"It is already possible for an assassin to send someone an e-mail with an innocent-looking attachment. When the receiver downloads the attachment, the electrical current and molecular structure of the central processing unit is altered, causing it to blast apart like a large hand grenade.”
I feel like that might have been what took out a neighbor down the street.
Sorry, I got distracted by the newspaper clipping in the article and had to laugh.
"If you want to try it, be aware that it requires Intel Pentium 166MHz or above."
Made me laugh. Fun article, also really love the genre of "bored smart person goes too deep on something that the end result is obvious by common sense but proving it requires surprising amount of ingenuity and scrappiness"
And a great example that truth is complicated, expensive and uncomfortable. It's much easier to postulate an evil nation-state entity with a bad plan (without evidence) than to dig through the thicket of this article. It's much cheaper as well, certainly in terms of time and knowhow. And it's also much more comfortable to claim you're the victim and have uncovered a conspiracy, rather than realize this was just the result of the patchwork typical of engineering.
I would also add, it's not _unreasonable_ to be wary of something when a tool like a virus scan pops up a warning. The jargon used to explain what the executable is doing is gibberish to any 'normal' user, there's no way for them to know it's listing stuff you'd more or less expect it to be doing.
Of course, there's a bit of a jump from that to making bold claims about what it's doing, but the initial concern was understandable.
Yeah, the insane takes spread faster but it takes more time and resources to look into it than just come to conclusions early.
The worst thing is this creates an environment where most people are either completely credulous and buy into everything or completely incredulous and think everything is unfounded. It's just exhausting to have a healthy level of skepticism these days, and maybe 1 out of 1000 times (number source: from thin air) something that sounds insane actually has some truth to it.
I came across the tweet about this "Evil" dongle and instantly recognized it as the exact same thing I worked on before... It's not evil, it's just annoying.
In my case I disabled the SPI flash module to have it not appear as a CD drive, the author of this post actually found some documentation about the SPI being optional. Funnily enough this post now also gives you all the tooling to make an actual evil RJ45 dongle by reflashing one :D
What happened to U3 at the top left in the image of the flash chip?
Looks like they had a footprint for a diode in a 3-pin SOT23 package and found they didn't have stock of the special part, so they installed a SOD323 diode at a 30 degree angle across two pins...
Shorting almost any two of the communication lines of the flash chip will corrupt the communication enough that the ethernet controller thinks there's no flash installed at all.
I have no idea about S0 but CS is usually chip select. It should be sufficient to short it to prevent the chip from being selected. However CS is frequently inverted and you would have to pull it up to prevent the chip selection, so maybe S0 is always high and inhibit CS
I actually really appreciate USB devices that masquerade as a storage device to provide their own drivers. I suppose in this day and age the "right" thing to do is to upload a bunch of stuff to microsoft servers so that it downloads whatever is needed upon getting plugged in, but I've observed enough stuff needing manually installed drivers to know that this isn't as apparently easy as it may appear to be. (For example, I very often need to download vendor-specific ADB drivers)
Anyways, I think it's clever for peripherals to help you bootstrap, and having the drivers baked into the device makes things a little easier instead of trying to find a canonical download source.
>I actually really appreciate USB devices that masquerade as a storage device to provide their own drivers.
I appreciate the ones that don't need their own drivers in the first places. Sure something needs special drivers but things like usb sticks and mice should just work using the default ones and let you get the updates from the internet if you want them.
I appreciate them working out-of-the-box on Linux even more. And they mostly do, with Linux being the best PnP (Plug'n'Play — remember that with Windows 95? :) OS today.
But multiple modes of operation really made it harder for to configure devices like those 4G/LTE USB dongles: they will either present as USB storage, or one type of serial device or a CDC-ACM modem device (or something of the sort), requiring a combination of the tools + vendor-specific AT commands to switch it into the right mode. Ugh, just get me back those simple devices that do the right thing OOB.
