Not a Fan of The Fan: Security Concerns Raised Over Summit Gift

Photo credit: @MandyCNBC 

In recounting the story of the Trojan Horse in The Aeneid, Virgil penned the now famous phrase, “Beware Greeks bearing gifts.” It seems the same caution was required at the diplomatic summit between U.S. President Donald Trump and North Korean leader Kim Jong-un, which was recently held in Singapore.  

The 3,000 journalists covering the historic summit all received a goodie bag that included a bottle of water, a hand-held fan with Kim’s face printed on it, and a guidebook to Sentosa island, the resort where the talks are taking place.

Also included was a USB-powered fan to help cool the reporters down while they typed their stories in the sweltering heat of Singapore, which is currently over 90F/33C. While some journalists considered it a thoughtful gift, many of those who cover the cybersecurity beat saw a potential threat.

As a company founded in Singapore (now with headquarters in Singapore and Switzerland), Acronis has civic pride in what the summit might accomplish.

As a global cyber protection company, we have a professional interest in the security concerns raised by the USB device given to reporters.

Barton Gellman, a seasoned reporter who covered the U.S. National Security Agency after getting documents from Edward Snowden, offered a simple warning via Twitter. “So, um, summit journalists. Do not plug this in. Do not keep it,” adding, “Maybe the fan is just a fan. Bad bet, though.”

The warnings from Gellman and others come because there’s a long history of USB devices, flash drives, and memory sticks being used as a way to deliver malware, avoiding the security measures that would otherwise block access to a computer.

While no threat from the fan has been confirmed, the antennae of security experts are up for good reasons.

The threat posed by USBs as a way to deliver malware has been known for a long time. Perhaps the most famous instance was the Stuxnet worm, which was a joint operation of the U.S. and Israel that targeted Iran’s nuclear enrichment facilities. A double agent simply used an infected USB thumb drive to inject malware into the Iranian systems and deliver the advanced persistence threat (APT) attack that crippled the Natanz nuclear facility.

That state-run operation may be the most notorious incident, but the use of poisoned USB drives has been seen in many other instances. In the Australian neighborhood of Pakeham in Victoria, criminals were leaving USB sticks in residents’ mailboxes that offered access to Netflix, but delivered ransomware instead. Even the International Space Station has been infected by malware that was delivered by a USB drive.

The problem is that no security measures are built into USB drives and devices, making them easy to hijack. So while the fan distributed to journalists covering the summit might simply draw power from the computer, there’s also a good chance it could be delivering a malicious payload.

Contributing to the suspicion of these USB fans is North Korea’s presence at the summit. Under the leadership of Kim Jong-un, North Korea has grown its cyber-attack capabilities at a far greater pace than any other country. Hackers linked to Pyongyang have deployed new tools and escalated operations against financial targets and organizations around the world. They’ve been linked to several high-profile hacks, including the 2014 attack on Sony Pictures and last year's global WannaCry attack.

A North Korean hacking group allegedly backed by Pyongyang could launch a cyber espionage operation to steal critical information – and one such operation was uncovered recently. Called GhostSecret, the attack stole data from 17 countries.

With more than 3,000 journalists from countries around the world gathering in Singapore, there could be a strong temptation to spy on them. Reporters often rely on sensitive documents and sources. By infecting their computers, a nation’s intelligence agency could not only access those files, but could identify sources that the reporter is talking to – including those anonymous sources who mightbe providing insights that a secretive nation like North Korea would prefer to keep quiet.

Again, while no threat has been confirmed at this point, the combination of USB devices and the potential intelligence that could be mined could prove too tempting – which is why security experts warn against using the USB fans.

The best way to avoid getting a malware infection is to be suspicious of all USB devices. As simple as that sounds, it goes against our natural instinct to trust people.

How often do people use USBs of unknown origin? Just read the report by researchers from the University of Michigan, University of Illinois Urbana-Champaign, and Google. They left approximately 300 USB thumb drives around six campus locations. At least 45 percent of those devices were plugged into a computer.

No- or low-cost tools to test USB drives for malware do exist, like CIRCLean, which uses cheap Raspberry Pi hardware disconnected from any network or other peripheral, scans the suspect USB drive for known malware threats, converts potential malware-hiding file formats like .PDFs to the safer HTML format, and (if no malware is revealed) allows those files to be transferred to a known safe USB device. The obvious risk is the potential to compromise a $5 single-board computer, but few SecOps professionals would trust such a solution to defend valuable business data against USB-borne threats.

The lowest risk option is to remain extremely suspicious of unknown USB drives. Micheal Baily, one of the report’s researchers (University of Illinois Urbana-Champaign) explained to PC World that “In the current world, there is no advice...except to know the provenance of the USB drive. Do not trust, don’t plug or insert untrusted media into your computer.” 

In the same article, Chris Novak, a director with Verizon’s RISK team, offered PC World a simple trick for avoiding USB infections. “Think of USB sticks like toothbrushes and then you will not be so quick to pick it up and share it.”

The BBC reports that “the gift packs were assembled by the Singapore state company which manages the island of Sentosa where the summit took place,” which has no known connections to the North Korean regime. That fact might reassure some people that the USB fans are harmless, but the smart approach is to always assume that any USB of unknown origin could carry malware.

That is sound advice whether you are at home, at work, or covering a historic summit between two adversaries who are trying to put 70 years of distrust behind them.