DED: Donut Email Dongle (part 1)

(Part 2, with the process of packaging this in a covert fashion, is available here.)

Background

In many offices (my own included), leaving your computer unlocked when you aren’t using it is heavily frowned upon for obvious security reasons. Responses vary from place to place (there are good posts on this by Troy Hunt and Jamie Thomson), but in my office the standard practice is to send a humorous e-mail to the team, organization, entire company, etc.  The contents vary from org to org, but one piece that’s becoming common is saying that you (that is, the person it looks like the email is coming from) will bring donuts tomorrow.

As was fairly inevitable, it’s no longer just used as a security awareness technique and is now more a form of office warfare.  If you turn your back on your screen for a second, someone will try to send a message.  Unfortunately, especially if you aren’t familiar with someone’s keyboard (or if they have a loud one), it can be tough to do this sneakily without the target noticing, and unless you can write the message and hit send, it’s a waste.  This got me thinking about ways to streamline the process, and that led to the DED (Donut Email Dongle).

Idea

The general idea is to make a USB-attachable dongle that, when plugged into an unlocked computer, sends a preprogrammed email message using the default email on that computer.  I’ve made a rough version; it does what I need it to, but the form factor is bad and I don’t have the tools handy to improve it.  I have plans for a fancier version, but I won’t have access to the necessary tools to make it until this weekend.

(Quick note: As is/will become obvious, this same overall design with different code could be used for a large number of entertaining and/or malicious purposes, so spend some time to think about what other fun stuff you can do with this once it’s built.  This could be used as a much more customizable version of Thinkgeek’s Phantom Keystroker, for example, or as the basis for an incredibly ghetto and insecure Yubikey.)

The core of the dongle is an Arduino microcontroller (if you aren’t familiar with Arduino, you can read the intro guide here).  It can be preprogrammed to take actions, such as reading or writing to I/O pins on the board, send and receive information over a serial connection to a computer, and (the part I’m interested in) if the Arduino is using the correct underlying chip, it can act as a USB keyboard and mouse.  It can’t easily read from the computer to see what’s currently going on, but if you can determine a series of keystrokes that’ll deterministically make something happen, you can easily program the Arduino to make it happen.

Code

The code for the dongle is very simple.  Here’s where I have it posted on GitHub.  It currently only supports sending through Outlook on Mac, as that’s what my computer does.  When it powers on, it waits a fraction of a second for everything to finish initializing, then uses Spotlight to switch over to Outlook, then uses keyboard shortcuts to create a new message, fill out the necessary fields, and then send it.  All told, it takes just a couple seconds.

The enhanced version will be housed inside a USB hub (the specific one I’m using is linked below).  The Arduino will use one of the ports that the hub provides, but the other three ports should still be functional.  In addition, the switches for those three ports will also be tied to digital inputs on the Arduino, to make it possible to provide 3 bits worth of input to the device.  I haven’t decided exactly what they’ll be used for (first I want to make sure I can actually get the Arduino properly wired in and reading them), but it’ll probably be one button to switch between Mac/Windows, one to switch possible email clients, and one to disable the actual send command, to make it safer to test.

A couple disclaimers about the code: There are a number of delay() steps scattered throughout.  If these steps don’t wait long enough, the input will outrun the machine and it (best case) won’t work properly or (worst case) will leave the machine and open programs in a weird state.  If these steps wait too long, it’s easy to interrupt and unplug the dongle before the message sends.  I have the delays tied to two constants declared at the top of the file so that they’re easy to adjust for debugging purposes.  The base values used seem to work the vast majority of the time on my computer; slower machines might need longer delays and faster machines might be able to handle shorter delays.

Components

ATmega32U4-based Arduino: Versions based on other chips (such as the ATmega328P) might not be able to easily act as a USB keyboard.  Here’s an Amazon link to the one I’m using.  It’s tiny enough to open up interesting packaging opportunities and cheap enough that it’s no big deal if I fry a couple.  Random note: The specific model I’m using needs to be treated as an Arduino Leonardo from the Arduino IDE.  This is mentioned in the description/comments on the Amazon listing, but is easy to miss.

-MicroUSB cable: You need to be able to connect the board to the computer somehow.  You probably have dozens of these lying around from other random gadgets.  If not, I used these ones as they’re cheap enough that destroying a couple is fine and because the branding matches the case I’m using.

-Discreet case: Not strictly necessary from a raw functional perspective, but useful, and this also opens up other interesting options.  I’m using this Sabrent USB hub because (as always) it’s cheap and it has just enough open space inside it to fit the Arduino I’m using.  In addition, the four switches seem useful to hijack as input devices.

Photos

Right now it’s literally just a one-foot MicroUSB cable plugged into an Arduino.  I’ll add pictures once(/if) I build the version that’s hidden inside a USB hub.

Advertisements

2 thoughts on “DED: Donut Email Dongle (part 1)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s