Dangerous new trend in USB key marketing from companies

[Brumby]

A f*&*k!ng keystroke injector simply to launch a browser to their website!     

Dodgy as hell.  (And you have no idea how polite that statement is in relation to the feelings I'm having right now)

If I had come across it, I'd have stormed up to the local corporate office breathing fire!

Message to ALL marketing and corporate types thinking of doing this:
DON'T !!!!

[edy]

While I see how they might have thought it would be cool 10 years ago (even then it should have been better thought out), to see this garbage continuing today in marketing materials deployed by a major corporation deserves them a kick in their shiny Colgate-brushed teeth and a giant facepalm. 

Here is the WHOIS info on srt.red that is the URL forwarding to colgateprofessional.com:

WHOIS Srt.red

Domain Name: SRT.RED
Registry Domain ID: D503300000185503755-LRMS
Registrar WHOIS Server:
Registrar URL: https://www.gandi.net/whois
Updated Date: 2018-10-03T00:21:28Z
Creation Date: 2018-10-03T00:10:39Z
Registry Expiry Date: 2019-10-03T00:10:39Z
Registrar Registration Expiration Date:
Registrar: Gandi SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Organization:
Registrant State/Province: NY
Registrant Country: US
Name Server: NS-297.AWSDNS-37.COM
Name Server: NS-1689.AWSDNS-19.CO.UK
Name Server: NS-1089.AWSDNS-08.ORG
Name Server: NS-858.AWSDNS-43.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form is https://www.icann.org/wicf/

The Registrar of Record identified in this output may have an RDDS service that can be queried for additional information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.


So what I gather is someone in Colgate marketing or the people who printed and made these cards are providing some forwarding service through srt.red which recognizes certain keywords and forwards to the appropriate site. For example, I was able to see CAEnglish on my key. However, USEnglish also works. CAFrench also gets forwarded to a Colgate site but says page not found. USSpanish gives error (some bit.ly page). Why not have just put website directly on webkey? Why create what seems to be a 3rd party forwarding intermediary (except to track and log stats or change the site in case something goes terribly wrong)? How is Gandi and Bitly involved in all of this? Why is registrant organization blank?

[tsman]

Why not have just put website directly on webkey?

So you can still change where the webkey sends people to even after giving them out.

How is Gandi and Bitly involved in all of this?

Domain was registered using Gandi. Bitly is who actually runs their URL shortening service on it. No idea who actually owns srt.red. It isn't Gandi or Bitly. Might be Colgate or a marketing company they're using.

Why is registrant organization blank?

Because Gandi's domain privacy service leaves that field empty. My personal domain is registered via Gandi and it doesn't show anything in that field either. GDPR has meant most registrars now give you the domain privacy service for free now.

[edy]

Ok, back to work! I tried a few things with the Webkey on my Linux machine and here's the output from lsusb after inserted, and then removed:

Code: [Select]

edy@edy-ASUS:~$ lsusb
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 13d3:5165 IMC Networks
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 038: ID 05ac:6662 Apple, Inc.
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

... and after device removed...

Code: [Select]

edy@edy-ASUS:~$ lsusb
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 13d3:5165 IMC Networks
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Notice the difference is: Bus 003 Device 038: ID 05ac:6662 Apple, Inc.

Ok, so I also dumped the output of dmesg to a file and found this (some non-standard characters, not sure if it will show up in the forum properly):

Code: [Select]

[14749.993937] usb 3-2: new full-speed USB device number 24 using xhci_hcd
[14750.121599] usb 3-2: New USB device found, idVendor=05ac, idProduct=6662
[14750.121603] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[14750.121605] usb 3-2: Product: WEBKEY
[14750.121607] usb 3-2: Manufacturer: ŵࠅę̩ʑ֕
[14750.125795] input: ŵࠅę̩ʑ֕ WEBKEY as /devices/pci0000:00/0000:00:14.0/usb3/3-2/3-2:1.0/0003:05AC:6662.0017/input/input52
[14750.177815] hid-generic 0003:05AC:6662.0017: input,hidraw0: USB HID v1.10 Keyboard [ŵࠅę̩ʑ֕ WEBKEY] on usb-0000:00:14.0-2/input0
[14750.921158] usb 3-2: USB disconnect, device number 24
I've attached the dmesg output since the plugging in of the Webkey (see attachment "webkey.txt"), showing how it is inactivating, then activating repeatedly (I am not taking it in and out), thereby causing new instances of the Google Browser to continuously pop up yet IMPROPERLY passing the URL, so it is just opening blank windows that go nowhere! There are some what I assume to be Universal Firewall Block messages in there [UFW Block] showing also some activity going on... Not sure if it is due to the Webkey trying to do something.