I'm not sure what the current state of the art is, but for the longest time it was pretty common for USB peripheral ICs to have small flash devices attached to them in order to be able to store VID/PID and other USB config information, so that the device is enumerated correctly when it's plugged in and can be associated with the correct driver etc. And depending on when the device was designed, 512kB might have been the smallest size that was readily available via supply chain. It would not have been strange to use a device like that to store 10s of bytes!
The ISO thing is a little bit weird, but to be honest it's a creative way to try to evade corporate IT security policies restricting mass storage USB devices. I think optical drives use a different device class that probably evades most restrictions, so if you enumerate as a complex device that's a combo optical drive/network adapter, you might be able to install your own driver even on computers where "USB drives" have been locked out!
I don't mind calling the connector an RJ45, but calling this thing an "RJ45 dongle" makes my eye twitch. It's an Ethernet dongle - RJ45 can be used for a lot of other things. For example I've seen "RJ45 dongles" that convert USB to RS232 serial for the console ports on a lot of networking equipment.
TIL. After maybe 25 years of using this connector, I've never heard it called 8P8C. I knew Ethernet has used other physical layers including coax, which I used to run between Amigas way back in the day. But, today I finally learned about 8P8C.
RJ45 isn't even actually the same connector, at least not in the original FCC naming. That was an 8P8C keyed modular connector. RJ45 connectors had only two of the positions connected to wires (one phone line) an internal resistor between two of the other positions, and a keying bar that stuck out of the plug so they wouldn't even go into the unkeyed 8P8C jacks we use for Ethernet.
So I'll still call them RJ45 connectors. Because nobody has time to say "8P8C unkeyed modular connector" every time!
>Malicious hardware has plenty of precedent: it’s been used by intelligence agencies and private pentesters alike. Heck, a bit over a decade ago, I built an evil plasma globe for work. Still, we weren’t here to debate whether a malicious RJ45-to-USB adapter could be made. The important question was whether in this particular instance — as the poster put it — “the Chinese were at it again”.
Embedded storage was actually very common some decades ago, remember seeing it in a lot of devices, mostly 3G USB Modems, there was even a AT command to enable/disable it.
Seems that the origin of the "chinese hack" theory can be just resumed to: younger people not being used to this kind of old stuff.
A harmful connection to the Ethernet port would be extremely difficult. A harmful connection to a USB port is extremely easy. Call it what it is: an "Evil" USB dongle that happens to also have an Ethernet socket.
On the general topic of USB to 1000BASE-T (and now 2.5 GBaseT) dongles, for people who care about performance, it's good to know about the distinction between those that are USB devices and those that are PCI-Express devices.
Basically, what do you get if you hotplug it into a laptop running a current linux kernel and do "sudo lsusb -v" vs "sudo lspci -v"?
The ones that are native PCIE devices offer much better performance, up to 2.5 GBASET line rate, and will communicate with the host over the implementation of thunderbolt over USB.
The ones that are USB only might work okay, but there's a reason they're cheap.
Of course a cheaper laptop also won't have any implementation of thunderbolt on it, so that's something to consider as well.
I've only got superficial knowledge in this regard, so please take it with a grain of salt, but: the way I understand it is that PCIE has full direct memory access, so devices connected through it can use zero copy and similar techniques to access and process data much faster, especially with lower latencies than over regular USB. Using USB might/will require copying the data to transfer/read from and to different buffers, between user/kernel space, etc.
USB doesn’t provide any DMA (until USB 4) and requires more host cpu resources to meet the same bandwidth. It also has less consistent performance by virtue of the USB protocol itself.
I'm guessing if I accidentally got a pci-e one, it wouldn't work in any of the USB ports I would connect it to (as, to my knowledge, I only have USB ports), or do they generally fall back to working as a USB device?
USB-to-Ethernet adapters are life savers when you need to:
(A) replace your WiFi adapter - download drivers from internet
(B) configure a router or other equipment (hard to configure WiFi without WiFi).
(C) stand up your Linux install on your laptop (easiest way to futz around until you get WiFi adapter working - but check chipset on adapter is compatible which the cheapest usually are)
You don't usually care about the performance. Just keep a cheap one in your box of shit - I need mine often enough. If you need high performance, then buy a high performance adapter.
