Range Rover Welcome Pack uses an interesting but scary USB trick. #rangerover

As they normally do, Land Rover sends the personalized Roadside Assistance card shortly after taking delivery of a vehicle.  This time it arrived in a sliding package with an interesting addition.DSC_2327

DSC_2330

On the right is the standard Roadside Assistance card, actually the back of the card. 

On the left is the new addition (or new for me at least).

DSC_2331

DSC_2332

DSC_2333

Offering to allow me to create a photo mosaic, I figured it was either a program on the USB key or just a bunch of pictures – similar to how they’ve been doing their press packs lately.  So I plugged it in and saw an unexpected sequence – running Windows 7, I saw the Run box appear, text was entered automatically (http://vcgw.net/****/*******, I substituted the asterisks) and then my browser appeared on the web page listed on that card.  What I found odd was that there was no prompt, no autorun box(which is actually blocked) – just a Run dialog, text entered and a browser window.  So I dug a little deeper into Device Manger:

Untitled-1

And there it was under HIDs – USB Input Device.  I hadn’t seen one of these before but it’s a very interesting idea – it pretends it’s a keyboard and just enters in the commands directly as if they were being typed.  And while being neat, this could also be very, very dangerous – it’s like letting someone sit right at your keyboard.  And yes, I did have to plug it in but what if someone was able to hack that intermediate address that the USB device plugs in and instead of it redirecting to www.landroverusa.com/welcomerr it automatically brought up something much more malicious?  The actual companies being marketed have to trust that the vcgw.net domain stays legit because if they go out of business and someone plugs this into their computer, who know where it would take them and without any prompting.

Upon further searching, it looks like American Express & others have used the same device for their marketing as well – all with the vcgw.net redirection service.

Again, neat idea but maybe a little over done.