It seems harmless enough, plugging in a free USB-powered fan on a hot day.

But when it surfaced on Twitter Tuesday that the item was included in a press pack handed out during the US-North Korea summit, it immediately drew concerns from some cyber experts about the potential for hidden malware.

Those experts included author and journalist Barton Gellman, who advised journalists to "drop it in a public trash can" after spotting Dutch journalist Harald Doornbos's picture of the device on Twitter.

So could they actually contain malware?

The likelihood is very high, the director of University of NSW Canberra Cyber, Nigel Phair, says.

"People trying to infiltrate computer networks often use hidden software on thumb drives where they are given out at a conference or contain promotional material, whatever it might be," he said.

"People studiously go back to their work environment, plug it into their machine and it's the greatest way to bypass a whole lot of security controls."



According to Oliver Knox, chief Washington correspondent for broadcaster SiriusXM, at one summit, "White House aides raced into the filing centre to tell reporters not to use them".

OK, they bypass your security. Then what?

There are a couple of things that can happen from there, but Mr Phair says it all depends on what kind of malware it is.

"It might be to download a key-stroke logger onto your device," he said.

"For example the people that go there, to these types of conferences … they have privileged access to computer systems, they have access to documents that are sensitive, something that would be very valuable to an attacker."

Should we be wary of all 'free' USBs or USB-powered devices?

Pretty much. Mr Phair says if you don't know where it has come from or if you haven't opened it up directly from a packet, then you should be wary of what might be in it.

"This has been a high-risk issue for quite some time," he said.

As Mr Gellman pointed out in a follow-up to his tweet, the warning about USBs has become "standard security advice".

"I have no reason to think the Singapore government is responsible for every handout, and as I said I don't know what's on those devices. This is standard security advice. No knock on anyone," he tweeted.

How do you check if there's malware on the device?

Mr Phair says the best thing to do if you're unsure is to run it through a commercial virus checker or scanner.

"This will check if there are any known-grade vulnerabilities on it, otherwise it could also have malicious software that has not yet been detected by a virus scanner so you're not going to know regardless," he said.