So if you look at that manufacturer, I assume that is Chinese characters improperly being displayed??? Can anyone figure out who this company is based on the vendor or product ID? Why is it showing up as an "APPLE" device when I use lsusb?

Finally, one more interesting bit of random sh!t that happened while I was playing around with the Webkey. I had my terminal window open and tried to type something while I inserted the webkey and all of a sudden I got this long string of numbers appearing in my terminal prompt:

Code: [Select]

104116116112115058047047115114116046114101100047067065069110103108105115104
This seems weird but now I understand what may have been going on.... It seems that under Windows, when you press "ALT" key and type numbers on the num-pad, you can type in the ASCII-CODE equivalent of the characters. Probably the Webkey is finding a way to launch a browser (not sure how yet) and then holds down the "Alt" key while it sends that string of digits, which translates to:

104 = h
116 = t
116 = t
112 = p
115 = s
058 = :
047 = /
047 = /
115 = s
114 = r
116 = t
046 = .
114 = r
101 = e
100 = d
047 = /
067 = C
065 = A
069 = E
110 = n
103 = g
108 = l
105 = i
115 = s
104 = h

Yes! It's....  https://srt.red/CAEnglish

But it seems to be doing this by sending a string of numbers? And since Linux doesn't recognize the "Alt-" number combination like Windows does, we see just the string of numbers and not their ASCII-code equivalents (which would presumably appear if the "Alt" key was being pressed at the same time). Not sure what would happen on a Mac, but I am assuming the MCU in the Webkey would probably do some rudimentary check of the system and figure out what it was plugged into.

Anyone else have any ideas? So they are FAKING an Apple Keyboard device too?

[Wan Huang Luo]

Not sure what would happen on a Mac, but I am assuming the MCU in the Webkey would probably do some rudimentary check of the system and figure out what it was plugged into.

Anyone else have any ideas? So they are FAKING an Apple Keyboard device too?

It looks like they have their bases covered on most all other platforms. I think its perfectly logical to conclude that they are faking an Apple keyboard device.
Apple (I'm assuming) takes these things seriously and doesn't have a sense of humor.
Wonder if reporting this to Apple Security would result in a cease & desist letter to Colgate?

[tooki]

It is extremely unusual to have more than one keyboard attached to a computer, so IMHO the USB drivers should realise that you already have a keyboard and prompt whether to enable them when subsequent ones appear.

Except that it’s not that rare. Most laptops now use internal USB keyboards, so plugging in an external one means... two keyboards. USB barcode scanners also appear as USB keyboards. So do some other random input devices.

[tooki]

Not sure what would happen on a Mac, but I am assuming the MCU in the Webkey would probably do some rudimentary check of the system and figure out what it was plugged into.

Anyone else have any ideas? So they are FAKING an Apple Keyboard device too?

It looks like they have their bases covered on most all other platforms. I think its perfectly logical to conclude that they are faking an Apple keyboard device.
Apple (I'm assuming) takes these things seriously and doesn't have a sense of humor.
Wonder if reporting this to Apple Security would result in a cease & desist letter to Colgate?

I doubt they can do an OS check. As for it being the Apple vendor ID, it literally just means they used one of Apple’s vendor ID hex codes.

[free_electron]

Simple HDI keyboard emulator.
going through an intermediate portal allows Colgate to change their website at will. if they relocate the page they update the intermediate portal and things keep working.

nothing malicious. actually very clever.

[Wan Huang Luo]

Not sure what would happen on a Mac, but I am assuming the MCU in the Webkey would probably do some rudimentary check of the system and figure out what it was plugged into.

Anyone else have any ideas? So they are FAKING an Apple Keyboard device too?

It looks like they have their bases covered on most all other platforms. I think its perfectly logical to conclude that they are faking an Apple keyboard device.
Apple (I'm assuming) takes these things seriously and doesn't have a sense of humor.
Wonder if reporting this to Apple Security would result in a cease & desist letter to Colgate?

I doubt they can do an OS check. As for it being the Apple vendor ID, it literally just means they used one of Apple’s vendor ID hex codes.

You're right.

Apparently there was an American Express credit card-shaped device that did the exact same thing.
Using the keyboard HID to inject text apparently has been used by marketers for some time.
So my previous post is moot; Apple already tolerates this behavior.

Further reading:
https://superuser.com/questions/131897/can-i-reprogram-an-american-express-usb-drive

Interesting note from one of the posts is that it is possible to reprogram the device to do anything you want. That's where it becomes scary.

