Kind of scary how innocent devices can be possibly malicious

[LoveLaika]

I recently stumbled upon this post about someone trying to make a pineapple disguised as a USB hub. On the one hand, it does seem like a cool little project. On the other hand, I'm mildly concerned how inconspicuous devices can turn out to be dangerous. On my third hand, I'm thinking that this is some real, dedicated James Bond stuff, but then again, I've seen Xiaomi Mini TV boxes that are about the same size so I shouldn't be too surprised. Curious what you all thought of it, and out of fun, what other devices can you think of that might be good for these types of things?

[tl01magic]

oh wow that is;

Am not at all "in the know" with this kind of computer stuff however I recall about 8 years ago ordering a "china direct" PC mouse for work,

I asked IT if it's plausible there could be malicious software installed when I plug it in....he said he'll go monitor the network and let me know when to plug it in. That confirmed to me is not far fetched...

and here years later first hearing of this "pineapple" thing, imo obviously this is comparatively (to what we think we is fine) rampant and makes sense imo.

[Doctorandus_P]

Huh?

Worried about a file hidden in a loaf of bread?

[ataradov]

This is nothing new. Attackers were known to leave USB drives around offices of interest.

The concern here is not that USB drive will autorun some malware, which could be prevented by PC settings and domain rules. The concern is that USB drive is actually a HID device (keyboard), which would launch the browser and download the malware on its own. It is much harder to prevent, since it looks like a normal keyboard and a person typing.

[golden_labels]

So far the nicest attack of the mentioned type I heard about, that happened in the wild and was missing any consent,⁽¹⁾ was hiding complete GPS trackers with batteries in 1:24 toy car models. A fake company has been created and the cars were given out as branded gifts to participants of illegal car races. The attack was discovered after a kid of one of the victims disassembled the toy. The attack was performed by people lacking any skill in electronics, using just the cheapest things bought on the internet.

This should explain to many, why some people are so concerned about running unauditable software or being forced to run any specific software at all on their computers; or having electronic devices being planted in their homes. It’s not about suspecting any particular vendor of malicious intent. But with how cheap and easy it is, and how many of such programs/devices end up in a context that should remain private, it’s not a matter of “if” but “when”. With “when” being very short in 2021.
____
⁽¹⁾ Even a consent a victim would be unaware of, because they don’t read or understand agreements.