Don’t plug in USB devices without knowing origins
WHEN journalists arrived in Singapore for the historic summit between President Donald Trump and North Korean leader Kim Jong Un last month, security experts were alarmed by what awaited those who were covering the event.
Inside a welcome bag that included bottled water featuring the faces of Trump and Kim and a guide to the local area was something far more suspicious: a miniature fan that connects to a computer’s USB port.
The discovery prompted a security researcher to disassemble the fan to inspect the USB. Security experts say that people should never use USB devices without knowing where they come from.
Hackers and spies can use them as Trojan horses - devices that seem innocuous but are loaded with malware designed to take control of a target’s computer and steal information. The summit had attracted journalists from all over the world. Since reporters are often in contact with business and government officials and gather non-public information, their personal devices and newsroom networks could be enticing targets.
Experts say USBs are a common way for hackers to gather information or infect devices.
Sergei Skorobogatov, a hardware security researcher at the University of Cambridge, tested one of the fans from the summit. In an analysis of the components, Skorobogatov said he found no malicious software functionality inside the fan. But he was quick to add that people shouldn’t let their guard down when it comes to swag. “However, this does not eliminate the possibility of malicious or Trojan components wired to USB connector in other fans, lamps and other end-user USB devices,” he wrote in the analysis published on his staff website and first reported by ZDNet.
In other words, it’s not a good idea to plug unknown devices into the USB ports of your own devices, Skorobogatov said in an interview with The Washington Post. He added that, as in the case of the fans, just because one USB device in a given group is safe, doesn’t mean the rest of them are.
Jake Williams, founder of the cybersecurity firm Rendition Infosec and a former member of the National Security Agency’s hacking group, was also circumspect about the USB fans. He said that malicious actors could have narrowly targeted one reporter who was of special interest out of 100, meaning that most fans may have appeared harmless even as some might have been used to target specific journalists. —Washington Post.
However, this does not eliminate the possibility of malicious or Trojan components wired to USB connector in other fans, lamps and other end-user USB devices. — Sergei Skorobogatov, a hardware security researcher at the University of Cambridge