Reprogramming Promotional USB Dongles To Launch Custom URLs

webkey-hacking

The teachers at [Jjshortcut’s] school were each given a Webkey by the administration as a promotional item of sorts, but most of the staff saw them as useless, so they pitched them. [Jjshortcut] got his hands on a few of them and decided to take one apart to see what made them tick.

He found that the device was pretty simple, consisting of a push button that triggers the device to open the Windows run prompt, enter a URL, and launch Internet Explorer. Since the microcontroller was locked away under a blob of epoxy, he started poking around the onboard EEPROM with his Bus Pirate to see if he could find anything interesting there. It turns out he was able to read the contents of the EEPROM, and since it was not write protected, he could replace the standard URL with that of his own web site.

While it’s safe to say that without a new microcontroller the Webkeys probably can’t be used for anything more exciting than launching a browser, [Jjshortcut] can always reprogram the lot and drop them in random locations to drive some fresh traffic to his web site!

[Thanks, Wouter]

16 thoughts on “Reprogramming Promotional USB Dongles To Launch Custom URLs

  1. I got something like this in the shape of a key from Hyundai. There were no buttons, you just plug it in and it pulls up the run box and launches its website. (I’ve read that it works on Macs as well.) Unfortunately, there’s no separate EEPROM, just a blob of epoxy like shown above and two tiny capacitors.

  2. What a terrible idea…

    “Here, take this dongle.”
    “What does it do?”
    “Oh, it will take you to my website.”
    [hours later]
    “WTF IT DELETED MY HARD DRIVE!!!”

    Stay sharp, kids.

    1. Someone like those scam “Windows support” callers from India that, try to talk you though rootkiting your own computer, will eventually try that.

      Bulk mail “Computer Cleaner” keys to people, through a blind so that the post office can’t track it back afterward, and then wait for all the rooted PCs to phone home.

  3. tried on of these out on a Linux machine and was supprised to see nothing when I pressed the button.
    surely it is just a usb keyboard ?
    turns out Linux has had kernel protection from these things for sometime, to see anything you must run a terminal outside of X11.
    Very disapointed I could not use it as emergancy button.

  4. If you can rewrite the URL, doesn’t that mean you have access to RUN? If so, couldn’t you just use it to launch command prompt and copy a virus to the HDD? If all you can access is the URL, then it should still be possible to initiate a download from an FTP server. Dangerous.

  5. I once repurposed one of these. It was a microsoft “Smart” button, that took you to some dead site.

    What I used it for is turning on all the PCs in the showroom of the store I worked at. I plugged it into one of the till PCs, rewrote the hosts file to point to a webserver in the back, and wrote a cgi script on that webserver to send wakeonlan packets to all the showroom PCs. I also had it print out a blank page from the printer to warm it up.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.