[HN Gopher] Investigating an "Evil" RJ45 Dongle
___________________________________________________________________
Investigating an "Evil" RJ45 Dongle
Author : zdw
Score : 122 points
Date : 2025-01-17 20:41 UTC (2 hours ago)
(HTM) web link (lcamtuf.substack.com)
(TXT) w3m dump (lcamtuf.substack.com)
| ChrisArchitect wrote:
| Related:
|
| _Cheap rj45 ethernet to USB adapter contains malware_
|
| https://news.ycombinator.com/item?id=42679498
| baq wrote:
| RJ45 nazi here: these should be called 8P8C
|
| I'll show myself out
| leptons wrote:
| TIL. After maybe 25 years of using this connector, I've never
| heard it called 8P8C. I knew Ethernet has used other physical
| layers including coax, which I used to run between Amigas way
| back in the day. But, today I finally learned about 8P8C.
| SAI_Peregrinus wrote:
| RJ45 isn't even actually the same connector, at least not in
| the original FCC naming. That was an 8P8C _keyed_ modular
| connector. RJ45 connectors had only two of the positions
| connected to wires (one phone line) an internal resistor
| between two of the other positions, _and a keying bar that
| stuck out of the plug_ so they wouldn't even go into the
| unkeyed 8P8C jacks we use for Ethernet.
|
| So I'll still call them RJ45 connectors. Because nobody has
| time to say "8P8C unkeyed modular connector" every time!
| necovek wrote:
| Weren't phone lines something like RJ11 or RJ12?
|
| FWIW, TIL about 8P8C.
| geerlingguy wrote:
| Heh I think anyone who studies for the Network+ ends up
| debating every time RJ45 is mentioned whether to make this
| comment or not haha
| polpo wrote:
| I don't mind calling the connector an RJ45, but calling this
| thing an "RJ45 dongle" makes my eye twitch. It's an Ethernet
| dongle - RJ45 can be used for a lot of other things. For
| example I've seen "RJ45 dongles" that convert USB to RS232
| serial for the console ports on a lot of networking equipment.
| dtgriscom wrote:
| https://studiohub.com/
| poisonborz wrote:
| TLDR: it is not "evil"
| walrus01 wrote:
| On the general topic of USB to 1000BASE-T (and now 2.5 GBaseT)
| dongles, for people who care about performance, it's good to know
| about the distinction between those that are USB devices and
| those that are PCI-Express devices.
|
| Basically, what do you get if you hotplug it into a laptop
| running a current linux kernel and do "sudo lsusb -v" vs "sudo
| lspci -v"?
|
| The ones that are native PCIE devices offer much better
| performance, up to 2.5 GBASET line rate, and will communicate
| with the host over the implementation of thunderbolt over USB.
|
| The ones that are USB only might work okay, but there's a reason
| they're cheap.
|
| Of course a cheaper laptop also won't have any implementation of
| thunderbolt on it, so that's something to consider as well.
| Tijdreiziger wrote:
| Could you elaborate on why the USB ones are worse?
|
| Per Wikipedia, USB 3.0 (from 2008) can reach 5 Gbit/s, so
| (naively?) one would expect them to reach 2.5 GbE line rate
| easily, right?
| ComputerGuru wrote:
| USB doesn't provide any DMA (until USB 4) and requires more
| host cpu resources to meet the same bandwidth. It also has
| less consistent performance by virtue of the USB protocol
| itself.
| mianos wrote:
| I am confused by this, I worked on a Linux USB driver that
| used DMA in 2003.
| ComputerGuru wrote:
| DMA from device to host directly rather than from host
| USB controller to host memory.
| mianos wrote:
| When I worked on it, the USB controller was just a PCI
| bus device that, once set up, streamed the incoming data
| from a USB ADC in blocks directly to memory.
| Maybe they took all that back out.
| d_k_f wrote:
| I've only got superficial knowledge in this regard, so please
| take it with a grain of salt, but: the way I understand it is
| that PCIE has full direct memory access, so devices connected
| through it can use zero copy and similar techniques to access
| and process data much faster, especially with lower latencies
| than over regular USB. Using USB might/will require copying
| the data to transfer/read from and to different buffers,
| between user/kernel space, etc.
| toast0 wrote:
| I'm guessing if I accidentally got a pci-e one, it wouldn't
| work in any of the USB ports I would connect it to (as, to my
| knowledge, I only have USB ports), or do they generally fall
| back to working as a USB device?
| throeurir wrote:
| So many wtf here. If anything this proves it is a backdoored
| network card
|
| 1) downloading Windows exe files from Chinese forums
|
| 2) the USB storage provided by network card can still contain
| malware,
|
| 3) or can be accidentally booted from
|
| 4) it has a universal USB controller, so can become any HID device:
| keyboard, mouse...
| avidiax wrote:
| It proves it might be possible to backdoor it. Maybe.
|
| I don't know of any modern systems that will execute anything
| on a newly inserted drive, nor boot from an external drive in
| the default configuration.
|
| So we are missing a couple of things. First, a vulnerability in
| the OS/system. Second, an implementation of that vulnerability
| in a device like this.
|
| Should this design be phased out? Perhaps. There is relatively
| little difference between not populating the flash memory part
| of the board and a proper network-only implementation.
| gruez wrote:
| >2) the USB storage provided by network card can still contain
| malware,
|
| That seems unlikely given that "malware" is signed by Microsoft
| Windows Hardware Compatibility Publisher.
|
| https://news.ycombinator.com/item?id=42680282
| klik99 wrote:
| "If you want to try it, be aware that it requires Intel Pentium
| 166MHz or above."
|
| Made me laugh. Fun article, also really love the genre of "bored
| smart person goes too deep on something that the end result is
| obvious by common sense but proving it requires surprising amount
| of ingenuity and scrappiness"
| er4hn wrote:
| Don't forget `I was ready to head over to the Dark Web
| (amazon.com) and purchase one of the dongles just to dump the
| contents of the memory chip.`
| fishstock25 wrote:
| Totally agree.
|
| And a great example that truth is complicated, expensive and
| uncomfortable. It's much _easier_ to postulate an evil nation-
| state entity with a bad plan (without evidence) than to dig
| through the thicket of this article. It's much _cheaper_ as
| well, certainly in terms of time and knowhow. And it's also
| much more _comfortable_ to claim you're the victim and have
| uncovered a conspiracy, rather than realize this was just the
| result of the patchwork typical of engineering.
|
| Kudos to the author.
| klik99 wrote:
| Yeah, the insane takes spread faster but it takes more time
| and resources to look into it than just come to conclusions
| early.
|
| The worst thing is this creates an environment where most
| people are either completely credulous and buy into
| everything or completely incredulous and think everything is
| unfounded. It's just exhausting to have a healthy level of
| skepticism these days, and maybe 1 out of 1000 times (number
| source: from thin air) something that sounds insane actually
| has some truth to it.
| fishstock25 wrote:
| Yeah, for a substantial fraction of people, this case will
| stick in their minds as "oh the Chinese .. again". It's both
| sad and scary. It was even submitted to HN. Flagged by now,
| but still. Many people won't have read this follow-up,
| especially since it doesn't come as a 1-sentence TL;DR..
| DSMan195276 wrote:
| I would also add, it's not _unreasonable_ to be wary of
| something when a tool like a virus scan pops up a warning.
| The jargon used to explain what the executable is doing is
| gibberish to any 'normal' user, there's no way for them to
| know it's listing stuff you'd more or less expect it to be
| doing.
|
| Of course, there's a bit of a jump from that to making bold
| claims about what it's doing, but the initial concern was
| understandable.
| Reason077 wrote:
| All USB-to-Ethernet adapters are pretty evil in my experience.
| Always terrible performance, often slower than WiFi.
| batrat wrote:
| Old custom software, old hardware, vendor wants all the $ for
| an upgrade, we refuse to pay. I took 10 desktop PCs ($500 each)
| to replace servers ($20k each), one USB to Ethernet dongle in
| every PC b/c we needed 2 network ports and we had these lying
| around, USB3 to GbE, slap virtualization with USB passthrough.
| They work for 5+ years, gigabit speed, 24/7 with no problems.
|
| People should have more faith in dongles. Not all are bad.
| formerly_proven wrote:
| RTL8156B does line-rate 2.5 Gbit/s no problem, most USB-C docks
| with network have a RTL8153B in them and that does line rate as
| well. Even mildly dodgy first-generation stuff like AX88179
| generally works.
|
| I.M.H.O. these USB dongles are actually preferable to the much
| more expensive Thunderbolt dongles praised below, because a)
| they work on regular USB ports as well b) they do not require
| Thunderbolt c) they use less power and d) they don't force a
| highly ventilated cooling mode on certain host systems. And,
| fwiw, at least some Thunderbolt docks actually used USB NICs
| connected to the internal USB controller, which was hooked up
| over PCIe.
| radicality wrote:
| I don't remember the exact issues, but I remember seeing
| years ago my old Intel MacBook had noticeably higher cpu
| usage when connected to and using a Pluggable dock which had
| a Realtek Ethernet chipset. Switching to WiFi reduced cpu
| usage. AFAIK it had something to do with bad and/or lack of
| hardware processing in the Realtek chipset so it had to do it
| on the CPU.
|
| Now I never trust anything with Realtek in it, and if buying
| anything with an Ethernet port, I try to make sure it's not
| Realtek. Is this still a valid concern, or is Realtek better
| now?
| robocat wrote:
| USB-to-Ethernet adapters are life savers when you need to:
|
| (A) replace your WiFi adapter - download drivers from internet
|
| (B) configure a router or other equipment (hard to configure
| WiFi without WiFi).
|
| (C) stand up your Linux install on your laptop (easiest way to
| futz around until you get WiFi adapter working - but check
| chipset on adapter is compatible which the cheapest usually
| are)
|
| You don't usually care about the performance. Just keep a cheap
| one in your box of shit - I need mine often enough. If you need
| high performance, then buy a high performance adapter.
| Reason077 wrote:
| Not saying they're not useful for specific purposes. But
| anyone buying them hoping to improve performance compared to
| their WiFi, often comes away very disappointed.
|
| In my case A) and B) are irrelevant because I only really own
| or deal with laptops nowadays, and they invariably have built-
| in WiFi, but usually not built-in Ethernet!
| FuriouslyAdrift wrote:
| Are there "evil" USB ethernet dongles? Of course there
| are...(just not this one)
|
| https://hak5.org/products/lan-turtle
| gruez wrote:
| The article admits this explicitly:
|
| >Malicious hardware has plenty of precedent: it's been used by
| intelligence agencies and private pentesters alike. Heck, a bit
| over a decade ago, I built an evil plasma globe for work.
| Still, we weren't here to debate whether a malicious RJ45-to-
| USB adapter could be made. The important question was whether
| in this particular instance -- as the poster put it -- "the
| Chinese were at it again".
| speed_spread wrote:
| Not to mention the evil ethernet patch cable:
|
| https://imgur.com/Gpgj7w7
| bisrig wrote:
| I'm not sure what the current state of the art is, but for the
| longest time it was pretty common for USB peripheral ICs to have
| small flash devices attached to them in order to be able to store
| VID/PID and other USB config information, so that the device is
| enumerated correctly when it's plugged in and can be associated
| with the correct driver etc. And depending on when the device was
| designed, 512kB might have been the smallest size that was
| readily available via supply chain. It would not have been
| strange to use a device like that to store 10s of bytes!
|
| The ISO thing is a little bit weird, but to be honest it's a
| creative way to try to evade corporate IT security policies
| restricting mass storage USB devices. I think optical drives use
| a different device class that probably evades most restrictions,
| so if you enumerate as a complex device that's a combo optical
| drive/network adapter, you might be able to install your own
| driver even on computers where "USB drives" have been locked out!
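The comments above (walrus01 on checking what a dongle enumerates as, bisrig on a combo optical drive/network adapter slipping past mass-storage restrictions) describe a check a defender can script. The following is an added example, not code from lcamtuf's article or from any commenter: it walks a Linux sysfs tree (assumed layout: device directories under /sys/bus/usb/devices containing idVendor/idProduct/product, and per-interface subdirectories named like 1-2:1.0 containing bInterfaceClass/bInterfaceSubClass) and reports any USB device that exposes a mass-storage interface (class 08) alongside some other function class, distinguishing CD/DVD-style (subclass 02, ATAPI) emulation from plain disks. To run offline it builds a small constructed sysfs-like tree in a temporary directory; the vendor/product IDs and product strings in it are made up, not taken from any real device.

```python
"""Find composite USB devices that expose mass storage next to another function.

Added example (not from the article). Assumes the Linux sysfs layout
described in the lead-in; the sample tree built below is constructed.
"""
import re
import tempfile
from pathlib import Path

USB_CLASS_NAMES = {
    "02": "communications (CDC Ethernet, modems)",
    "03": "HID (keyboard/mouse)",
    "08": "mass storage",
    "e0": "wireless controller",
    "ff": "vendor-specific",
}
# Mass-storage subclass 02 is SFF-8020i/ATAPI, i.e. a CD/DVD-style device.
CDROM_SUBCLASSES = {"02"}
IFACE_DIR = re.compile(r"^\d+-[\d.]+:\d+\.\d+$")  # e.g. 1-2:1.0


def _read(path: Path, default: str = "") -> str:
    try:
        return path.read_text().strip().lower()
    except OSError:
        return default


def enumerate_usb(root: str = "/sys/bus/usb/devices") -> dict:
    """Map device dir name -> id, product string and [(class, subclass), ...]."""
    devices = {}
    rootp = Path(root)
    if not rootp.is_dir():
        return devices
    for entry in sorted(rootp.iterdir()):
        if not (entry / "idVendor").exists():
            continue  # not a device node (root hub ports, interface symlinks)
        ifaces = []
        for sub in sorted(entry.iterdir()):
            if sub.is_dir() and IFACE_DIR.match(sub.name):
                cls = _read(sub / "bInterfaceClass")
                if cls:
                    ifaces.append((cls, _read(sub / "bInterfaceSubClass")))
        devices[entry.name] = {
            "id": f"{_read(entry / 'idVendor')}:{_read(entry / 'idProduct')}",
            "product": _read(entry / "product", "<unknown>"),
            "interfaces": ifaces,
        }
    return devices


def classify(devices: dict) -> list:
    """Return (dev, id, product, storage_kind, other_classes) for devices that
    combine mass storage with at least one other interface class."""
    findings = []
    for name, dev in devices.items():
        storage = [s for c, s in dev["interfaces"] if c == "08"]
        others = sorted({c for c, _ in dev["interfaces"] if c != "08"})
        if storage and others:
            kind = "emulated CD-ROM" if any(s in CDROM_SUBCLASSES for s in storage) else "disk"
            names = [USB_CLASS_NAMES.get(c, f"class {c}") for c in others]
            findings.append((name, dev["id"], dev["product"], kind, names))
    return findings


def build_constructed_sysfs(base: str) -> None:
    """Write a constructed sysfs-like tree; IDs and strings are invented."""
    def dev(name, vid, pid, product, ifaces):
        d = Path(base) / name
        d.mkdir(parents=True)
        (d / "idVendor").write_text(vid + "\n")
        (d / "idProduct").write_text(pid + "\n")
        (d / "product").write_text(product + "\n")
        for i, (cls, sub) in enumerate(ifaces):
            idir = d / f"{name}:1.{i}"
            idir.mkdir()
            (idir / "bInterfaceClass").write_text(cls + "\n")
            (idir / "bInterfaceSubClass").write_text(sub + "\n")

    dev("1-1", "0000", "0001", "constructed plain NIC", [("ff", "ff")])
    dev("1-2", "0000", "0002", "constructed NIC + driver CD", [("ff", "ff"), ("08", "02")])
    dev("1-3", "0000", "0003", "constructed USB stick", [("08", "06")])
    dev("1-4", "0000", "0004", "constructed keyboard + disk", [("03", "01"), ("08", "06")])


def demo() -> list:
    """Run the audit against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sysfs(tmp)
        return classify(enumerate_usb(tmp))


if __name__ == "__main__":
    results = classify(enumerate_usb()) if Path("/sys/bus/usb/devices").is_dir() else demo()
    for name, usb_id, product, kind, others in results:
        print(f"{name} {usb_id} '{product}': mass storage ({kind}) alongside {', '.join(others)}")
```

On a real host the script reads sysfs directly and needs no root; a plain NIC or a plain USB stick produces no finding, while an adapter that also presents a driver CD shows up as "mass storage (emulated CD-ROM) alongside vendor-specific". Whether that is acceptable is a policy question for the site, but it is the concrete fact a mass-storage device-control rule keyed on class 08 alone may or may not be evaluating.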
| extraduder_ire wrote:
| For a time, windows would more readily run an autorun from a
| disc than from a usb stick. Even if that disc was in an
| emulated usb disk drive.
| myself248 wrote:
| And the "u3" flash drives that did this were a hot commodity
| for a little while!
|
| Then came the iODD and the IsoStick...
| stavros wrote:
| That's because there was malware that spread via autorun,
| which is rather harder to do with read-only media, even if
| it's emulated.
| bentcorner wrote:
| I actually really appreciate USB devices that masquerade as a
| storage device to provide their own drivers. I suppose in this
| day and age the "right" thing to do is to upload a bunch of stuff
| to microsoft servers so that it downloads whatever is needed upon
| getting plugged in, but I've observed enough stuff needing
| manually installed drivers to know that this isn't as apparently
| easy as it may appear to be. (For example, I very often need to
| download vendor-specific ADB drivers)
|
| Anyways, I think it's clever for peripherals to help you
| bootstrap, and having the drivers baked into the device makes
| things a little easier instead of trying to find a canonical
| download source.
| necovek wrote:
| I appreciate them working out-of-the-box on Linux even more.
| And they mostly do, with Linux being the best PnP (Plug'n'Play
| -- remember that with Windows 95? :) OS today.
|
| But multiple modes of operation really made it harder to
| configure devices like those 4G/LTE USB dongles: they will
| either present as USB storage, or one type of serial device or
| a CDC-ACM modem device (or something of the sort), requiring a
| combination of the tools + vendor-specific AT commands to
| switch it into the right mode. Ugh, just get me back those
| simple devices that do the right thing OOB.
| dylan604 wrote:
| > (Plug'n'Play -- remember that
|
| I remember it as Plug-n-Pray
| qwezxcrty wrote:
| In this specific case it makes a bit more sense, as when you
| need to install a RJ45 dongle is likely when you don't have a
| network connection.
| Suppafly wrote:
| >I actually really appreciate USB devices that masquerade as a
| storage device to provide their own drivers.
|
| I appreciate the ones that don't need their own drivers in the
| first place. Sure, some things need special drivers, but things
| like USB sticks and mice should just work using the default
| ones and let you get the updates from the internet if you want
| them.
| niklasbuschmann wrote:
| @lcamtuf: It's Igor Pavlov, not Ivan Pavlov
| MartijnBraam wrote:
| I came across the tweet about this "Evil" dongle and instantly
| recognized it as the exact same thing I worked on before... It's
| not evil, it's just annoying.
|
| https://blog.brixit.nl/making-a-usb-ethernet-adapter-work-sr...
|
| In my case I disabled the SPI flash module to have it not appear
| as a CD drive, the author of this post actually found some
| documentation about the SPI being optional. Funnily enough this
| post now also gives you all the tooling to make an actual evil
| RJ45 dongle by reflashing one :D
| stavros wrote:
| Hm, why does shorting CS and S0 make it not work?
| dlcarrier wrote:
| A harmful connection to the Ethernet port would be extremely
| difficult. A harmful connection to a USB port is extremely easy.
| Call it what it is: an "Evil" USB dongle that happens to also
| have an Ethernet socket.
___________________________________________________________________
(page generated 2025-01-17 23:00 UTC)