Has anyone come across these "WebKey" (warning: obnoxious video popup) devices before? Another employee received one in the mail yesterday and brought it to me.
After some investigation, it appears they emulate a keyboard HID and send a predefined set of keystrokes to the computer when plugged in. These particular ones did:
Start
Run
http://www.spamcompanywebsite.com/index.php?custid=XXXXX
<return>
Where XXXXX is a tracking ID, I'm assuming unique to that individual key, and tied to the recipient of the key in the sender's records.
Besides the obvious privacy issues surrounding this, I have my concerns about the security of them... For example:
Start
Run
%CSIDL_DEFAULT_MYDOCUMENTS%
<return>
CTRL+A
Delete
While investigating the device, I plugged it into a *nix machine. The kernel recognized it as a "WebKey" and created /dev/input/by-id/usb-WebKey_WebKey-event-kbd
I found this code that is supposed to decode the raw input from a keyboard device:
http://pastebin.com/iCgY8zrA
After running it, it only displayed 70:
/tmp $ sudo ./raw /dev/input/by-id/usb-WebKey_WebKey-event-kbd
Reading From : /dev/input/by-id/usb-WebKey_WebKey-event-kbd (WebKey WebKey)
Code[70]
Code[70]
Code[70]
Code[70]
Code[70]
Which doesn't seem right... Anyone got any other ideas how to better monitor/decode exactly what a "WebKey" is attempting to do (without just plugging it in!)?
Last edited by fukawi2 (2011-09-06 00:17:17)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
If that device was not requested by the employee in question or the company itself I'd say that good analysis tools would be a hammer and a flamethrower. I've seen news where researchers have tweaked a usb mouse to turn it into a spying device while still working as a mouse not to raise suspicion. Also judging by the video and your findings so far I agree with your opinion that the device in question is a privacy risk and a possible security risk.
Analyzing what the device will try to do without actually plugging it in might be difficult, the impression I got from the PR video is that the device is almost paper thin so no chance of opening it up and trying to find some flash or eeprom that could be read and decoded. However the device must have been programmed after being manufactured due to the possibility of customization so it probably has some microcontroller with enough memory to implement a rudimentary usb stack and some code to perform whatever it does, if you get really lucky you may be able to find some exposed contacts used to program the device (if it had some kind of sticker applied). The problem is finding out which microcontroller is used and what each contact is for and then get really lucky that the "code protect" feature of most modern microcontrollers was not used.
On the code you point out that should read what that "key" is doing, I'd say you want to look at the input_event structure and see which data it stores and check if the returned value is what you want, mind you that my programming skills and knowledge is very small so that's the best I can think of by looking at the code.
Another option, assuming that device interacts only by emulating a keyboard and sending keypresses is to use 'showkey'. Run showkey dumping the output to a file, plug the device and let it do whatever it wants, the hard part may be translating the keypress codes into actual keys. You could probably also use a virtual machine with windows rigged with a keylogger and probably some program to monitor file and registry activity, nothing better than let it loose in the intended target OS
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
After Googling, the best hints I got about the internals of this type of device were from here: http://hardforum.com/showthread.php?t=1312818. Looks like the programming is contained on an EEPROM.
The above thread is about devices for Windows and Mac OSs, I presume. I haven't found anything related to the Android versions of the devices.
Photos of a dissected webkey on flickr: http://www.flickr.com/photos/cibomahto/ … 844676514/
[code 70] is the ASCII 'F'?
Offline
R00KIE wrote: If that device was not requested by the employee in question or the company itself I'd say that good analysis tools would be a hammer and a flamethrower
I've seen news where researchers have tweaked a usb mouse to turn it into a spying device while still working as a mouse not to raise suspicion. Also judging by the video and your findings so far I agree with your opinion that the device in question is a privacy risk and a possible security risk.
I've found out that unfortunately it was "requested" because they didn't tick the little box at the bottom of the registration form at an expo they went to
I agree there is a big privacy issue in that there is no warning that the key is "unique" to you or offers the marketing company a method to identify you.
R00KIE wrote: Analyzing what the device will try to do without actually plugging it in might be difficult,
Happy to plug it in to my Linux box; it's only designed for Windows and Mac (a good thing for once). Ubuntu appear to have patched to ignore its "keyboard input", and it appears to be pushed back upstream since my desktop also ignored its keystrokes.
R00KIE wrote: Another option, assuming that device interacts only by emulating a keyboard and sending keypresses is to use 'showkey'.
That's the program I was looking for when I found that other code! I'll try that on Monday (left the keys at work)
They were nice enough to send us 2, so I could attempt to dissect one, but I have no idea what I'm looking at!
[code 70] is the ASCII 'F'?
Nice Googling
And yes, ASCII 70 is 'F' which is what makes me think the code isn't working as I expected
Offline
fukawi2 wrote: I've found out that unfortunately it was "requested" because they didn't tick the little box at the bottom of the registration form at an expo they went to
I agree there is a big privacy issue in that there is no warning that the key is "unique" to you or offers the marketing company a method to identify you.
At least they did bring the trojans for further inspection before actually plugging them in, I hope. Oh and this was the news I mentioned about the rigged mouse http://www.theregister.co.uk/2011/06/27 … se_attack/
fukawi2 wrote: Happy to plug it in to my Linux box; it's only designed for Windows and Mac (a good thing for once). Ubuntu appear to have patched to ignore its "keyboard input", and it appears to be pushed back upstream since my desktop also ignored its keystrokes.
You could always use a livecd that doesn't include the patch, not much should be needed just to run showkey, even an older arch install media with its core snapshot should do I believe, fast to install and well ... it's arch XD
fukawi2 wrote: That's the program I was looking for when I found that other code!
I'll try that on Monday (left the keys at work)
They were nice enough to send us 2, so I could attempt to dissect one, but I have no idea what I'm looking at!
I could try to help in identifying any parts that may be possible to identify if you can provide some photos, and I guess that it might spark some interest from other users that might have a bit of electronics knowledge. As a start finding out what it does when plugged in is the easiest course of action, trying to dig more info directly from the hardware can get tricky quite fast and may not be worth the time (and possibly money even if not much) spent doing it.
R00KIE
Offline
Well it appears that the code in my OP was working... showkey displays the same output:
(EDIT: '28 release' is the enter key from starting showkey)
~ # showkey
kb mode was RAW
[ if you are trying this under X, it might not work
since the X server is also reading /dev/console ]
press any key (program terminates 10s after last keypress)...
keycode 28 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 70 press
keycode 70 release
keycode 29 press
^Ccaught signal 2, cleaning up...
That Ubuntu bug is actually fairly recent, and doesn't appear to actually have been incorporated anywhere by the looks of it, so perhaps this key is doing something weird. I'm not sure how it would detect the difference between the host OS though since it's "only" a keyboard.
I'll grab some photos tonight, I don't have a decent camera at work.
Last edited by fukawi2 (2011-09-04 23:06:03)
Offline
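An added example, not code from this thread: the numbers in `Code[70]` and `keycode 70` above are Linux input key codes from linux/input-event-codes.h, not ASCII values, so 70 is KEY_SCROLLLOCK, 28 is KEY_ENTER and 29 is KEY_LEFTCTRL. The sketch below decodes raw `struct input_event` records as read from a /dev/input event node; it assumes the 64-bit little-endian record layout, and the capture it runs on is constructed.

```python
import struct
from collections import Counter

# struct input_event on 64-bit little-endian Linux (assumed layout):
# timeval {s64 sec, s64 usec}, u16 type, u16 code, s32 value = 24 bytes.
EVENT = struct.Struct("<qqHHi")
EV_SYN, EV_KEY, EV_MSC = 0x00, 0x01, 0x04
ACTIONS = {0: "release", 1: "press", 2: "autorepeat"}
# Subset of linux/input-event-codes.h; these are key codes, not ASCII.
KEY_NAMES = {
    19: "KEY_R", 28: "KEY_ENTER", 29: "KEY_LEFTCTRL", 58: "KEY_CAPSLOCK",
    69: "KEY_NUMLOCK", 70: "KEY_SCROLLLOCK", 125: "KEY_LEFTMETA",
}


def decode_events(raw):
    """Yield (timestamp, key name, action) for every EV_KEY record in raw."""
    if len(raw) % EVENT.size:
        raise ValueError("truncated input_event stream")
    for sec, usec, etype, code, value in EVENT.iter_unpack(raw):
        if etype != EV_KEY:
            continue  # skip EV_SYN / EV_MSC bookkeeping records
        yield (sec + usec / 1e6,
               KEY_NAMES.get(code, f"KEY_{code}"),
               ACTIONS.get(value, f"value={value}"))


def press_counts(raw):
    """Count presses per key, the quickest view of what a device typed."""
    return Counter(name for _, name, action in decode_events(raw)
                   if action == "press")


def build_sample():
    """Constructed capture: five press/release pairs of key code 70."""
    out = b""
    for i in range(5):
        for value in (1, 0):
            # MSC_SCAN (code 4) carries the HID usage; 0x70047 is Scroll Lock.
            out += EVENT.pack(1315180000, i * 8000, EV_MSC, 4, 0x70047)
            out += EVENT.pack(1315180000, i * 8000, EV_KEY, 70, value)
            out += EVENT.pack(1315180000, i * 8000, EV_SYN, 0, 0)
    return out


if __name__ == "__main__":
    for ts, name, action in decode_events(build_sample()):
        print(f"{ts:.6f} {name} {action}")
    print(dict(press_counts(build_sample())))
```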
From the dump at hardforum it might be possible that the "magic" only happens after a while, maybe only after 32 bogus key presses (32 key presses and 32 key releases). You may want to use 'showkey -a' as it might make it easier to read/parse the output.
Just a guess but probably the firmware is quite dumb and doesn't incorporate any configurable timer before doing something, it probably just does something like this:
initialize micro controller
negotiate/initialize usb
loop:
    read eeprom address (sequentially, one at a time)
    output/emulate keypress
    wait some time
    goto loop if not finished reading eeprom
play dead/hang/do nothing
It would be a really dumb dumb code if it sent bogus keypresses while waiting to do something, but hey it probably already does a good job spamming and spying on people so no reason to improve it or make it more refined
R00KIE
Offline
R00KIE wrote: You may want to use 'showkey -a' as it might make it easier to read/parse the output.
morpheus ~ # showkey -a > /tmp/webkey.txt
rrrrrr^[[1~^[[4~^?http://www.ezyflyer.com.au/index.html?customer=adma2011 ^M
And the redirected file:
morpheus ~ # cat /tmp/webkey.txt
Press any keys - Ctrl-D will terminate this program
114 0162 0x72
114 0162 0x72
114 0162 0x72
114 0162 0x72
114 0162 0x72
114 0162 0x72
27 0033 0x1b
91 0133 0x5b
49 0061 0x31
126 0176 0x7e
27 0033 0x1b
91 0133 0x5b
52 0064 0x34
126 0176 0x7e
127 0177 0x7f
104 0150 0x68
116 0164 0x74
116 0164 0x74
112 0160 0x70
58 0072 0x3a
47 0057 0x2f
47 0057 0x2f
119 0167 0x77
119 0167 0x77
119 0167 0x77
46 0056 0x2e
101 0145 0x65
122 0172 0x7a
121 0171 0x79
102 0146 0x66
108 0154 0x6c
121 0171 0x79
101 0145 0x65
114 0162 0x72
46 0056 0x2e
99 0143 0x63
111 0157 0x6f
109 0155 0x6d
46 0056 0x2e
97 0141 0x61
117 0165 0x75
47 0057 0x2f
105 0151 0x69
110 0156 0x6e
100 0144 0x64
101 0145 0x65
120 0170 0x78
46 0056 0x2e
104 0150 0x68
116 0164 0x74
109 0155 0x6d
108 0154 0x6c
63 0077 0x3f
99 0143 0x63
117 0165 0x75
115 0163 0x73
116 0164 0x74
111 0157 0x6f
109 0155 0x6d
101 0145 0x65
114 0162 0x72
61 0075 0x3d
97 0141 0x61
100 0144 0x64
109 0155 0x6d
97 0141 0x61
50 0062 0x32
48 0060 0x30
49 0061 0x31
49 0061 0x31
32 0040 0x20
13 0015 0x0d
4 0004 0x04
Here are the photos: http://imgur.com/a/pKTjv
Offline
From what I can make of it, it seems to be sending 6 win+r key presses then I'd say it sends two different shortcuts to launch the run dialog on macs (guessing, no clue if that's it or not), followed by backspace to clear anything that might be in the run dialog, then types the url followed by a space and then enter and another key I couldn't find, probably the equivalent of enter on the mac. I guess this relies on windows and mac ignoring some keys and doing nothing.
On the hardware side there is not much to identify, on the left there seems to be some sticky gum (can't see very well from the pic), I'd say that's what was sticking the pcb to the plastic case. Then there is the black blob of resin that covers the micro controller itself (chip on board assembly), nothing to see there, it's the cheapest way to make it and as far as I know there is no way to know what's inside. The 2 small parts besides the black resin blob seem to be 2 smd capacitors (judging by the markings), possible functions may be supply voltage filtering and to define the internal clock frequency.
On one side there are the contacts used to connect to the usb bus and on the underside the 4 contacts/pads are probably used to program the micro controller with the custom data and that's it.
R00KIE
Offline
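An added example, not code from this thread: a small Python parser for a `showkey -a` capture like the one posted above. It checks that the decimal, octal and hex columns agree, names the Linux console escape sequences (ESC [ 1 ~ is Home, ESC [ 4 ~ is End; 0x7f is what Backspace sends; the final 0x04 is the Ctrl-D that ends showkey) and pulls out any URL the device typed. The sample input is constructed with a placeholder URL, and the function names are illustrative.

```python
import re

# Linux console sequences for navigation keys, plus the control bytes of interest.
CSI_KEYS = {"1~": "<Home>", "2~": "<Insert>", "3~": "<Delete>", "4~": "<End>"}
CONTROL = {0x04: "<Ctrl-D>", 0x0D: "<Enter>", 0x1B: "<Esc>", 0x7F: "<Backspace>"}
ROW = re.compile(r"^\s*(\d+)\s+0([0-7]+)\s+0x([0-9a-fA-F]+)\s*$")

def parse_dump(text):
    """Return byte values from `showkey -a` rows; the three columns must agree."""
    values = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner or blank line
        dec, octal, hexa = int(m[1]), int(m[2], 8), int(m[3], 16)
        if not dec == octal == hexa:
            raise ValueError(f"inconsistent row: {line!r}")
        values.append(dec)
    return values

def tokenize(values):
    """Turn byte values into printable characters and named special keys."""
    tokens, i = [], 0
    while i < len(values):
        b = values[i]
        if b == 0x1B and values[i + 1:i + 2] == [0x5B]:
            j = i + 2  # CSI: ESC [ parameters, ended by a byte in 0x40..0x7e
            while j < len(values) and not 0x40 <= values[j] <= 0x7E:
                j += 1
            body = "".join(chr(v) for v in values[i + 2:j + 1])
            tokens.append(CSI_KEYS.get(body, f"<CSI {body}>"))
            i = j + 1
            continue
        if b in CONTROL:
            tokens.append(CONTROL[b])
        elif 0x20 <= b < 0x7F:
            tokens.append(chr(b))
        else:
            tokens.append(f"<0x{b:02x}>")
        i += 1
    return tokens

def find_urls(tokens):
    """Extract URLs from runs of printable characters between special keys."""
    text = "".join(t if len(t) == 1 else "\n" for t in tokens)
    return re.findall(r"https?://\S+", text)

def make_dump(data):
    """Format bytes the way `showkey -a` prints them (for the constructed sample)."""
    rows = ["%3d 0%03o 0x%02x" % (b, b, b) for b in data]
    return "Press any keys - Ctrl-D will terminate this program\n" + "\n".join(rows)

# Constructed sample with a placeholder URL, same shape as the capture above.
SAMPLE = make_dump(b"rr\x1b[1~\x1b[4~\x7fhttp://example.test/?id=42 \r\x04")

if __name__ == "__main__":
    print("".join(tokenize(parse_dump(SAMPLE))), find_urls(tokenize(parse_dump(SAMPLE))))
```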
R00KIE wrote: On the hardware side there is not much to identify, on the left there seems to be some sticky gum (can't see very well from the pic), I'd say that's what was sticking the pcb to the plastic case. Then there is the black blob of resin that covers the micro controller itself (chip on board assembly), nothing to see there,
Spot on. The glob of glue appears to be to hold it firm inside its casing so it can't rattle.
R00KIE wrote: On one side there are the contacts used to connect to the usb bus and on the underside the 4 contacts/pads are probably used to program the micro controller with the custom data and that's it.
Someone suggested to me that it would be handy to reprogram to change your wallpaper or browser homepage etc then plug it in to people's computer when they leave it unlocked
Thanks for all your input, I'll mark this as solved since 'sendkeys -a' is a "safe" way to test them. On a side note for future readers, I had to do that command in a VC, if I tried in X the window would lose focus when plugging in the USB.
Offline
Even better would be to reprogram it to move the mouse and/or send key presses at random times
The only thing in the way of doing that is finding out exactly which micro controller is hiding under the blob of resin.
R00KIE
Offline
R00KIE wrote: The only thing in the way of doing that is finding out exactly which micro controller is hiding under the blob of resin.
Way outside my skill-set unfortunately
Offline
As most things it is easier said than done XD ... finding out which micro controller is there requires a programmer (even if it is homemade), software that knows how to read and write to the micro controller and lots of trial and error. This is just the start, then the mandatory usb stack source and emulation of mouse/keyboard is necessary.
After finding out which micro controller is there then at least the usb stack source may be available from the manufacturer of the chip (some do provide stuff like that) but the "extra" stuff may need to be implemented .... it looks like a lot of work for little reward, not to mention that datasheets, SDKs, prototype programmer schematics (read simple homemade programmer) and example source code may be hard to find for less end user massified/well-known brands of micro controllers.
R00KIE
Offline
R00KIE wrote: .... less end user massified/well-known brands of micro controllers.
The space-cadet I spoke to about it at the company insisted that these things are almost ubiquitous and couldn't believe I'd never come across one before... Then proceeded to make passive-aggressive insults about my capability as an IT Tech. He was on another planet, I swear.
Offline
fukawi2 wrote:
R00KIE wrote: .... less end user massified/well-known brands of micro controllers.
The space-cadet I spoke to about it at the company insisted that these things are almost ubiquitous and couldn't believe I'd never come across one before... Then proceeded to make passive-aggressive insults about my capability as an IT Tech. He was on another planet, I swear.
I'm not really sure what to say about that .... must have been one of those space cowboy users, or as bofh [1] would put it, lusers, that think they know it all but can't tell if they are looking at a screw or bolt. Programmable logic can be made to look like anything, as the programmable in the name implies
The hardware inside can come from any number of manufacturers and change without notice, as long as it does the same function, the end luser doesn't care or notice, even if it comes from the same manufacturer the micro controller inside can change, it can support more (or most probably less features if the thing gets really massified and making it cheaper is the priority), have less memory, less I/O ports, the physical connections and hence the hardware addresses where they can be accessed can change, even the configuration of similar peripherals (such as usb) can have subtle differences that can make you bang your head in the wall trying to figure out why things don't work. Even errata revisions of the same chip can behave differently. Programming the thing is not the same as plugging it and get spied upon
Finding documentation about the chips (datasheets, example code, SDK, compilers, schematics) for brands like atmel and microchip is easy, you can even get free samples, for other less known manufacturers (less known/used/easily available for anonymous people like you and me) you'll have a hard time finding even datasheets, let alone anything else that will make your life easier, I guess the manufacturer will provide all that if you buy in volume and sign a NDA, not the case here, specially because the objective would be to hack the thing for benevolent mischief and laughs
But then again, I'd say that chap must have had trouble with his password and caps lock before and thought the problem was not his/hers, so his disconsideration for the one(s) who keep things running smoothly for him/her was to be expected.
[1] http://www.theregister.co.uk/odds/bofh/
Have fun reading all the stories if you like a bit of twisted British humor
R00KIE
Offline
R00KIE wrote: I'm not really sure what to say about that .... must have been one of those space cowboy users, or as bofh [1] would put it, lusers, that think they know it all but can't tell if they are looking at a screw or bolt. Programmable logic can be made to look like anything, as the programmable in the name implies
......
But then again, I'd say that chap must have had trouble with his password and caps lock before and thought the problem was not his/hers, so his disconsideration for the one(s) who keep things running smoothly for him/her was to be expected.
The company's catch-cry to anyone querying the security of the device seems to be "there's no memory in the device so there's no security concerns" and "it says it's secure on the device" (Literally, it says "Secure USB Device" on it. Phew! I guess anything that *says* it's secure is safe then!)
Offline
fukawi2 wrote: The company's catch-cry to anyone querying the security of the device seems to be "there's no memory in the device so there's no security concerns" and "it says it's secure on the device" (Literally, it says "Secure USB Device" on it. Phew! I guess anything that *says* it's secure is safe then!)
Yeah ... right ... very conveniently they forget that browsers have shown to have more security holes than a tight mosquito net, with the possibility of drive by downloads and remote code execution, not that those things have ever been used maliciously
R00KIE
Offline