DVDs. A quick Google search shows that it can still be enabled for optical disks. So when a USB drive presents itself this way, it is bypassing some security protections. If the autorun is actually fixed, and not malicious, that’s not really a problem.
You could add a USB HID chip that will automatically payback a key sequence on insertion to run the auto run.