Last month, Singapore hosted a summit between the leaders of North Korea and the United States. Accredited journalists invited to the event were given a press kit containing a bottle of water, various paper goods, and a fan that plugs into a USB port.
Understandably, the computer security crowd on Twitter had a great laugh. You shouldn’t plug random USB devices into a computer, especially if you’re a journalist, especially if you’re in a foreign country, and especially if you’re reporting on the highest profile international summit in recent memory. Doing so is just foolhardy.
This is not a story about a USB fan, the teardown thereof, or of spy agencies around the world hacking journalists’ computers. This a story of the need for higher awareness on what we plug into our computers. In this case nothing came of it — the majority of USB devices are merely that and nothing more. One of the fans was recently torn down (PDF) and the data lines are not even connected. (I’ll dive into that later on in this article). But the anecdote provides an opportunity to talk about USB security and how the compulsion to plug every USB device into a computer should be interrupted by a few seconds of thoughtfulness first.
The best example of why you shouldn’t plug a random USB device into your computer is Stuxnet. This worm, discovered in 2010, was specifically designed to compromise Iranian nuclear centrifuges, and had the effect of destroying one-fifth of Iran’s Uranium enrichment capability, and infected hundreds of thousands of computers.
Although it’s been about ten years since the Stuxnet worm was deployed, it remains the most impressive cyber weapon of all time. Stuxnet used four 0-day exploits to specifically target the programmable logic controllers of nuclear centrifuges, gradually increasing and decreasing the operating speed, until one thousand of these machines were destroyed. Whoever wrote Stuxnet — the current best guess is a collaboration between US and Israeli intelligence agencies — had deep knowledge of Windows exploits and the Siemens programmable logic controller software found on these centrifuges. While Stuxnet was quite sophisticated, it was initially deployed using decidedly low-tech means.
Stuxnet first found its way into Iranian nuclear facilities through a USB thumb drive. The exact details are not known, but all signs point to someone plugging an untrusted device into a computer without considering the ramifications.
So just what does an attack with a random USB device look like? Several different approaches have popped up over the years and they’re all rather fascinating.
The best, and easiest, way to get into a computer with a USB device is with a keystroke injection attack. This is best accomplished with a USB Rubber Ducky, a small device that looks like a USB thumb drive. Instead of storage, the USB Rubber Ducky contains a microcontroller that emulates a normal USB keyboard and will send keystroke payloads to a computer automatically. For example, if you’re on a Windows computer, typing Alt+F4 will close your current window. If you program a USB Rubber Ducky to emit the ‘Alt-F4’ keyboard combination when it’s plugged in, the USB Rubber Ducky will close the currently focused window.
These exploits can be expanded. Programming the USB Rubber Ducky with a more sophisticated script could change a computer’s hosts file. Whenever a user types in google.com into their browser’s address bar, the computer would pull up goggle.com. Software payloads could be downloaded through the command line, installing keyloggers. Passwords can be stolen in a matter of seconds with a keystroke injection attack.
This class of attacks falls under the banner of BadUSB attacks, something first discussed in 2014. It’s not just a USB Rubber Ducky, either: normal thumb drives can be reprogrammed to perform keystroke injection attacks, and a one dollar microcontroller can be programmed to perform the same attack.
Concerning implementation, the only necessary components for this attack would be a small microcontroller and a handful of passive components. This microcontroller would connect to the computer over the D+ and D- lines found in every USB port. Given a (physically) small enough microcontroller, a USB spy device could look identical to a USB-powered fan. The only way to tell the difference is to take it apart and look at the circuit board.
TURNIPSCHOOL, a device that becomes a wireless USB keyboard. Source: Michael Ossmann
In addition to a USB ducky, an attack via USB device could take the form of COTTONMOUTH, a device created by the NSA and leaked to the world through the NSA ANT Catalog in 2013. TURNIPSCHOOL is a ‘clone’ of COTTONMOUTH developed by Great Scott Gadgets and demonstrated at Shmoocon 2015. This small circuit board that fits inside the plastic plug of a USB device. This small circuit board can become a custom USB device under remote control. Think of it as a wireless USB keyboard.
But USB attacks aren’t limited to turning a USB fan into a USB keyboard. The USBee attack turns the data bus on a USB connector into an antenna, allowing for data exfiltration over radio. If you’re a state-level actor handing out USB devices to journalists and you want some lulz, the USB Killer is a great choice; this will simply fry the USB port (and possibly more) in any computer.
In short, there are dozens of ways a USB device can be harmful. They all have one thing in common, though: they all use microcontrollers, or obviously complex electronics. All of them will have a connection to the D+ and D- or TX and RX lines in a USB port. Knowing this, we can define a threat model of what an attack via a random USB device will look like. We also know how to test that threat: if there’s some measurable resistance between the D+ and D- lines in the USB port (somewhere between a few hundred kiloohms to a few megaohms), there might be something there.
Thanks to a reporter from The Economist, [Sergei Skorobogatov] of Cambridge University analyzed one of the USB fans distributed at the Singapore summit. The first step of the analysis was to probe the D+ and D- lines of the USB port. These connections are how every USB device transmits data to and from a computer. If these lines are disconnected, no data can be transferred to a computer. The first step of the analysis found a resistance above 1 Gigaohm, suggesting they were disconnected from everything else. Since this is a USB-C connector, the TX1 and TX2 data lines were also probed, finding they too were disconnected from everything else.
[Skorobogatov]’s visual inspection of the circuit board revealed VCONN connected to VBUS through a resistor. Two diodes are on the board, probably to reduce the voltage to the electric motor. There was no complex electronic device inside this particular USB fan distributed at the Singapore conference. This device was clean, but that could only be established after careful inspection.
It should be noted that resistance between the D- and D+ lines in a USB port is not evidence of any spyware, malware, or other spy device. Resistors tied to the data lines of a USB port are used for device negotiation of USB chargers. If the designers of this USB fan wanted to draw more than 500 mA from a USB port (unlikely, but let’s just roll with it), they would have to install resistors on the data lines. Therefore, a complete analysis of any USB must include a visual inspection of the circuit board.
The journalist who started this whole mess by posting the image of the USB fan drive on Twitter is extremely capable and competent. As a war correspondent he faced great peril in Egypt in 2011 and during the Libyan civil war to name just two of his reporting assignments. Simply by virtue of living through those experiences, this journalist knows something about physical security. But computer security is more abstract and the same instincts are harder to apply.
The real story here is that accomplished journalists would be grateful for a random USB device given to them by a foreign government. There is every indication this journalist actually plugged this USB fan into his computer. But even if he went the safe route and opted to use a USB battery or a cable with data lines disconnected to protect against malware, I’m sure others didn’t take precautions. Out of 2500 journalists at the Singapore summit, some unquestionably plugged this threat into their computer.
There is a massive, massive gulf of understanding between otherwise competent professionals and the most basic tenets of computer security. So spread the word when you have the chance: Don’t give your passwords to people. Don’t reuse passwords. And don’t plug random USB devices into your computer.
by Brian Benchoff