Hacker Remix

Investigating an "Evil" RJ45 Dongle

236 points by zdw 5 hours ago | 70 comments

klik99 5 hours ago

"If you want to try it, be aware that it requires Intel Pentium 166MHz or above."

Made me laugh. Fun article, also really love the genre of "bored smart person goes too deep on something where the end result is obvious by common sense, but proving it requires a surprising amount of ingenuity and scrappiness."

er4hn 4 hours ago

Don't forget `I was ready to head over to the Dark Web (amazon.com) and purchase one of the dongles just to dump the contents of the memory chip.`

fishstock25 4 hours ago

Totally agree.

And a great example that truth is complicated, expensive and uncomfortable. It's much easier to postulate an evil nation-state entity with a bad plan (without evidence) than to dig through the thicket of this article. It's much cheaper as well, certainly in terms of time and knowhow. And it's also much more comfortable to claim you're the victim and have uncovered a conspiracy, rather than realize this was just the result of the patchwork typical of engineering.

Kudos to the author.

DSMan195276 4 hours ago

I would also add, it's not _unreasonable_ to be wary of something when a tool like a virus scan pops up a warning. The jargon used to explain what the executable is doing is gibberish to any 'normal' user, there's no way for them to know it's listing stuff you'd more or less expect it to be doing.

Of course, there's a bit of a jump from that to making bold claims about what it's doing, but the initial concern was understandable.

klik99 4 hours ago

Yeah, the insane takes spread faster, but it takes more time and resources to look into it than just coming to conclusions early.

The worst thing is this creates an environment where most people are either completely credulous and buy into everything or completely incredulous and think everything is unfounded. It's just exhausting to have a healthy level of skepticism these days, and maybe 1 out of 1000 times (number source: from thin air) something that sounds insane actually has some truth to it.

fishstock25 4 hours ago

Yeah, for a substantial fraction of people, this case will stick in their minds as "oh, the Chinese... again." It's both sad and scary. It was even submitted to HN. Flagged by now, but still. Many people won't have read this follow-up, especially since it doesn't come as a 1-sentence TL;DR.

dgfitz 2 hours ago

Hmm, why is it sad and scary?

MartijnBraam 4 hours ago

I came across the tweet about this "Evil" dongle and instantly recognized it as the exact same thing I worked on before... It's not evil, it's just annoying.

https://blog.brixit.nl/making-a-usb-ethernet-adapter-work-sr...

In my case I disabled the SPI flash module to have it not appear as a CD drive, the author of this post actually found some documentation about the SPI being optional. Funnily enough this post now also gives you all the tooling to make an actual evil RJ45 dongle by reflashing one :D

LeifCarrotson 2 hours ago

What happened to U3 at the top left in the image of the flash chip?

Looks like they had a footprint for a diode in a 3-pin SOT23 package and found they didn't have stock of the special part, so they installed a SOD323 diode at a 30 degree angle across two pins...

MartijnBraam 2 hours ago

I'm pretty sure that's exactly what happened

stavros 3 hours ago

Hm, why does shorting CS and S0 make it not work?

MartijnBraam 3 hours ago

Shorting almost any two of the communication lines of the flash chip will corrupt the communication enough that the ethernet controller thinks there's no flash installed at all.

nick__m 3 hours ago

I have no idea about S0, but CS is usually chip select. It should be sufficient to short it to prevent the chip from being selected. However, CS is frequently inverted and you would have to pull it up to prevent the chip selection, so maybe S0 is always high and inhibits CS.

cozzyd 3 hours ago

SO (MISO) should generally be high impedance if not selected...

I suspect this causes SO to always output the same value and the Ethernet controller must expect some magic

nick__m 3 hours ago

Thank you for refreshing my memory; I learned about that in college twenty-something years ago but never used that knowledge!

stavros 3 hours ago

That makes sense, thank you.

bentcorner 4 hours ago

I actually really appreciate USB devices that masquerade as a storage device to provide their own drivers. I suppose in this day and age the "right" thing to do is to upload a bunch of stuff to microsoft servers so that it downloads whatever is needed upon getting plugged in, but I've observed enough stuff needing manually installed drivers to know that this isn't as apparently easy as it may appear to be. (For example, I very often need to download vendor-specific ADB drivers)

Anyways, I think it's clever for peripherals to help you bootstrap, and having the drivers baked into the device makes things a little easier instead of trying to find a canonical download source.

Suppafly 4 hours ago

>I actually really appreciate USB devices that masquerade as a storage device to provide their own drivers.

I appreciate the ones that don't need their own drivers in the first place. Sure, some things need special drivers, but things like USB sticks and mice should just work using the default ones and let you get the updates from the internet if you want them.

necovek 4 hours ago

I appreciate them working out-of-the-box on Linux even more. And they mostly do, with Linux being the best PnP (Plug'n'Play — remember that with Windows 95? :) OS today.

But multiple modes of operation really made it harder to configure devices like those 4G/LTE USB dongles: they will either present as USB storage, or one type of serial device, or a CDC-ACM modem device (or something of the sort), requiring a combination of tools + vendor-specific AT commands to switch it into the right mode. Ugh, just get me back those simple devices that do the right thing OOB.

dylan604 4 hours ago

> (Plug'n'Play — remember that

I remember it as Plug-n-Pray

teaearlgraycold 1 hour ago

I only know that phrase thanks to the Computer Man song that I’ve seen on YouTube.

qwezxcrty 4 hours ago

In this specific case it makes a bit more sense, as when you need to install an RJ45 dongle is likely when you don't have a network connection.

bisrig 4 hours ago

I'm not sure what the current state of the art is, but for the longest time it was pretty common for USB peripheral ICs to have small flash devices attached to them in order to store VID/PID and other USB config information, so that the device is enumerated correctly when it's plugged in and can be associated with the correct driver etc. And depending on when the device was designed, 512kB might have been the smallest size that was readily available via the supply chain. It would not have been strange to use a device like that to store tens of bytes!

The ISO thing is a little bit weird, but to be honest it's a creative way to try to evade corporate IT security policies restricting mass storage USB devices. I think optical drives use a different device class that probably evades most restrictions, so if you enumerate as a complex device that's a combo optical drive/network adapter, you might be able to install your own driver even on computers where "USB drives" have been locked out!
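
As an added illustration of the enumeration point above (this is example code written for this page, not from the thread or from any vendor tool), the following Python models how an endpoint-inventory check would classify a composite "CD-ROM + network adapter" dongle versus a plain USB stick. A USB optical drive still uses the Mass Storage interface class (0x08); what distinguishes it is the ATAPI subclass (0x02) or, for the common SCSI-transparent subclass (0x06), the peripheral device type 0x05 (CD/DVD) returned by SCSI INQUIRY. Policies that deny only "removable disks" while allowing "CD and DVD" therefore treat the two differently, which is why a defender wants any device carrying storage alongside another function surfaced regardless of policy. The devices, VID/PID values and the policy table are constructed sample data; the class, subclass and device-type constants are the standard USB and SCSI values.

```python
"""Classify USB device functions from interface descriptors and SCSI INQUIRY data.

Added example for this discussion; the devices below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# USB interface class codes (usb.org defined class codes)
CLASS_CDC_COMM = 0x02      # Communications (e.g. CDC-ECM/NCM control interface)
CLASS_MASS_STORAGE = 0x08  # Mass Storage: disks, flash drives AND optical drives
CLASS_CDC_DATA = 0x0A      # CDC data interface
CLASS_VENDOR = 0xFF        # Vendor-specific (needs the vendor's own driver)

# Mass Storage subclass codes
MSC_SUBCLASS_ATAPI = 0x02  # SFF-8020i / MMC-2 (ATAPI), typically CD/DVD drives
MSC_SUBCLASS_SCSI = 0x06   # SCSI transparent command set

# SCSI INQUIRY peripheral device type (low 5 bits of byte 0 of the response)
PDT_DIRECT_ACCESS = 0x00   # direct-access block device (disk / flash drive)
PDT_CDROM = 0x05           # CD/DVD device


@dataclass
class Interface:
    number: int
    usb_class: int
    subclass: int = 0
    inquiry_pdt: Optional[int] = None  # only meaningful for mass storage interfaces


@dataclass
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: List[Interface] = field(default_factory=list)


def interface_role(iface: Interface) -> str:
    """Map one interface to the role an access-control policy would see."""
    if iface.usb_class in (CLASS_CDC_COMM, CLASS_CDC_DATA):
        return "network"
    if iface.usb_class == CLASS_MASS_STORAGE:
        # Optical emulation is still class 0x08; only subclass/INQUIRY reveals it.
        if iface.subclass == MSC_SUBCLASS_ATAPI or iface.inquiry_pdt == PDT_CDROM:
            return "cdrom"
        return "removable-disk"
    if iface.usb_class == CLASS_VENDOR:
        return "vendor-specific"
    return f"class-{iface.usb_class:#04x}"


def device_roles(dev: UsbDevice) -> Set[str]:
    return {interface_role(i) for i in dev.interfaces}


STORAGE_ROLES = {"removable-disk", "cdrom"}


def storage_allowed(dev: UsbDevice, policy: Dict[str, bool]) -> List[str]:
    """Storage roles of this device that the given allow/deny policy still permits."""
    return sorted(r for r in device_roles(dev) & STORAGE_ROLES if policy.get(r, True))


def presents_hidden_storage(dev: UsbDevice) -> bool:
    """True when a device bundles storage with a non-storage function (composite)."""
    roles = device_roles(dev)
    return bool(roles & STORAGE_ROLES) and bool(roles - STORAGE_ROLES)


# Constructed sample policy, modelled on "deny removable disks, allow CD/DVD".
POLICY_DENY_REMOVABLE = {"removable-disk": False, "cdrom": True}

# Constructed sample devices (VID/PID values are placeholders, not real vendors).
DONGLE = UsbDevice(0x1234, 0x0001, "constructed RJ45 dongle", [
    Interface(0, CLASS_VENDOR),                                   # NIC, vendor driver
    Interface(1, CLASS_MASS_STORAGE, MSC_SUBCLASS_SCSI, PDT_CDROM),  # emulated CD with ISO
])
USB_STICK = UsbDevice(0x1234, 0x0002, "constructed flash drive", [
    Interface(0, CLASS_MASS_STORAGE, MSC_SUBCLASS_SCSI, PDT_DIRECT_ACCESS),
])

if __name__ == "__main__":
    for dev in (DONGLE, USB_STICK):
        print(dev.product, sorted(device_roles(dev)),
              "storage still mounted:", storage_allowed(dev, POLICY_DENY_REMOVABLE),
              "composite-with-storage:", presents_hidden_storage(dev))
```

Run as a script it prints the constructed dongle as `['cdrom', 'vendor-specific']` with its CD-ROM still mounting under the deny-removable policy, and the plain stick as `['removable-disk']` with nothing mounting. The `presents_hidden_storage` check is the one worth wiring into an inventory: it flags the combination itself, independent of whichever storage categories the policy happens to deny.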

extraduder_ire 4 hours ago

For a time, Windows would more readily run an autorun from a disc than from a USB stick. Even if that disc was in an emulated USB disc drive.

stavros 3 hours ago

That's because there was malware that spread via autorun, which is rather harder to do with read-only media, even if it's emulated.

myself248 3 hours ago

And the "u3" flash drives that did this were a hot commodity for a little while!

Then came the iODD and the IsoStick...