[Info] American Express Usb Ad

[HairClog]

I recieved this today. It appears that American Express has already built their own USB duckys. In this

you can see that this usb card is a HID keyboard that brings up the windows Run command and keys in their webpage. I took this thing apart to see the what was on the board.

Up close to the chip

I haven't been able to find out about the chip that is on the board but it would be great to see if they can be acquired!

[Jerico_Tyler]

the really meat is probably under the black spot

[crazyren]

its could be one of these chip... ( http://www.hexwax.com/products.aspx )

[HairClog]

Tried fire, prying, cutting. The black spot is stronger plastic than the board itself. Any ideas, or is it tamper proof.

[1n5aN1aC]

Tried fire, prying, cutting. The black spot is stronger plastic than the board itself. Any ideas, or is it tamper proof.

I'm pretty sure you can't get it off without completely destroying it...... ;)

[Elementix]

The black stuff is epoxy. It can be removed without damaging the chip. Here you go:

Now get it off so we can see what they've got under there! :)

[1n5aN1aC]

Oh yeah, it is just epoxy isn't it.... oops...

[Paul Stoffregen]

The visible chip is probably an AT24C02A 256 byte EEPROM memory chip. Many companies make this "24C02" chip, so the first 2 letters (denoting the manufacturer) may not necessarily be "AT" for Atmel.

http://search.digikey.com/scripts/DkSearch...02A-10TI-2.7-ND

[Darren Kitchen]

This is great. Seriously. When big names like Amex start using methods like these to "secure the users" it becomes an accepted practice to allow foreign HIDs.

Much like the convenience of having optical media autorun, because otherwise grandma might get confused if nothing happens when she pops in the Kodak Picture CD the grand kids sent over into the computamajiggy.

Convenience. Trust. Pwnage.

To be honest the weakest link, causing everything else to compromise security, is between most keyboards and chairs. We need to rethink users and I believe only genetics can solve this problem. (j/k)

[crazyren]

according to this post ( http://catless.ncl.ac.uk/Risks/25.83.html#subj12 )

It identified itself on the USB chain as:

Bus 003 Device 003: ID 05ac:020b Apple, Inc. Pro Keyboard

[Mitsumi, A1048/US layout]

[Netshroud]

Ooh, I bet they're praying that Apple doesn't find out.

[Darren Kitchen]

That's what the Ducky should default to, an apple keyboard. Ya know, for kicks.

[1n5aN1aC]

Defiantly, so that apple keyboards get blocked ;) (okay, they won't, but everyone will think apple keyboards glitch a lot, or something....)

[crazyren]

That's what the Ducky should default to, an apple keyboard. Ya know, for kicks.

i was wondering what if we randomize the vendor name and product name.. after every use, using a huge list of all famous drive and yea... then possibilities of getting pwned is hard..

[nxt471]

That's what the Ducky should default to, an apple keyboard. Ya know, for kicks.

What would be even better is to disguise it as a Dell or Microsoft keyboard, they can be found almost everywhere in offices and blocking them would cause a whole load of keyboards to not work, also, nobody suspects Dell or Microsoft keyboards to be hacking them, right? :)

Edited April 18, 2010 by nxt471

[Elementix]

i was wondering what if we randomize the vendor name and product name.. after every use, using a huge list of all famous drive and yea... then possibilities of getting pwned is hard..

I like this idea, but how much space would that use up?

[hacker07]

okay im confused. How would i change the vendor on my teensy?

[bigk]

Interesting. Hairclog, in your picture it appears your resonator (crystal) is gone. It's a 3 pin ceramic package that is mounted just above the epoxied chip. Another interesting thing is mine has the same markings on the board and the same landings, but does not have the serial eeprom at all. When I plug it in it acts like a keyboard, brings up the run command and types in www.ppprg.com which forwards to American Express. I wonder if the 4 contacts on the bottom of the board are for programing the device.

[Paul Stoffregen]

okay im confused. How would i change the vendor on my teensy?

All USB devices have a 16 bit Vendor ID and 16 bit Product ID number. In Teensy, these numbers (and pretty much everything else) is definable by programming.

If you're programming using Arduino with Teensyduino, look inside your Arduino IDE's installation directory, in hardware/teensy/cores/teensy_hid/usb_private.h. You'll find this near the top:

#define VENDOR_ID               0x16C0
#define PRODUCT_ID              0x0482

A little farther down, you'll find this:

#define STR_PRODUCT             L"Teensy Keyboard/Mouse"

You'll also find there's lots of editable stuff inside usb.c, also in that directory. Those "descriptors" are the actual data the PC reads when it's detecting the USB device (the process is called "enumeration" in USB lingo). You can change it to absolutely anything you desire, though you might want to read chapter 5 and 9 of the USB specification, and maybe review the HID spec and usage tables.... all of which are free downloads at www.usb.org in the developer section.

Those numbers are compile-time constants, which are placed into arrays of bytes stored in read-only flash memory. You can't change them while the Teensy is running. However, if you really felt ambitious, you could change the code which reads the memory and transmit it to the PC. It's located in the giant endpoint0 interrupt routine, in usb.c. In fact, here it is:

                if (bRequest == GET_DESCRIPTOR) {
                        list = (const uint8_t *)descriptor_list;
                        for (i=0; ; i++) {
                                if (i >= NUM_DESC_LIST) {
                                        UECONX = (1<<STALLRQ)|(1<<EPEN);  //stall
                                        return;
                                }
                                pgm_read_word_postinc(desc_val, list);
                                if (desc_val != wValue) {
                                        list += sizeof(struct descriptor_list_struct)-2;
                                        continue;
                                }
                                pgm_read_word_postinc(desc_val, list);
                                if (desc_val != wIndex) {
                                        list += sizeof(struct descriptor_list_struct)-4;
                                        continue;
                                }
                                pgm_read_word_postinc(desc_addr, list);
                                desc_length = pgm_read_byte(list);
                                break;
                        }
                        len = (wLength < 256) ? wLength : 255;
                        if (len > desc_length) len = desc_length;
                        list = desc_addr;
                        do {
                                // wait for host ready for IN packet
                                do {
                                        i = UEINTX;
                                } while (!(i & ((1<<TXINI)|(1<<RXOUTI))));
                                if (i & (1<<RXOUTI)) return;    // abort
                                // send IN packet
                                n = len < ENDPOINT0_SIZE ? len : ENDPOINT0_SIZE;
                                for (i = n; i; i--) {
                                        pgm_read_byte_postinc(UEDATX, list);
                                }
                                len -= n;
                                usb_send_in();
                        } while (len || n == ENDPOINT0_SIZE);
                        return;
                }

That code is responsible for sending all the descriptors, so if you tweaked it for only 1 descriptor, be sure to make that a special case test and fall back to the normal code for the other cases, since the PC needs to read all the descriptors.

Of course, intentionally setting the ID numbers to mimic a well known product is ethically questionable, and also violates the USB-IF adapter's agreement, and might be bad karma too....

[dmsmith1991]

If the vendor_id and product_id's are changed, doesn't that mean teensy loader won't detect the teensy when it is plugged in?

[Netshroud]

That's what the button is for.

[dmsmith1991]

That's what the button is for.

So your saying that the bootloader has a seperate set of ID's which aren't replaced when you change the ID's in usb_private.h?

[Netshroud]

Yep, the bootloader shows up as a composite device (Product 0x0878 Vendor 0x16c0), rather than whatever you set it to.

[Sl45h3R]

Yeah, thats how the teensy loader knows that the HalfKey loader is running.