At the Singapore summit between President Trump and North Korea’s Kim Jong-un this week, a company connected to the local government provided journalists with gift bags containing a tourism guidebook, a water bottle, a trial newspaper subscription to the Straits Times, and a fan that can be plugged into a USB port.
After journalists posted pictures of the bags’ contents, a number of cybersecurity experts sent tweets urging them not to plug in the fans, noting that the devices could be designed to surreptitiously download malicious software onto a victim’s computer.
Alan Woodward, a computer science professor at the University of Surrey, told the BBC, “There’s an adage in cyber-security: if you give someone physical access to your computer, it’s no longer your computer. Use an unknown USB stick and you are doing just that.”
As the Huffington Post points out, the Russian spies planted USB drives containing malware in kiosks surrounding the NATO headquarters in Kabul in 2008. A U.S. military official ended up purchasing one of the devices and plugged it into a secure computer. Russia reportedly employed the same ruse again during a G-20 summit near St. Petersburg in 2013, supplying foreign delegates with complimentary USB pen drives that were equipped to download information from a target’s computer.
It is rather warm in Singapore at this time of the year, with temperatures hovering around 90 degrees. There’s no proof that the USB fans are intended to do anything but provide a much-needed breeze. But, just to be safe, attendees should probably fan themselves with the guidebook instead.