Concerns about state-sponsored malware from a USB-powered fan might be overblown.
Journalists attending the meeting between President Donald Trump and North Korean dictator Kim Jong Un last month received a welcome bag that included a small rotary fan they could plug into their phones and computers. The gadget might have seemed enticing -- the meeting was in steamy Singapore -- but security experts across social media warned reporters against it, pointing out it could contain malware.
We got a lightning-cable version of the fan and sent it to TrustedSec researchers. They took the fan apart and found no malware. That lines up with what Sergei Skorobogatov, a University of Cambridge security researcher, discovered on the USB-C fan version in the first week of July.
While both fans were clean, the warnings weren't over the top. USB devices are often used for espionage. In 2013, Russian agents reportedly gave infected flash drives to foreign leaders at the G20 summit, according to Italian newspapers. The New Yorker also reported that Russian agents purposely left malware-packed thumb drives around NATO's headquarters in 2008, hoping a US official would use it. And last year, IBM warned customers to destroy USB drives that shipped out with malware on them.
State hacking is also a legitimate concern, especially considering North Korea's capabilities and the high-profile of the June 12 summit. It's happened recently. US special counsel Robert Mueller filed charges against 12 Russian hackers behind a cyberattack on the Democratic National Committee, days before President Trump set to meet with with Russian president Vladimir Putin on Monday in Finland.
Rob Simon, TrustedSec's senior security consultant, started the analysis by doing what everyone warned against -- he plugged the USB fan into a jailbroken iPhone, which is more susceptible to viruses.
"Our idea was to plug it into a device first and see if we can detect anything happening on the network," Simon said. "There were no changes to the iOS that we could detect."
The second test was to cut the fan open and see what was on the USB device's circuit board.
"We took it apart to see if it even had a capability to provide any data," he said.
The lightning connector was linked to a 6-pin chip, with two capacitors for powering the fan.
Some pins on the chip were able to transfer data, but they didn't appear to be active, Simon said. It's most likely those pins were there to allow the lightning connector to be reversible, he added.
Based on the breakdown, TrustedSec's researchers concluded it was unlikely the USB fan had any malware on it. Singapore's government also said the USB fans didn't have any storage or processing capabilities.
Still though, it's generally good cybersecurity practice to avoid plugging in any USB devices you aren't familiar with. Just because these fans are safe doesn't mean every other one is.