Getting Owned: The USB Keystroke Injection Attack

Date: Oct 6, 2010 By Seth Fogie.
What do you call a USB-based device that can bypass all AV and autorun policies? Although most would consider it a perfect mischievous attack vector, Hyundai has used it as a tool to build customer loyalty. This leaves Seth Fogie wondering: Are people planning to use this technology maliciously?

What do you get when you put very technically proficient people in charge of building customer loyalty? In this case, you get the perfect marketing tool—an undetectable, AV- and platform-apathetic method of programmatically interacting with the host OS.

Fortunately, Hyundai is using its technical prowess only for good. Put this technology in a malicious hacker's hands, and you have a rather innovative way to create some chaos.

This article starts with an innocent-looking package that arrived in the mail. Included in the package was a small key-like device that was designed to fit into the USB slot of any modern desktop/laptop (see Figure 1). This could be a Mac, a Windows-based PC, or even a Linux box.

Once inserted, the USB device would cause the computer to launch an Internet browser that would automagically go to http://www.welcomemyhyundai.com.

Figure 1 Hyundai key

World Views

Let's look at this from two angles: the marketing perspective and the security perspective.

Marketing

First, from a marketing point of view, this device is a perfect solution to provide an enhanced method of driving traffic to your product line. It is unique, technologically sexy, AV- and OS-apathetic, and cheap to develop and mass produce.

Imagine the marketing potential. In this case, Hyundai used the device to open a website meant to drive consumer loyalty. Other possibilities include opening a PDF file, downloading an image or document, displaying a popup or banner ad, a web-based "phone home" reporting that the device was used, and so on.

If we take this one step further, the device could also be used as a unique identifier or login device. For example, imagine being able to hand out a USB device that would automatically log a user into a website or desktop application using an automated process that embeds a unique identifier directly into the URL (i.e., https://www.site.com?uid=12345)—and not have to worry about an AV product, a policy-based disabled autorun, or an anti-USB policy getting in the way. This is a marketer's dream!

Security

Now, let's see a second perspective to the way this type of device can be used: the "paranoid" security world view. Imagine a device that can cause the host computer to visit a website, launch an application, run any number of commands via the command prompt or establish a remote shell—all without AV software interfering or an anti-USB policy getting in the way.

Simply plug the device into a USB port, or socially engineer someone to do it for you, and the goal is accomplished.

If we put on our malicious hacker hats for a moment, let's consider the potential for harm:

  • Direct a web browser to a malicious website that contains code that installs a backdoor.
  • Create an administrator account on the device.
  • Download and execute a reverse-shell program.
  • Delete, upload, update, or create files.
  • Obtain local sensitive data and upload it to a remote attacker.
  • Update local domain name server settings to redirect all Internet traffic to a remote attacker.

The true potential of this attack vector is unlimited and is up to the imagination and creativity of the attacker.

The Technology

At first glance, the Hyundai key looks like a standard USB drive. While it has the common form factor that many other vendors use to promote their product, the device is not used for data storage.

Instead, Hyundai has recruited the talents of Tenx Technologies Inc. to create a USB keyboard emulator that is automatically detected as a USB-based keyboard by the host operating system. Once the OS recognizes the device as a keyboard and configures the port to receive "keystrokes," the chip on the USB key complies and sends a predefined set of keystrokes to the waiting computer. Figure 2 shows us how OSX's USB Prober sees the device.

Figure 2 USB Prober

The end result is that the computer opens an Internet browser and retrieves the Hyundai website content.
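The host decides that a device is a keyboard from the interface descriptors it reports during enumeration, which is the same data USB Prober displays. The following added example (not part of the original article) parses a raw configuration descriptor and flags a keyboard interface on a device that is not on an approved list; the descriptor bytes, the vendor/product IDs and the approved list are constructed for illustration.

```python
import struct

# Constants from the USB and HID class specifications.
DT_INTERFACE = 0x04        # bDescriptorType of an interface descriptor
CLASS_HID = 0x03           # bInterfaceClass: human interface device
CLASS_MASS_STORAGE = 0x08  # bInterfaceClass: mass storage
PROTO_KEYBOARD = 0x01      # bInterfaceProtocol: keyboard


def parse_interfaces(config_blob: bytes):
    """Walk a raw configuration descriptor and return its interface descriptors."""
    interfaces, offset = [], 0
    while offset + 2 <= len(config_blob):
        length, dtype = config_blob[offset], config_blob[offset + 1]
        if length < 2 or offset + length > len(config_blob):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE and length >= 9:
            _, _, num, _, _, cls, sub, proto, _ = struct.unpack_from("<9B", config_blob, offset)
            interfaces.append({"number": num, "class": cls, "subclass": sub, "protocol": proto})
        offset += length
    return interfaces


def audit_device(vid, pid, config_blob, approved_keyboards):
    """Return findings for a device that enumerates a keyboard interface."""
    ifaces = parse_interfaces(config_blob)
    has_kbd = any(i["class"] == CLASS_HID and i["protocol"] == PROTO_KEYBOARD for i in ifaces)
    has_storage = any(i["class"] == CLASS_MASS_STORAGE for i in ifaces)
    findings = []
    if has_kbd and (vid, pid) not in approved_keyboards:
        findings.append("unapproved device presents a HID keyboard interface")
    if has_kbd and has_storage:
        findings.append("composite device: keyboard plus mass storage")
    return findings


# Constructed sample: configuration + one HID boot-keyboard interface
# + HID descriptor + one interrupt IN endpoint (34 bytes in total).
SAMPLE_CONFIG = bytes.fromhex(
    "09022200010100a032"   # configuration descriptor, wTotalLength = 0x0022
    "090400000103010100"   # interface 0: class 03, subclass 01, protocol 01
    "092111010001223f00"   # HID class descriptor
    "0705810308000a"       # endpoint 0x81, interrupt, 8-byte packets
)
SAMPLE_VID_PID = (0x1234, 0x5678)   # constructed IDs, not a real device
APPROVED = {(0xAAAA, 0x0001)}       # constructed allowlist of issued keyboards

if __name__ == "__main__":
    print(audit_device(*SAMPLE_VID_PID, SAMPLE_CONFIG, APPROVED))
```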

Based on testing, the USB key has the capability to detect which operating system the host system is running (Windows/OSX) and can alter the keystroke combination accordingly.

The following details the keys entered on each OS:

Windows:

OSX:

Figure 3 provides a shot of the key in its disassembled state. Note that the chip is coated with epoxy to prevent tampering/reverse-engineering.

Figure 3 Hyundai key disassembled

A Weaponized Key

If all this sounds like another one of those paranoid security theories, this type of technology has already been proven to be of interest to security researchers. In fact, the concept has been put into a point-and-click application that allows a person to package any number of payloads into a similar device from http://www.prjc.com.

As can be seen from this post (http://www.secmaniac.com/august-2010/social-engineer-toolkit-v0-6-1-teensy-usb-hid-attack-vector/), security researchers have integrated the infamous Metasploit penetration testing suite with a social-engineering toolkit designed to create a package that can be installed onto a USB microcontroller in a couple of minutes.

Once inserted into the target device, the controller uses the same technology as the Hyundai key to emulate a keyboard, launch Powershell, and dynamically build a program that phones home to a waiting server—all by sending keystrokes to the host OS. The end result is a backdoor on the target device.
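Because the payload arrives as ordinary keystrokes, one place a defender can still see it is in timing: an emulator starts typing moments after enumeration and at a rate no person sustains. The following added example (not from the original article) applies that heuristic to a hypothetical feed of attach and keystroke events; the event format, device names and thresholds are assumptions, and the sample events are constructed.

```python
from statistics import median

# Assumed thresholds for illustration; tune against real telemetry.
ATTACH_WINDOW_S = 5.0   # typing that starts this soon after enumeration is suspect
MIN_BURST_KEYS = 20     # ignore short bursts such as a single held key
HUMAN_FLOOR_S = 0.030   # median gap under 30 ms is faster than sustained human typing


def find_injected_typing(events):
    """events: iterable of (timestamp_s, device_id, kind); kind is 'attach' or 'key'.

    Returns the sorted device ids whose first keystrokes after attach
    look machine-generated.
    """
    attach_time, keys = {}, {}
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            # A re-attach resets the keystroke history for that device.
            attach_time[dev], keys[dev] = ts, []
        elif kind == "key" and dev in attach_time:
            keys[dev].append(ts)

    flagged = []
    for dev, stamps in keys.items():
        if len(stamps) < MIN_BURST_KEYS:
            continue
        burst = stamps[:MIN_BURST_KEYS]
        gaps = [b - a for a, b in zip(burst, burst[1:])]
        starts_early = burst[0] - attach_time[dev] <= ATTACH_WINDOW_S
        if starts_early and median(gaps) < HUMAN_FLOOR_S:
            flagged.append(dev)
    return sorted(flagged)


# Constructed sample telemetry: "usb-1" behaves like a keyboard emulator,
# "usb-2" is a person who starts typing 20 s after plugging in a keyboard.
SAMPLE_EVENTS = (
    [(0.0, "usb-1", "attach")]
    + [(1.2 + i * 0.005, "usb-1", "key") for i in range(40)]
    + [(0.0, "usb-2", "attach")]
    + [(20.0 + i * 0.15, "usb-2", "key") for i in range(40)]
)

if __name__ == "__main__":
    print(find_injected_typing(SAMPLE_EVENTS))
```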

Summary

In summary, Hyundai has employed a very creative method of advertising that is unique and solves many of the problems associated with digital marketing.

While the ingenuity of the USB keyboard emulator is notable, from a security perspective it is a bit concerning. Security-minded businesses go to great efforts to prevent USB-based attacks by disabling autorun and U3 types of attack vectors, which this device cleverly bypasses.

Hyundai has indeed provided an ownership experience, one that hopefully won't be abused by malicious hackers who could replace the code with something a bit more malicious.