[edy]

nothing malicious. actually very clever.

Yes probably true (as to the nothing malicious part)... But clever? To distribute a Webkey with a fake Apple vendor ID simply to launch a website (bit.ly shortened URL) is bad practice, not to mention it doesn't work on all systems and can cause strange behaviour (like on my Linux system). It also has a much greater potential to backfire on them (due to the security concerns) than whatever possible benefit they could gain. It is not clever at all.

Not that a Colgate-Branded USB storage key would be any better security-wise (it could be just as easily abused) but at least it would give people something they could use to transfer files around. Put 16gb or 32gb on there, make it look like a toothbrush or toothpaste (or whatever they want) and give that out.

It would at least be something I would keep around, remind me of the brand. No... instead all I have is this stupid "card" with a flip-out USB-chip part that registers as a keyboard and types 25 characters into my computer when I plug it in, without my knowledge, potentially f*&cking up my system. Thanks Colgate!

[edy]

Hi, I've taken it apart and photographed the board. There is an unpopulated spot for an 8-pin chip U1 and everything else seems to be potted/glob topped. They didn't even include R1 or C2-C4.... Wow this thing was built down to a price! Mine is similar to a guy who posted on this blog link that his Hyundai-branded one also was missing the EEPROM on top: https://hackaday.com/2012/10/02/disassembling-and-reprogramming-webkeys/

[Kleinstein]

......
Very very annoying and stupid practice of making these keystrokers! Must be ultra-cheap but to save a few seconds of a user typing a shortcut URL? REALLY? And did they send French people the http://srt.red/CAFrench key! Or what about http://srt.red/USEnglish ?

Must be really cheap stuff, as it has to compete with an QR code printed on paper. I would prefer the paper version.

Is it possible to reprogram such an device ? If yes, the original one may be not as bad as a manipulated one.

[Whales]

It is extremely unusual to have more than one keyboard attached to a computer, so IMHO the USB drivers should realise that you already have a keyboard and prompt whether to enable them when subsequent ones appear.

Yes and no.  It gets more complicated, USB does not have this scenario/problem in mind holistically.

On boot: which device should be chosen as the correct one?  You can't wait until the OS boots up and remembers (from past history), before then the keyboard will have BIOS and bootloader access.

On hub reset: make sure you enforce the same rules.  In bad situations this might look like all the keyboards were "unplugged" and then "replugged" in, rather than a proper hub reset/failure.  Could be exploited by electronics that accidentally resets the hub occasionally.

going through an intermediate portal allows Colgate to change their website at will. if they relocate the page they update the intermediate portal and things keep working.

nothing malicious. actually very clever.

The could do this on their own site, rather than relying on a 3rd party.  This would avoid scenarios such as the 3rd party going down or malicious; which would mean branded materials (eg Colgate USB key) start taking you to the wrong places.

Most companies probably don't consider, know or understand the risks in this particular scenarios.  It's just one small feature of an advertising agreement/contract/whatever with an external party.

[fsr]

It probably uses ALT-ASCII typing to avoid problems with different keyboard regional settings, as the keyboard can only send the key scancode, and not the character directly. I suppose Alt and the numeric keys are always the same scancode, no matter the keyboard layout and regional settings.

[ataradov]

And it also makes it Windows-only. At least on Linux Alt-Numpad thing does not work.

[amyk]

Yes and no.  It gets more complicated, USB does not have this scenario/problem in mind holistically.

On boot: which device should be chosen as the correct one?  You can't wait until the OS boots up and remembers (from past history), before then the keyboard will have BIOS and bootloader access.

If the BIOS is already big enough to contain a USB stack (or enough of one to recognise and work with keyboards in any case) it could similarly remember the ID of the correct one in NVRAM.

On hub reset: make sure you enforce the same rules.  In bad situations this might look like all the keyboards were "unplugged" and then "replugged" in, rather than a proper hub reset/failure.  Could be exploited by electronics that accidentally resets the hub occasionally.

Not really a difficult problem to solve. Re-enumeration simply picks the last known good device and any additional ones cause prompting.

Except that it’s not that rare. Most laptops now use internal USB keyboards, so plugging in an external one means... two keyboards. USB barcode scanners also appear as USB keyboards. So do some other random input devices.

Once again it's a matter of giving "consent" to unknown input devices --- the ones you've allowed will automatically be enabled, others won't. Before USB you had to explicitly "allow" by installing the driver for the device (unless it was a standard one like a PS/2 keyboard/mouse.) With USB, devices can be automatically detected and allowed, and what I'm saying is that this automatic/implicit always-allow behaviour is what should be changed.

