World

USB fans given out at the Trump-Kim summit have worried experts. Here’s why

22Views

It seems harmless enough, plugging in a free USB-powered fan on a hot day.

But when it surfaced on Twitter yesterday that the item was included in a press pack handed out during the US-North Korea summit, it immediately drew concerns from some cyber experts about the potential for hidden malware.

External Link: A free USB fan for journalists covering talks in Singapore, how cool! (Because its impossible for USB devices to spread malware or exfiltrate data, right?)

One of those experts included author and journalist Barton Gellman who advised journalists to "drop it in a public trash can" after spotting Dutch journalist Harald Doornbos's picture of the device on Twitter.

External Link: So, um, summit journalists. Do not plug this in. Do not keep it. Drop it in a public trash can or send it to your friendly neighbourhood security researcher. Call any computer science department and donate it for a class exercise. Id be glad to take one off your hands, btw.

So could they actually contain malware?

The likelihood is very high, the director of University of NSW Canberra Cyber Nigel Phair says.

"People trying to infiltrate computer networks often use hidden software on thumb drives where they are given out at a conference or contain promotional material, whatever it might be," he said.

"People studiously go back to their work environment, plug it into their machine and it's the greatest way to bypass a whole lot of security controls."

According to Oliver Knox, chief Washington correspondent for broadcaster SiriusXM, at one summit, "White House aides raced into the filing centre to tell reporters not to use them".

External Link: These have been a staple of international summits for nearly as long as I've covered them. At one summit, WH aides raced into the filing center to tell reporters not to use them.

OK they bypass your security. Then what?

External Link: Media goody bag: Mini USB fan, hand-held fan with #TrumpKim on either side to blow around all the hot air…. and a fun guide to Sentosa. NB: that's not the delegations playing beach volleyball.

There's a couple of things that can happen from there, but Mr Phair says it all depends on what kind of malware it is.

"It might be to download a key-stroke logger onto your device," he said.

"For example the people that go there, to these types of conferences … they have privileged access to computer systems, they have access to documents that are sensitive, something that would be very valuable to an attacker."

Should we be wary of all 'free' USBs or USB-powered devices?

Pretty much. Mr Phair says if you don't where it has come from or if you haven't opened it up directly from a packet, then you should be wary of what might be in it.

"This has been a high-risk issue for quite some time," he said.

As Mr Gellman pointed out in a follow-up to his tweet, the warning about USBs has become "standard security advice".

"I have no reason to think the Singapore government is responsible for every handout, and as I said I don't know what's on those devices. This is standard security advice. No knock on anyone," he tweeted.

How do you check if there's malware on the device?

Mr Phair says the best thing to do if you're unsure is to run it through a commercial virus checker or scanner.

"This will check if there is any known-grade vulnerabilities on it, otherwise it could also have malicious software that has not yet been detected by a virus scanner so you're not going to know regardless," he said.

External Link: Maybe the fan is just a fan. Bad bet, though. I should probably add: if you did plug it in youre human. Malware authors abuse the instinct to trust

Leave a Reply