Recently I received promo letter from RS New Zealand which contained a mysterious USB dongle device thingy:

rs_nz_dongle0

hmm… should I plug this thing in…

rs_nz_dongle1

rs_nz_dongle2

Word of warning: never plug anything into USB port if you didn’t ask for it. For “science” I plugged it into a sacrificial Linux box.

Turns out the dongle is a keyboard device that mashes magic Windows specific key sequences (more on that later).

This whole marketing campaign is extremely stupid move from RS NZ. Now a 3rd malicious party can copy their marketing material and send it out with a dongle that has malicious payload (could be the same keyboard sequence that goes to a site and downloads root kit, while “Allowing” all the UAC dialogues).

It is a shame that RS NZ trains already security deficient Windows users with more horrible security practices.

The device presents itself with following ID:
Bus 001 Device 018: ID 05ac:020b Apple, Inc. Pro Keyboard [Mitsumi, A1048/US layout]

Here is the magic key sequence:

Caps_Lock
Caps_Lock
Super_L + r
Home
Shift_L + End
BackSpace
# above is running Win+R 
# clearing the line 
# while Caps Lock on for some reason

Alt_L + KP_End
Alt_L + KP_Insert
Alt_L + KP_Left
# Alt + 104 = h

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Right
# Alt + 116 = t <- guess where this is going?

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Right
# Alt + 116 = t <- is 'p' next?

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Down
# Alt + 112 = p <- yep, it is an obscure way of typing 'http'.

Alt_L + KP_Insert
Alt_L + KP_Begin
Alt_L + KP_Up
# Alt + 058 = : <- http:

Alt_L + KP_Insert
Alt_L + KP_Left
Alt_L + KP_Home
# Alt + 047 = / <- http:/

Alt_L + KP_Insert
Alt_L + KP_Left
Alt_L + KP_Home
# Alt + 047 = // <- http://

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Begin
# Alt + 115 = s <- where is this going?

Alt_L + KP_End
Alt_L + KP_Insert
Alt_L + KP_End
# Alt + 101 = e <- http://se ?

Alt_L + KP_Insert
Alt_L + KP_Prior
Alt_L + KP_Prior
# Alt + 099 = c <- secure? but not https?

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Home
# Alt + 117 = u <- http://secu...

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Left
# Alt + 114 = r <- http://secur...

Alt_L + KP_End
Alt_L + KP_Insert
Alt_L + KP_End
# Alt + 101 = e <- http://secure...

Alt_L + KP_Insert
Alt_L + KP_Left
Alt_L + KP_Begin
# Alt + 045 = - <-http://secure-

Alt_L + KP_Insert
Alt_L + KP_Prior
Alt_L + KP_Prior
# Alt + 099 = c <- http://secure-c

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Right
# Alt + 116 = t <- http://secure-ct

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Prior
# Alt + 119 = w <- http://secure-ctw

Alt_L + KP_Insert
Alt_L + KP_Left
Alt_L + KP_Right
# Alt + 046 = . <- http://secure-ctw.

Alt_L + KP_Insert
Alt_L + KP_Prior
Alt_L + KP_Prior
# Alt + 099 = c <- http://secure-ctw.c

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_End
# Alt + 111 = o <- http://secure-ctw.co

Alt_L + KP_End
Alt_L + KP_Insert
Alt_L + KP_Prior
# Alt + 109 = m <- http://secure-ctw.com

Alt_L + KP_Insert
Alt_L + KP_Left
Alt_L + KP_Right
# Alt + 047 = / <- http://secure-ctw.com/

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Down
# Alt + 112 = p <- http://secure-ctw.com/p

Alt_L + KP_End
Alt_L + KP_End
Alt_L + KP_Home
# Alt + 117 = u <- http://secure-ctw.com/pu

Return
Caps_Lock
# the end

The resultant http://secure-ctw.com/pu redirects to http://nz.rs-online.com/web/generalDisplay.html?id=tct .
For some reason they decided to use 3rd party redirection service, whose domain/URL is not much shorter than http://nz.rs-online.com.
The funny thing is they could have registered rs-tct.nz (or rstct.nz) for something like $30 and set-up redirect there. It smells of their marketing department stumbling in the dark.

The whole thing pretty pointless IMHO. Could have just sent a postcard with a QR Code and URL on it. Actually form environment point of view it is very wasteful.

I guess they are forcing dumbass Windows users to visit their page (who otherwise would not follow the link)…

Leave a Reply

Your email address will not be published. Required fields are marked *