[tooki]

And it also makes it Windows-only. At least on Linux Alt-Numpad thing does not work.

As far as I know, the Alt+numpad thing is Windows-only. It doesn’t work on Mac, either. (Oh, the irony, when using an Apple vendor ID!) Compared to Windows, the Mac has always had much, much smarter/obvious key combinations for special characters — it helps to have an extra modifier key! (I have no idea how Linux does it.)

[bd139]

Hahahaha this is hilarious and a really nasty marketing idea to think that it is acceptable.

Google “USB rubber ducky”. I own a couple for penetration testing purposes. They are extremely effective. You can own a whole network in under a second with one and physical access.

Edit: save Googling: https://shop.hak5.org/products/usb-rubber-ducky-deluxe

Random USB stick is like using an anonymous glory hole. Don’t ever even go there.

[BradC]

Random USB stick is like using an anonymous glory hole.

Not having heard that term before, I googled it. Sights I can't un-see.

[tszaboo]

Yes, USB device can be really damaging, if it is used in conjunction with other technologies. Imagine a composite device, with keyboard and a flash drive. Keyboard types
Start + R
cmd
cd /
dir /s > d:/filelist.txt (and tries it with all other drives)
Basically they just copied the list of all files to the drive, with a microcontroller or even a small CPU on it, and it doesn't even need network access. The "flash drive" could even have other built in radio interfaces, Ethernet over USB, or an SoC smart enough to try multiple ways of attack. Or connect to the neighbour's unsecured wifi, and send the data that way.

[RoGeorge]

That is why one MUST never plug unknown USB devices, even if the USB port is disabled (there are even idiots that thought making an USB stick to discharge a few kV on the data lines in order to destroy the host device might be a fun prank).

I never understood why the OS blindly trust the USB devices.  The OS asks me for admin rights to install updates from the official repositories, yet it blindly trust an unknown USB device. 
Why the OS does not ask for the admin password at the first detection of a new device, before enumerating and/or installing the new USB device? 

[dmills]

Firewire was more fun because the external device could get the firewire controller to do arbitrary DMA on its behalf! Enumerating as something where the OS had a built in driver (Hard drive or video camera were good contenders) and then issuing DMA transfers to grab the contents of userspace ram was a good game for a while.

I suppose something similar might be possible with thunderbolt (Anyone know for sure), and of course exposed PCI-E is fair game this way.

IOAPICs reduce the fun of course, but device drivers for external busses are not always as paranoid as they should be, and you can enumerate as anything so it only takes finding one broken one....

As ever, with physical access it is game over.

Regards, Dan.

[tooki]

That is why one MUST never plug unknown USB devices, even if the USB port is disabled (there are even idiots that thought making an USB stick to discharge a few kV on the data lines in order to destroy the host device might be a fun prank).

I never understood why the OS blindly trust the USB devices.  The OS asks me for admin rights to install updates from the official repositories, yet it blindly trust an unknown USB device. 
Why the OS does not ask for the admin password at the first detection of a new device, before enumerating and/or installing the new USB device?

So... how would you authorize a new keyboard when your old one fails?

Another issue is that some OSes, like Windows, appear to configure the drivers, etc for a given USB device not per-device, but per-port, in that if you unplug a configured USB device from one port and then plug it into another port on the same machine (even another port on a hub!) it must re-configure the drivers again. So on Windows at least, this would likely mean needing to authorize a device again just because you plugged it into a different port.

Moreover, how do you positively identify a device? Does each get a serial number? You could spoof that just as easily as the vendor ID and device ID (as these things already do, pretending to be an Apple Pro Keyboard). Ok, so use encryption keys and digital signatures... well, and then we’d have handshaking failures like we sometimes see on HDMI.

Ultimately, as dmills said, once you have access to the hardware, all bets are off. There will always be a need for “dumb” low-ish level hardware access.

[Kleinstein]

....
So... how would you authorize a new keyboard when your old one fails?

That one is relatively easy: just ask for the password before anything else can be done with the KB. Even it this is a simple password that is noted on a sticker on the PC, this would help a lot.

So I see no real hurdle for the OS to not blindly trust hardware added to the USB port. With drivers linked to ports one could also limit the keyboard to a specific USB port.

[Mr. Scram]

Simple HDI keyboard emulator.
going through an intermediate portal allows Colgate to change their website at will. if they relocate the page they update the intermediate portal and things keep working.

nothing malicious. actually very clever.

A tool to direct a computer system to any undisclosed website at will and without warning? That sounds totally harmless!