While the world’s eyes watch Donald Trump and Kim Jong-Un meet in Singapore, journalists have seemingly been treated rather well while covering the event.
But caution has been advised over one tiny freebie.
Not only have the 3,000 journalists been well-fed during the summit, they’ve also received a goody bag. Inside the bag there’s a bottle of water, a handheld fan featuring Jong-Un’s face, and a Sentosa guidebook. Pretty standard.
However, also enclosed was a blue, innocent-looking mini USB fan, a nod to Singapore’s searing temperatures. Not so hot about it was the information security community.
Media goody bag: Mini USB fan, hand-held fan with #TrumpKim on either side to blow around all the hot air…. and a fun guide to Sentosa. NB: that’s not the delegations playing beach volleyball. pic.twitter.com/fbdKVzr0Cn
— Amanda Drury (@MandyCNBC) June 10, 2018
“Do not plug this in. Do not keep it,” tweeted journalist Barton Gellman, who led coverage on the U.S. National Security Agency after receiving top secret documents from Edward Snowden.
The risk is that the device could be a covert means of installing malware onto the computers of journalists covering the summit.
13/ Handy. The press kit for the #KimTrumpSummit includes a mini USB fan. Useful for staying cool while writing. It is indeed quite hot here in Singapore. 33°C or so. But it doesn't come close to Dubai, king of the oven. pic.twitter.com/6tQd5d7gCW
— Harald Doornbos (@HaraldDoornbos) June 10, 2018
Twitter abounded with messages imploring journalists not to use the fan.
So, um, summit journalists. Do not plug this in. Do not keep it. Drop it in a public trash can or send it to your friendly neighborhood security researcher. Call any computer science department and donate it for a class exercise. I’d be glad to take one off your hands, btw. https://t.co/vz8xjUIjVz
— Barton Gellman (@bartongellman) June 11, 2018
Maybe the fan is just a fan. Bad bet, though. I should probably add: if you did plug it in you’re human. Malware authors abuse the instinct to trust. Until someone competent has a look, I recommend you power down your machine if you can and change passwords with a clean device. https://t.co/vdBVniRQuj
— Barton Gellman (@bartongellman) June 11, 2018
RE-UPPING FOR THE MORNING CROWD IN SINGAPORE.
DON’T PLUG THE FAN INTO YOUR COMPUTER UNLESS YOU WOULD LIKE TO EXPERIENCE SOME CUSTOMIZED MALWARE. https://t.co/y8QUxeUG8r
— Jeremy Bowers (@jeremybowers) June 11, 2018
“It certainly can be a security risk,” Matthew Warren, professor of cyber security at Australia’s Deakin University, explained to Mashable.
“The idea of the USB is a way of connecting devices to computers, and either exchanging data or drawing power for operations. The problem is, there’s been a number of examples where USB devices can be hijacked and malicious code can be put on them.”
Security researchers Karsten Nohl and Jakob Lell demonstrated malware they had developed, called BadUSB, at the Black Hat Conference back in 2014.
The malware is installed in the firmware of the USB drive, not in its flash memory storage, which makes it undetectable. It also means other USB peripherals, like fans, can be used to covertly carry attack code.
Once plugged in, the malware can “completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic,” WIRED noted at the time.
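As an added illustration (not part of the original article), this Python example shows one check a defender can run on an isolated Linux analysis machine: list which USB interface classes each attached device has enumerated. It assumes the Linux sysfs layout under `/sys/bus/usb/devices`; the function names and the sample tree are constructed for the example.

```python
"""Flag USB devices that enumerate data interfaces (added example, Linux sysfs)."""
import os
import tempfile

# USB-IF interface class codes that let a device act on the host.
RISKY_CLASSES = {
    0x02: "communications/network (CDC)",
    0x03: "HID (keyboard/mouse)",
    0x08: "mass storage",
    0x0A: "CDC data",
    0xE0: "wireless controller",
}

def read_attr(path):
    """Read one sysfs attribute; return '' if it is missing or unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def audit_usb(root="/sys/bus/usb/devices"):
    """Return {device: [risky interface kinds]} for every enumerated device."""
    findings = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:  # interface directories look like "1-2:1.0"
            continue
        device = entry.split(":")[0]
        try:
            code = int(read_attr(os.path.join(root, entry, "bInterfaceClass")), 16)
        except ValueError:
            continue
        if code in RISKY_CLASSES:
            findings.setdefault(device, []).append(RISKY_CLASSES[code])
    return findings

def build_constructed_tree():
    """Constructed sample: '1-2' exposes HID + mass storage, '1-3' is a plain hub."""
    root = tempfile.mkdtemp()
    for iface, cls in {"1-2:1.0": "03", "1-2:1.1": "08", "1-3:1.0": "09"}.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    return root

if __name__ == "__main__":
    for dev, kinds in audit_usb(build_constructed_tree()).items():
        print(f"{dev}: enumerates as {', '.join(kinds)}")
```

A fan that only draws power never enumerates, so any device entry that appears after it is connected deserves scrutiny. A clean result is not proof of safety, since firmware can delay or change what it presents to the host.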
“Security hasn’t been built in to these USB devices,” Warren added. “I certainly wouldn’t be putting [the fan] in my machine.”
Of course, it could very well be true that the USB fan is just a USB fan. We’ll just have to see about that.