Not saying they're not useful for specific purposes. But anyone buying them hoping to improve performance compared to their WiFi, often comes away very disappointed.
In my case A) and B) are irrelevant because I only really own or deal with laptops now days, and they invariably have built in WiFi, but usually not built-in Ethernet!
Old custom software, old hardware, vendor wants all the $ for an upgrade, we refuse to pay. I took 10 desktop pc's($500 each) replaced servers ($20k each), one usb to ethernet dongle in every pc b/c we needed 2 network ports and we had this laying around, USB3 to GB, slap virtualization with USB passthrough. They work for 5+ years, gigabit speed, 24/7 with no problems.
People should have more faith in dongles. Not all are bad.
In my experience they always held up the 100 Mbit/sec claim for lower-end variants, and an acceptable 350-ish Mbit/sec on USB2-backed GbE devices. I have no experience with GbE USB3 dongles.
RTL8156B does line-rate 2.5 Gbit/s no problem, most USB-C docks with network have a RTL8153B in them and that does line rate as well. Even mildly dodgy first-generation stuff like AX88179 generally works.
I.M.H.O. these USB dongles are actually preferable to the much more expensive Thunderbolt dongles praised below, because a) they work on regular USB ports as well b) they do not require Thunderbolt c) they use less power and d) they don't force a highly ventilated cooling mode on certain host systems. And, fwiw, at least some Thunderbolt docks actually used USB NICs connected to the internal USB controller, which was hooked up over PCIe.
I don’t remember the exact issues, but I remember seeing years ago my old Intel MacBook had noticeably higher cpu usage when connected to and using a Pluggable dock which had a Realtek Ethernet chipset. Switching to WiFi reduced cpu usage. AFAIK had something to do with bad and/or lack of hardware processing in the Realtek chipset so it had to do it on the cpu.
Now I never trust anything with Realtek in it, and if buying anything with an Ethernet port, I try to make sure it’s not Realtek. Is this still valid concern, or is Realtek better now?
It proves it might be possible to backdoor it. Maybe.
I don't know of any modern systems that will execute anything on a newly inserted drive, nor boot from an external drive in the default configuration.
So we are missing a couple of things. First, a vulnerability in the OS/system. Second, an implementation of that vulnerability in a device like this.
Should this design be phased out? Perhaps. There is relatively little difference between not populating the flash memory part of the board and a proper network-only implementation.
"It is already possible for an assassin to send someone an e-mail with an innocent-looking attachment. When the receiver downloads the attachment, the electrical current and molecular structure of the central processing unit is altered, causing it to blast apart like a large hand grenade.”
I feel like that might have been what took out a neighbor down the street.
Sorry, I got distracted by the newspaper clipping in the article and had to laugh.
"If you want to try it, be aware that it requires Intel Pentium 166MHz or above."
Made me laugh. Fun article, also really love the genre of "bored smart person goes too deep on something that the end result is obvious by common sense but proving it requires surprising amount of ingenuity and scrappiness"
Don't forget `I was ready to head over to the Dark Web (amazon.com) and purchase one of the dongles just to dump the contents of the memory chip.`
Totally agree.
And a great example that truth is complicated, expensive and uncomfortable. It's much easier to postulate an evil nation-state entity with a bad plan (without evidence) than to dig through the thicket of this article. It's much cheaper as well, certainly in terms of time and knowhow. And it's also much more comfortable to claim you're the victim and have uncovered a conspiracy, rather than realize this was just the result of the patchwork typical of engineering.
Kudos to the author.
I would also add, it's not _unreasonable_ to be wary of something when a tool like a virus scan pops up a warning. The jargon used to explain what the executable is doing is gibberish to any 'normal' user, there's no way for them to know it's listing stuff you'd more or less expect it to be doing.
Of course, there's a bit of a jump from that to making bold claims about what it's doing, but the initial concern was understandable.
