When journalists arrived in Singapore for the historic summit between President Donald Trump and North Korean leader Kim Jong Un last month, security experts were alarmed by what awaited those who were covering the event. Inside a welcome bag that included bottled water featuring the faces of Trump and Kim and a guide to the local area was something far more suspicious: a miniature fan that connects to a computer’s USB port.
The discovery prompted a security researcher to disassemble the fan to inspect the USB. Security experts say that people should never use USB devices without knowing where they come from. Hackers and spies can use them as Trojan horses – devices that seem innocuous but are loaded with malware designed to take control of a target’s computer and steal information. The summit had attracted journalists from all over the world. Since reporters are often in contact with business and government officials and gather nonpublic information, their personal devices and newsroom networks could be enticing targets.
Experts say USBs are a common way for hackers to gather information or infect devices. In 2008, Russian agents planted virus-carrying USB sticks in retail kiosks around NATO headquarters in Kabul, Afghanistan, to gain access to a classified Pentagon network, according to the New Yorker. In 2013, Italian newspapers alleged that Russian operatives used USB devices to try to spy on world leaders at a G20 summit in St. Petersburg.
Research suggests that average citizens can also become targets. In 2011, the Department of Homeland Security planted USBs and CDs in government parking lots to test the security practices (and susceptibility) of employees and contractors. Sixty percent of people who picked up the items plugged them into work computers, and if the disks or USBs had an official logo printed on them the rate shot up to 90 percent. In another experiment conducted at the University of Illinois Urbana-Champaign in 2016, researchers dropped nearly 300 USB sticks on campus and found that nearly half the time someone would pick them up and plug them into their computer.
Sergei Skorobogatov, a hardware secruity researcher at the University of Cambridge, tested one of the fans from the summit. In an analysis of the components, Skorobogatov said he found no malicious software functionality inside the fan. But he was quick to add that people shouldn’t let their guard down when it comes to swag. “However, this does not eliminate the possibility of malicious or Trojan components wired to USB connector in other fans, lamps and other end-user USB devices,” he wrote in the analysis published on his staff website and first reported by ZDNet.
In other words, it’s not a good idea to plug unknown devices into the USB ports of your own devices, Skorobogatov said in an interview with The Washington Post. He added that, as in the case of the fans, just because one USB device in a given group is safe, doesn’t mean the rest of them are.
Jake Williams, founder of the cybersecurity firm Rendition Infosec and a former member of the National Security Agency’s hacking group, was also circumspect about the USB fans. He said that malicious actors could have narrowly targeted one reporter who was of special interest out of 100, meaning that most fans may have appeared harmless even as some might have been used to target specific journalists. The extremely small sample size of one fan makes it hard to draw conclusions, he said. But on the general practice of using hardware given to you by strangers or found in public places, he was direct, “It’s horrendously bad.”