Pete got this interesting junkmail from American Express a while back. It’s a piece of plastic that looks like a thick credit card, but has a small fold out section that fits into a USB port. When you plug it into your computer, it opens your browser and takes you to a website to sign up for an American Express credit card.
Seems like a lot of work to get you to their website, but it (sorta) worked on me. There is no way I would possibly open my browser and go to their annoying website on my own.. It was only the intrigue of some little USB device that got me there. Of course, once at the website, it was about as interesting as any other credit card offer, and I immediately left.
Pete was kind enough to let me take this marketing gimmick home to play with.
It’s not a USB flash drive. It’s a USB HID device that pretends to be an Apple Keyboard. Not just any keyboard, it specifically identifies as an Apple brand keyboard. I’m not sure what the benefit of this is… Once you plug it in, it starts sending key strokes. On my Mac, it opens the Apple menu and selects “Mac OS X Software…” which opens your default browser and takes you to some Apple page. However, before that site loads, it types out www.ppiamexzync.com which instantly redirects to https://www201.americanexpress.com/cards/RSVPServlet?rt=login&ct=87 once it loads you have the opportunity to apply for a Zync American Express card and get a credit card that is accepted almost nowhere.
Using an knife I pried the USB connector bit apart. It has a small dab of glue inside holding a tiny circuit board in place. If you are opening up one of these BE GENTLE!! In the process of separating the circuit board from the plastic, a small white component fell off the board. I think it’s a resonator. After a while with a magnifying glass and an extremely small soldering iron tip I was able to get it soldered back on. The circuit board has two surface mount capacitors, a black blob, an 8 pin IC and what I think is a (ceramic?) resonator.
The IC is a 24BC08 8k serial EEPROM. Here is the datasheet.
There is a four pin connector at the bottom, and the traces for the USB connection on the back. I imagine the four pin connector is for programming and/or communication with the black blob which I assume is a microcontroller. CJS1024 and WEB-126 is written below the black blob, but google didn’t find anything useful in english so I left it alone.
click on the photo for a larger version
It was easy to determine from the USB connector where the +5VDC and GND connections are; they are GND on the far left and +5V on the far right in the above picture. Using the 24BC08 datasheet pinout I connected some extra fine wire-wrap wire to the SCL and SDA pins of the EEPROM. All hooked up to my newly acquired, extra fancy DangerousPrototypes.com Bus Pirate I was easily able to dump the contents of the EEPROM
I changed the URL to an especially hilarious shock site involving skydiving and wrote the new data back to the EEPROM. Slightly worried that it might explode my Macbook, I cautiously stuck it in my USB port.. FAP FAP FLAPPP… “I believe I can fly…” glory! A little superglue stuck it back together and I returned the card to Pete.. I wish more junk mail was this fun.
There are a lot of malicious things a device like this could do.. by simply acting as a keyboard and/or mouse it could easily delete files, install software from the web, download copious amounts of porn and email it to your boss or install some Microsoft software on your computer.. Finding a USB device on the sidewalk, it would be tough to resist the temptation to plug it in..