
Let's say I buy a USB-C dock made by Sabrent or Anker.

Are there good reasons to believe they're safe, that the brands are trustworthy?

Are there good reasons to believe that the brand name that's printed on the case means it's actually made by that company?

How could anyone determine if it contains a keylogger, or an HDMI screen grabber, or a network sniffer, or a reverse shell, or a rootkit installer?



I don't think you can determine much without looking into the actual device somehow, and also being knowledgeable enough to make sense of what you see.

Even with trusted brands, a malicious actor can attack the vendor. For example, one could order devices, tamper with them, and then send them back via returns. The vendor likely tests it a bit, and then repackages it and sells it as refurbished, or maybe even as a new one.

The fun thing is that the same is true with software. Looking at source code is hard enough, even for experienced programmers, and then how do you verify a piece of software that you don't even have the source code to? And if you have the code, how do you verify that the software is made out of that code?

People basically just operate on trust; you can't verify much of the stuff. Just try to stick to entities with reputation, and hope for the best.


well, on this basis, you can't trust your actual pc, laptop or phone either, never mind a hub.

if you don't want to spend your entire life living in a faraday cage, there must be some level of trust.


Richard Stallman was right.


you have to trust him, as the author of emacs and gcc, if you use them. admittedly, they are foss software, but have you (or anyone) ever trawled thru either for loopholes? i know i haven't.


rms seemed every bit the fanatic and extremist, but I knew, even entering college in 1989, that software (and hardware) freedom was endangered, and needed us to take extraordinary steps to preserve and expand it.


I deeply appreciate his work as the founder of the free software movement. Digital goods can be replicated for no cost, and this, combined with the spirit of free software really made for something special.


Yes, I do think that way, but of course it doesn't mean that I don't participate. I just consider it when it comes to choosing these things into my life.

I don't even think that most people need to think about this. It's enough that a few security minded people do, and that they end up pushing for good regulation. Similarly to food safety, we then end up in a system where you can go to most places and expect to not get food poisoning.


Getting that level of trust is the hardest part. If you don't mind losing performance, HEADS + Qubes OS try to get that on older thinkpads.


Go pick a random one from the store?


Did everyone forget the Snowden leaks?

The US government rerouted Cisco routers to a factory that tampered with them before sending them to their final destinations. There's no reason to believe this stopped or isn't still being done in similar ways. It doesn't have to be a USB-C dock, it could be anything.


We don’t talk about the Snowden leaks enough. It’s truly shocking what was in there and we’ve all uttered a collective “meh”. I don’t know what SHOULD be done, or could be done, but it’s odd how rarely that data is incorporated into popular perception of the government and how much rarer still it is that we discuss it and contemplate what has been taking place in the intervening years.


Between Snowden and the Vault 7 leaks, the latter ones seemed to me the most egregious. We don’t reflect on either enough.


These are targeted attacks by a nation state. That's not my threat model. I'm just trying to be reasonably secure against ordering a name brand device and having it exfil secrets.


Imho, there's a big difference between supply chain attacks on core Cisco routers vs USB hubs.

These attacks are not easy or cheap, and by their very nature need to be deployed in small % of total installs (as every use increases the likelihood of discovery).

Criminal organizations interested in ransoming details might be interested in casting a wide net, but intelligence services less so.


> Are there good reasons to believe they're safe, that the brands are trustworthy?

There are good reasons to believe Anker is not trustworthy [0].

[0]: https://arstechnica.com/gadgets/2022/11/eufys-no-clouds-came...


I can't quite wrap my head around this. Apparently they advertised a consumer device with remote access over the WWW as "No Clouds"? And the advertisement actually worked, as in, many "privacy-minded security camera buyers" believed that obvious bullshit?


"No clouds" is supposed to imply "this device isn't dependent upon a cloud-hosted service of some kind". i.e. data is either stored locally or sent to another device configured by the owner, and any remote access is direct over the internet instead of being mediated by a service like a lot of IoT devices use. It's not supposed to imply "no internet".

It's a solid niche IMO. I don't like buying devices that will effectively stop working if the manufacturer goes out of business or shuts down the services they're dependent upon. OTOH, there's generally a lot more effort required by the end user to get it working, so I completely understand why most manufacturers go with a service-mediated design.


Yep. I have a few of them, that I bought specifically because I fell for it. In fairness, they can be configured that way (as an RTSP streaming host that you can directly connect a client to to watch), but the rest of the cloud bullshit stays on unless you firewall it off manually.


It's hard to have any realistic basis for trust, absent maybe independent review. Even then companies have been known to significantly adjust components for the same SKU after the review cycle ends.

For Anker in particular, sadly there may be a reason _not_ to trust them. See the recent Anker-owned Eufy cloud camera scandal.


>Are there good reasons to believe they're safe, that the brands are trustworthy?

No. Sentimental values aren't an objective measure.

>Are there good reasons to believe that the brand name that's printed on the case means it's actually made by that company?

No. Most companies don't manufacture their products, in fact.

>How could anyone determine if it contains a keylogger, or an HDMI screen grabber, or a network sniffer, or a reverse shell, or a rootkit installer?

By having a sacrificial computer that tests every single piece of hardware and software before they are allowed access into your inner sanctum.


Supply chain management is a whole area of study. iPhones and ChromeOS are the only two devices I trust in the retail supply chain to be too difficult to be casually pwned but still boot. But even then, the evil maid attack doesn't have to fully subvert the booted OS to be useful. A device inside an up to date ChromeOS laptop could just record the keyboard keystrokes to an SD card to be retrieved later, which would get the evil maid your passwords. That's why you've got MFA but it's scary to think about!


These are normally used for targeted attacks. Unless someone is specifically after you, such a device is usually safe. Sometimes the USB ID can be used to figure out the vendor, but that could also be fake. You could determine something is odd by looking at what device comes up when it is connected. Does it come with drivers? A new network interface, etc. Or by comparing the inside/firmware of a known good one with the model you have.


lsusb will tell you what it is pretending to be on a real os. Everyone else is hosed & hopeless.

Even still, it could be intercepting & mitm'ing your devices. There are some potential advanced games here. But without also having a network device to exfiltrate out on, it seems pointless. As soon as you have USB networking the risk skyrockets though.


That assumes it is constantly advertising itself. If it, say, reconfigured itself every hour for a couple of seconds, the odds of seeing it on any given lsusb are quite low.


Good call. That would be pretty suspicious unto itself, but would require different style monitoring... Watching udev I guess.
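One way to do that udev watching, as an added example that is not from this thread: a Python audit over the output of `udevadm monitor --udev --subsystem-match=usb --property`, run here on a constructed event timeline in which a dock's port briefly re-enumerates under a different product id. The `udevadm` options and the `PRODUCT`/`DEVTYPE` properties are real; the devpaths, ids and the `ev`/`audit` names are assumptions.

```python
"""Audit `udevadm monitor --udev --subsystem-match=usb --property` output: flag a
port that re-enumerates repeatedly or changes vid/pid between enumerations."""
import re
from collections import defaultdict

HEADER = re.compile(r"^UDEV\s+\[([\d.]+)\]\s+(\w+)\s+(\S+)\s+\(usb\)")

def parse_events(text):
    """Return [(ts, action, devpath, props)] for DEVTYPE=usb_device events only."""
    events, head, props = [], None, {}
    for line in text.splitlines() + ["UDEV  [0] end / (usb)"]:  # sentinel flushes last block
        m = HEADER.match(line)
        if m:
            if head and props.get("DEVTYPE") == "usb_device":
                events.append((float(head[0]), head[1], head[2], props))
            head, props = m.groups(), {}
        elif head and "=" in line:
            k, v = line.split("=", 1)
            props[k] = v
    return events

def audit(events, max_adds=2, window=86400.0):
    """Map devpath -> findings: > max_adds adds within `window` s, or a changing PRODUCT."""
    adds = defaultdict(list)                     # devpath -> [(ts, "vid/pid/bcdDevice")]
    for ts, action, path, props in events:
        if action == "add":
            adds[path].append((ts, props.get("PRODUCT", "?")))
    findings = {}
    for path, seen in adds.items():
        notes, ids = [], list(dict.fromkeys(p for _, p in seen))
        if len(ids) > 1:                         # same port, different device identity
            notes.append("identity changed: " + " -> ".join(ids))
        burst = max(sum(1 for t, _ in seen if 0 <= t - t0 <= window) for t0, _ in seen)
        if burst > max_adds:                     # a port should not keep re-enumerating
            notes.append(f"{burst} enumerations within {window:.0f}s")
        if notes:
            findings[path] = notes
    return findings

def ev(ts, action, path, product):               # one constructed --property block
    return (f"UDEV  [{ts:.6f}] {action:<8} {path} (usb)\nACTION={action}\n"
            f"DEVPATH={path}\nDEVTYPE=usb_device\nPRODUCT={product}\n\n")

PORT = "/devices/pci0000:00/0000:00:14.0/usb1/1-3"      # constructed devpath
SAMPLE = "".join([ev(100.0, "add", PORT, "1234/5678/100"),    # dock enumerates as a hub
                  ev(3700.0, "remove", PORT, "1234/5678/100"),
                  ev(3702.0, "add", PORT, "1234/9abc/100"),   # reappears as something else
                  ev(3705.0, "remove", PORT, "1234/9abc/100"),
                  ev(3706.0, "add", PORT, "1234/5678/100"),   # and back to the hub
                  ev(200.0, "add", PORT[:-1] + "4", "abcd/ef01/100")])  # flash drive, plugged once
```

`audit(parse_events(SAMPLE))` reports only port 1-3; to check a live machine, save the `udevadm monitor` output to a file for a day and pass its contents to `parse_events`.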


> How could anyone determine if it contains a keylogger, or an HDMI screen grabber, or a network sniffer, or a reverse shell, or a rootkit installer?

I like to think people that know their trade (electronics, etc) can figure this out; the absence of proof of there being things like keyloggers in these docks is enough for me. Same with the distrust of ZTE devices, has there been any conclusive evidence that there actually IS espionage or remote controls in there, or is it fearmongering to protect the US / western market?


You trust that brands wouldn't spend the money adding invisible hardware into consumer devices.


They indeed add invisible hardware. Many smartphones have a radio chip. It's hard to find a household appliance or consumer electronics without some Bluetooth chip. Can I listen to the radio or connect an external speaker to them? hell no...