Yeah, the insane takes spread faster but it takes more time and resources to look into it than just come to conclusions early.
The worst thing is this creates an environment where most people are either completely credulous and buy into everything or completely incredulous and think everything is unfounded. It's just exhausting to have a healthy level of skepticism these days, and maybe 1 out of 1000 times (number source: from thin air) something that sounds insane actually has some truth to it.
2 replies →
I came across the tweet about this "Evil" dongle and instantly recognized it as the exact same thing I worked on before... It's not evil, it's just annoying.
https://blog.brixit.nl/making-a-usb-ethernet-adapter-work-sr...
In my case I disabled the SPI flash module to have it not appear as a CD drive, the author of this post actually found some documentation about the SPI being optional. Funnily enough this post now also gives you all the tooling to make an actual evil RJ45 dongle by reflashing one :D
What happened to U3 at the top left in the image of the flash chip?
Looks like they had a footprint for a diode in a 3-pin SOT23 package and found they didn't have stock of the special part, so they installed a SOD323 diode at a 30 degree angle across two pins...
I'm pretty sure that's exactly what happened
Hm, why does shorting CS and S0 make it not work?
Shorting almost any two of the communication lines of the flash chip will corrupt the communication enough that the ethernet controller thinks there's no flash installed at all.
I have no idea about S0 but CS is usually chip select. It should be sufficient to short it to prevent the chip from being selected. However CS is frequently inverted and you would have to pull it up to prevent the chip selection, so maybe S0 is always high and inhibit CS
3 replies →
I actually really appreciate USB devices that masquerade as a storage device to provide their own drivers. I suppose in this day and age the "right" thing to do is to upload a bunch of stuff to microsoft servers so that it downloads whatever is needed upon getting plugged in, but I've observed enough stuff needing manually installed drivers to know that this isn't as apparently easy as it may appear to be. (For example, I very often need to download vendor-specific ADB drivers)
Anyways, I think it's clever for peripherals to help you bootstrap, and having the drivers baked into the device makes things a little easier instead of trying to find a canonical download source.
>I actually really appreciate USB devices that masquerade as a storage device to provide their own drivers.
I appreciate the ones that don't need their own drivers in the first places. Sure something needs special drivers but things like usb sticks and mice should just work using the default ones and let you get the updates from the internet if you want them.
I appreciate them working out-of-the-box on Linux even more. And they mostly do, with Linux being the best PnP (Plug'n'Play — remember that with Windows 95? :) OS today.
But multiple modes of operation really made it harder for to configure devices like those 4G/LTE USB dongles: they will either present as USB storage, or one type of serial device or a CDC-ACM modem device (or something of the sort), requiring a combination of the tools + vendor-specific AT commands to switch it into the right mode. Ugh, just get me back those simple devices that do the right thing OOB.
> (Plug'n'Play — remember that
I remember it as Plug-n-Pray
1 reply →
In this specific case it makes a bit more sense, as when you need to install a RJ45 dongle is likely when you don't have a network connection.
I'm not sure what the current state of the art is, but for the longest time it was pretty common for USB peripheral ICs to have small flash devices attached to them in order to be able to store VID/PID and other USB config information, so that the device is enumerated correctly when it's plugged in and can be associated with the correct driver etc. And depending on when the device was designed, 512kB might have been the smallest size that was readily available via supply chain. It would not have been strange to use a device like that to store 10s of bytes!
The ISO thing is a little bit weird, but to be honest it's a creative way to try to evade corporate IT security policies restricting mass storage USB devices. I think optical drives use a different device class that probably evades most restrictions, so if you enumerate as a complex device that's a combo optical drive/network adapter, you might be able to install your own driver even on computers where "USB drives" have been locked out!
For a time, windows would more readily run an autorun from a disc than from a usb stick. Even if that disc was in an emulated usb disk drive.
That's because there was malware that spread via autorun, which is rather harder to do with read-only media, even if it's emulated.
And the "u3" flash drives that did this were a hot commodity for a little while!
