Investigating an “evil” RJ45 dongle

Original Article ↗ Hacker News Discussion ↗

What the dongle actually does

  • Discussion agrees the investigated dongle isn’t “evil”; it’s a cheap USB–Ethernet adapter that:
    • Uses a small SPI flash to store configuration and a Windows driver.
    • Presents itself as a virtual CD-ROM to auto-install drivers, a pattern common in older 3G/4G modems and some NICs.
  • The design appears more like messy legacy engineering and cost/parts decisions than a deliberate backdoor.

Security concerns and “evil hardware”

  • Some commenters argue the design “proves” it’s backdoored because:
    • It includes writable storage, can present as USB mass storage, and could emulate HID devices (keyboard/mouse).
    • It could, in theory, be reflashed into something malicious.
  • Others counter:
    • Modern systems don’t auto-execute from new drives by default; booting or executing malware still needs extra conditions.
    • Any USB microcontroller or reprogrammable flash device shares the same theoretical risk.
    • The shipped driver is signed; while that’s not a guarantee, it’s not obviously malicious in this case.
  • There is consensus that truly malicious USB Ethernet devices do exist (e.g., pentest tools, malicious cables), just not this one.

USB Ethernet performance & architecture

  • Strong subthread on USB vs PCIe/Thunderbolt NICs:
    • PCIe-based (Thunderbolt/USB4) adapters can hit line rate with low CPU and latency.
    • Pure USB NICs often have higher CPU usage and more jitter, but modern chipsets (e.g., certain Realtek 1G/2.5G) can still reach rated speeds.
    • Protocol choice matters: CDC-NCM is more efficient than CDC-ECM.
  • Some report poor performance with older/cheap USB dongles; others report solid multi‑Gbps results with good hardware and ports.

Connectors and naming (RJ45 vs 8P8C, etc.)

  • Long tangent on correct terminology:
    • Ethernet “RJ45” jacks are technically unkeyed 8P8C modular connectors; historical RJ45 specs referred to keyed phone connectors.
    • Similar pedantry surfaces for DE9 vs DB9, and distinctions between ribbon cables vs modern FFC/FPC.
  • Several note that “RJ45 dongle” is imprecise; it’s more accurately an Ethernet-over-8P8C adapter.

Xenophobia, media literacy, and claims about China

  • Many criticize the original viral “Chinese spy dongle” framing as:
    • Technically shallow, jumping from anomalies to nation-state backdoor claims.
    • Feeding existing anti‑China sentiment and general xenophobia.
  • Others note:
    • State-level hardware attacks do exist, and absence of evidence isn’t proof of safety.
    • However, defaulting to “something’s fishy” without solid evidence is harmful.
  • Meta‑discussion: good debunking is time‑consuming; sensational claims spread faster, eroding public trust and pushing people toward either total credulity or total cynicism.

Driver delivery via emulated storage

  • Some appreciate devices bundling drivers in onboard “CD-ROM” storage, especially when network is down.
  • Others prefer standards-based NICs that work with built-in OS drivers and see multi‑mode USB gadgets (storage + serial + NIC) as painful to configure, particularly on Linux.
  • One perspective: this mechanism may have been used to bypass enterprise policies that block USB mass storage but not optical drives.

Hardware design quirks and safety

  • Commenters note:
    • The PCB supports either magnetics or simple series capacitors; some versions apparently omit isolation transformers.
    • Lack of magnetics can be dangerous where there are large ground potential differences (e.g., between building ground and incoming cable plant).
  • The SPI flash is optional and can be disabled or reprogrammed; this makes it both a flexible design choice and a potential attack surface.

Other tangents

  • Wired WiFi via coax between antennas is discussed, especially for lab test setups and congested environments.
  • Several reminisce about bad NIC designs (e.g., older Realtek parts) vs more modern, efficient chipsets.
  • Broader observation: many security issues come less from exotic nation-state hardware and more from rushed, poorly designed corporate software and drivers.