6

I received a direct marketing USB stick on the mail the other day. As soon as I inserted it into my test-Mac - it opened Safari and wrote in the address of a website it wanted to visit. It had the exact same behaviour on my test PC.

Now, I was under the assumption that OSX didn't have an autorun feature. I'm running 10.10.3 and I can't even find the device under disk utility.

Any ideas on how they are doing this? The only thing I can think of is that it's piggybacking on a helper service, but I've never used any products from this company before.

How can I investigate the contents of the USB if I can't find it on my mac?

user977101
  • 161
  • 2
  • 12

1 Answers1

12

I can't even find the device under disk utility.

That is beacause it is not a disk device, but a USB HID "keyboard". The stick sends the key codes that will open the website automatically.

Turbo J
  • 7,563
  • 1
  • 23
  • 43
  • 1
    That sounds very scarey on the security front! Can you provide any further info on how you know that, and if there are any articles discussing it please? – Mark Setchell May 04 '15 at 21:12
  • 4
    Its actually onle a guess, but HID is the simplest method. You could do this with any USB microcontroller like the one on [Arduino Leonardo](http://hackaday.com/2012/06/29/turning-an-arduino-into-a-usb-keyboard/) board. – Turbo J May 04 '15 at 23:17
  • 2
    You were absolutely right @TurboJ. Using a USB HID-explorer I found the key, I was even able to trace it down to the company who makes them: http://www.digital-key.co.uk/ Seeing that it acts like a keyboard and is able to execute things on it own, this has to be a new security challenge that Apple has to deal with. – user977101 May 05 '15 at 07:52
  • 3
    @MarkSetchell not really. The scary part was "I received a USB drive of dubious/unknown origin and plugged it in". An even scarier version, if you are into that kind of thing, is "looks like a USB drive, behaves like a USB drive, but it also contains a GPS and a 3G modem that tells the NSA its whereabouts when plugged in". – Tobia Tesan May 16 '15 at 14:06