Then came the iODD and the IsoStick...
RJ45 nazi here: these should be called 8P8C
I’ll show myself out
I don't mind calling the connector an RJ45, but calling this thing an "RJ45 dongle" makes my eye twitch. It's an Ethernet dongle - RJ45 can be used for a lot of other things. For example I've seen "RJ45 dongles" that convert USB to RS232 serial for the console ports on a lot of networking equipment.
At least they didn’t call it a wired WiFi dongle.
https://studiohub.com/
Or RJ31X or RJ38X, both of which did use the 8P8C modular connector in its unkeyed configuration.
Heh I think anyone who studies for the Network+ ends up debating every time RJ45 is mentioned whether to make this comment or not haha
Don't show yourself out. Stay and remind people. It's important, since these two aren't interchangeable in both directions.
TIL. After maybe 25 years of using this connector, I've never heard it called 8P8C. I knew Ethernet has used other physical layers including coax, which I used to run between Amigas way back in the day. But, today I finally learned about 8P8C.
RJ45 isn't even actually the same connector, at least not in the original FCC naming. That was an 8P8C keyed modular connector. RJ45 connectors had only two of the positions connected to wires (one phone line) an internal resistor between two of the other positions, and a keying bar that stuck out of the plug so they wouldn't even go into the unkeyed 8P8C jacks we use for Ethernet.
So I'll still call them RJ45 connectors. Because nobody has time to say "8P8C unkeyed modular connector" every time!
2 replies →
Related:
Cheap rj45 ethernet to USB adapter contains malware
https://news.ycombinator.com/item?id=42679498
Are there "evil" USB ethernet dongles? Of course there are...(just not this one)
https://hak5.org/products/lan-turtle
The article admits this explicitly:
>Malicious hardware has plenty of precedent: it’s been used by intelligence agencies and private pentesters alike. Heck, a bit over a decade ago, I built an evil plasma globe for work. Still, we weren’t here to debate whether a malicious RJ45-to-USB adapter could be made. The important question was whether in this particular instance — as the poster put it — “the Chinese were at it again”.
Not to mention the evil ethernet patch cable:
https://imgur.com/Gpgj7w7
Embedded storage was actually very common some decades ago, remember seeing it in a lot of devices, mostly 3G USB Modems, there was even a AT command to enable/disable it.
Seems that the origin of the "chinese hack" theory can be just resumed to: younger people not being used to this kind of old stuff.
A harmful connection to the Ethernet port would be extremely difficult. A harmful connection to a USB port is extremely easy. Call it what it is: an "Evil" USB dongle that happens to also have an Ethernet socket.
Brought to you by Epcyber CEO. All their trainings are OSINT on China. Of course this company is full of clickers, using just automated tools.
@lcamtuf: It's Igor Pavlov, not Ivan Pavlov
On the general topic of USB to 1000BASE-T (and now 2.5 GBaseT) dongles, for people who care about performance, it's good to know about the distinction between those that are USB devices and those that are PCI-Express devices.
Basically, what do you get if you hotplug it into a laptop running a current linux kernel and do "sudo lsusb -v" vs "sudo lspci -v"?
The ones that are native PCIE devices offer much better performance, up to 2.5 GBASET line rate, and will communicate with the host over the implementation of thunderbolt over USB.
The ones that are USB only might work okay, but there's a reason they're cheap.
Of course a cheaper laptop also won't have any implementation of thunderbolt on it, so that's something to consider as well.
Could you elaborate on why the USB ones are worse?
Per Wikipedia, USB 3.0 (from 2008) can reach 5 Gbit/s, so (naively?) one would expect them to reach 2.5 GbE line rate easily, right?
I've only got superficial knowledge in this regard, so please take it with a grain of salt, but: the way I understand it is that PCIE has full direct memory access, so devices connected through it can use zero copy and similar techniques to access and process data much faster, especially with lower latencies than over regular USB. Using USB might/will require copying the data to transfer/read from and to different buffers, between user/kernel space, etc.
