
“Beware of geeks bearing gifts”

The story begins with a very recent political summit in Singapore. As oft happens at such an event, there was a give-away schwag bag containing a variety of fabulous gifts such as a small bottle of water, a printed guide to Sentosa, a hand-held President Trump and Kim Jong-un branded fan, and lastly... a USB/Lightning-powered fan.

Note the size, as well as the spiffy Lightning adapter included for maximum Apple support!

Naturally, the internet security community responded with pleas for the reporters not to plug the device into their phones … “the malware implants will get you!”.

While it is challenging to argue with this reasonable point, it is also worth mentioning that at the time, no-one in the community had examined the actual devices distributed. There were even some random screams about how POTUS would get hold of a fan and plug it into one of his personal phones. Fear not, Americans: that’s one of the many things USSS/WHCA are there to interdict.

After the initial hullabaloo, similar fans procured outside of the conference were disassembled and examined and then proclaimed clean of malware.

While this is a humorous exercise, it is irrelevant (and Fitz knew that), and does not take into consideration targeted attacks at the event. A custom fan for a custom target you say? Why not? After all, there is historical precedent for targeted gift giving.

After the summit, Roel Schouwenberg of the CAG team was provided an actual summit device via Bart Gellman – known from the WaPo – in order to perform some digital forensic analysis.

After disassembly, some OS-level debugging efforts, and limited measurements using oscilloscopes and spectrum analyzers, there wasn’t anything to see. No data transmission of any sort was observed. The resistance of the device went up somewhat over time, but this appeared to be connected to the rising temperature of the device rather than something nefarious. The device that Mr. Gellman obtained seemed to be free of implants.

Note the “excellent” soldering! At least it has a flyback diode so it doesn’t immediately fry whatever it’s plugged into.

Does this mean anything? Not particularly. Maybe the person who received the package wasn’t a targeted POI. Maybe the system in question requires being tickled in a specific way to elicit an illicit behavior. Or perhaps none of the fans were dual purpose in nature, e.g. fan AND surveillance implant. This is a difficult problem to address without reviewing ALL the potentially poisoned pills.

With that being taken into consideration, we will offer several high-octane conjectures with references in order to express how we might utilize this ill-fated fan as some form of electronic espionage device. Apply some creativity and make certain to watch the videos.

We advise against plugging in electronics that are handed out. Instead, give them to your friendly neighborhood researcher who understands Cyber and EW. Ideally, put the electronics in a Faraday bag upon receipt.

In closing, cyber is a popular vector but not the only one. The opposition knows this, meanwhile the security community tends to eschew this reality. Furthermore, the most vocal “Cyber” experts are rarely TSCM experts. That arcane area of expertise tends to be populated with silent professionals who avoid the Twitterverse.

Written by: Roel, Dan, Mick & Dan
