Investigating USB-to-Ethernet Dongles With “Malware” Claims

Recently a video surfaced from someone claiming that certain USB-to-Ethernet dongles contained ‘malware’ among other big claims. Basically these dongles were said to be designed by China (and Russia) to spy on users and so on, but how much of this is actually grounded in reality? When [lcamtuf] dove into the topic, what he found was not so much a smoking gun, but rather a curious relic from the era when drivers-on-CD were being phased out.

The item that the video went bananas about was namely an additional SPI Flash chip on the PCB alongside the USB 2.0 – Ethernet IC, with many conspiracy theories being floated as to what it would be used for. After some digging, [lcamtuf] found that the IC used in these dongles (SR9900) is by a company called CoreChips Shenzhen, with a strong suggestions that it is a clone of the (2013-era) Realtek RTL8152B.

Both chips have an external SPI Flash option, which is used with the USB side to present a ‘virtual CD drive’ to the user when the dongle is plugged in. This was borne out with the SR9900 Windows system mass production tool that [lcamtuf] obtained a copy of. Included with the flashing tool is a 168 kB ISO image (containing the SR9900 driver package) which happily fits on the 512 kB Flash chip.

Although it’s always possible for chips and firmware to contain backdoors and malware, in this particular case it would appear to be that it’s merely a cruel reminder that 2013 is now already vanishing into the real of ‘retro computing’ as us old fogies cling to our driver installation floppies and CDs.