USB doesn’t provide any DMA (until USB 4) and requires more host cpu resources to meet the same bandwidth. It also has less consistent performance by virtue of the USB protocol itself.
3 replies →
Realtek RTL8156 (USB 2.5G ethernet) is fast and rock solid, even for server use cases. I’d take it over an i225 any day
I'm guessing if I accidentally got a pci-e one, it wouldn't work in any of the USB ports I would connect it to (as, to my knowledge, I only have USB ports), or do they generally fall back to working as a USB device?
All USB-to-Ethernet adapters are pretty evil in my experience. Always terrible performance, often slower than WiFi.
USB-to-Ethernet adapters are life savers when you need to:
(A) replace your WiFi adapter - download drivers from internet
(B) configure a router or other equipment (hard to configure WiFi without WiFi).
(C) stand up your Linux install on your laptop (easiest way to futz around until you get WiFi adapter working - but check chipset on adapter is compatible which the cheapest usually are)
You don't usually care about the performance. Just keep a cheap one in your box of shit - I need mine often enough. If you need high performance, then buy a high performance adapter.
Not saying they're not useful for specific purposes. But anyone buying them hoping to improve performance compared to their WiFi, often comes away very disappointed.
In my case A) and B) are irrelevant because I only really own or deal with laptops now days, and they invariably have built in WiFi, but usually not built-in Ethernet!
3 replies →
Old custom software, old hardware, vendor wants all the $ for an upgrade, we refuse to pay. I took 10 desktop pc's($500 each) replaced servers ($20k each), one usb to ethernet dongle in every pc b/c we needed 2 network ports and we had this laying around, USB3 to GB, slap virtualization with USB passthrough. They work for 5+ years, gigabit speed, 24/7 with no problems.
People should have more faith in dongles. Not all are bad.
In my experience they always held up the 100 Mbit/sec claim for lower-end variants, and an acceptable 350-ish Mbit/sec on USB2-backed GbE devices. I have no experience with GbE USB3 dongles.
RTL8156B does line-rate 2.5 Gbit/s no problem, most USB-C docks with network have a RTL8153B in them and that does line rate as well. Even mildly dodgy first-generation stuff like AX88179 generally works.
I.M.H.O. these USB dongles are actually preferable to the much more expensive Thunderbolt dongles praised below, because a) they work on regular USB ports as well b) they do not require Thunderbolt c) they use less power and d) they don't force a highly ventilated cooling mode on certain host systems. And, fwiw, at least some Thunderbolt docks actually used USB NICs connected to the internal USB controller, which was hooked up over PCIe.
I don’t remember the exact issues, but I remember seeing years ago my old Intel MacBook had noticeably higher cpu usage when connected to and using a Pluggable dock which had a Realtek Ethernet chipset. Switching to WiFi reduced cpu usage. AFAIK had something to do with bad and/or lack of hardware processing in the Realtek chipset so it had to do it on the cpu.
Now I never trust anything with Realtek in it, and if buying anything with an Ethernet port, I try to make sure it’s not Realtek. Is this still valid concern, or is Realtek better now?
1 reply →
[dead]
[dead]
TLDR: it is not "evil"
So many wtf here. If anything this proves it is backdoored network card
1) downloading Windows exe files from Chinese forums
2) the USB storage provided by network card can still contain malware,
3) or can be accidentally booted from
4) it has universal USB controller, so can become any HID device: keyboard, mouse...
>2) the USB storage provided by network card can still contain malware,
That seems unlikely given that "malware" is signed by Microsoft Windows Hardware Compatibility Publisher.
https://news.ycombinator.com/item?id=42680282
It proves it might be possible to backdoor it. Maybe.
I don't know of any modern systems that will execute anything on a newly inserted drive, nor boot from an external drive in the default configuration.
So we are missing a couple of things. First, a vulnerability in the OS/system. Second, an implementation of that vulnerability in a device like this.
Should this design be phased out? Perhaps. There is relatively little difference between not populating the flash memory part of the board and a proper network-only implementation.