The story begins with a very recent political summit in Singapore. As oft happens at such an event, there was a give-away schwag bag containing a variety of fabulous gifts such as a small bottle of water, a printed guide to Sentosa, a hand-held President Trump and Kim Jong-un branded fan, and lastly.. a USB/lightning powered fan.
Naturally, the internet security community responded with pleas for the reporters not to plug the device into their phones … “the malware implants will get you!”.
While it is challenging to argue this reasonable point, it is also worth mentioning that at the time, no-one in the community had examined the actual devices distributed. There were even some random screams about how POTUS would get hold of a fan and plug it into one of his personal phones. Fear not Americans, that’s one of the many things USSS/WHCA are there to interdict.
After the initial hullabaloo, similar fans procured outside of the conference were disassembled and examined and then proclaimed clean of malware.
While this is a humorous exercise, it is irrelevant (and Fitz knew that), and does not take into consideration targeted attacks at the event. A custom fan for a custom target you say? Why not? After all, there is historical precedent for targeted gift giving.
After the summit, Roel Schouwenberg of the CAG team was provided an actual summit device via Bart Gellman – known from the WaPo – in order to perform some digital forensic analysis.
Post disassembly, some OS level debugging efforts & limited measurements using oscilloscopes & spectrum analyzers, there wasn’t anything to see. No data transmission of any sort was observed. The resistance of the device went up some over time, but this appeared to be connected to the rising temperature of the device rather than something nefarious. The device that Mr. Gellman obtained seemed to be free of implants.
Does this mean anything? Not particularly. Maybe the person who received the package wasn’t a targeted POI. Maybe the system in question requires being tickled in a specific way to elicit an illicit behavior. Or perhaps none of the fans were dual purpose in nature; eg fan AND surveillance implant. This is a difficult problem to address without reviewing ALL the potentially poisoned pills.
With that being taken into consideration, we will offer several high-octane conjectures with references in order to express how we might utilize this ill-fated fan as some form of electronic espionage device. Apply some creativity and make certain to watch the videos.
- All tech has unique identifiers, for example every phone, computer and even typewriter have unique fingerprints. Even a disposable fan.
- In terms of the spooky fan, there is no battery. However, there is a motor…which if built to “custom spec” might oscillate at a specific frequency providing a specific electronic signature when operating. This could be used to profile the target, or perhaps something even more interesting. Hit the Google for Mossman’s various projects.
- In the world of crypto & hardware hacking, side-channels are common attack vectors. This ranges from power consumption to electromagnetic leaks, behavior of specific electronic components within gear under specific conditions. A reasonable analog of those side channels is metadata. You can often inspect metadata without directly probing a particular technology. Now, imagine a factory installed battery that is designed to track keystrokes and user activity (phone, email, chat) by baselining and tracking power flow to the unit. Each character and action creates a power spike! There’s even an easy way to exfil the data since most mobiles are internet connected 24/7. Pwn the phone without touching the OS/Baseband. Cool right? It’s been done.
- Envision a 3d printed WiFi connected plastic object, and metamaterial printed antenna utilizing local WiFi RF backscatter to provide power and to connect to the internet. Imagine creating a heatmap of a room or a vehicle using the reflected WiFi signals and exfiltrating the WiFi hologram outbound, all without a battery.
We advise against plugging in electronics that are handed out. Instead, give them to your friendly neighborhood researcher who understands Cyber and EW. Ideally, put the electronics in a Faraday bag upon receipt.
In closing, cyber is a popular vector but not the only one. The opposition knows this, meanwhile the security community tends to eschew this reality. Furthermore, the most vocal “Cyber” experts are rarely TSCM experts. That arcane area of expertise tends to be populated with silent professionals who avoid the Twitterverse.
Written by: Roel, Dan, Mick & Dan