I see a lot of ads these days for fancy mechanical keyboards from numerous brands, but the thing I always wonder about is: how do we know these keyboards dont have keyloggers or other spying tech built into them?
Well, you don’t. But let’s think about it. The micro controller in it could easily log your keys. But logging data without retrieving it is rather useless. Either the keyboard itself has hardware to send out the data or it sends the data via your computer. The first one is absurd, what is that supposed to be, a satellite connection? The second one is not any different from having any old keylogger installed on your computer. The keyboard does the first step of collecting the keystrokes but every keyboard does that. The program does the second step of sending the data out over the internet but every keylogger does that. So could the software bundled with it be a keylogger? Sure but probably not. Making a whole company and production line with a product just to distribute a keylogger is quite overkill and risky when found out. With this line of thinking any software you install could be a keylogger, which it can be but is probably not the case. In short, there is nothing special about a keyboard that makes it more likely to be a keylogger than any other device or software. If you are somehow paranoid about this you can build your own keyboard and flash your own firmware to its micro controller. I did that but not for the reason of keyloggers, I just wanted to design and build my own keyboard.
If you are somehow paranoid about this you can build your own keyboard and flash your own firmware to its micro controller.
This is the correct answer, if that’s something that concerns a person. This would virtually guarantee privacy, and it’s not unlike the impetus behind open source hardware/software.
But like you said, there’s no reason a company would go through the trouble of production, unless they thought that they would get a payout from it before getting caught (and that’s a big gamble for operating out in the open like that).
Also I would imagine many computers could or would detect many instances of illicit Keyloggers trying to send out data without permission
Map usage times for a week.
In the middle of a non usage time type the string of characters that are first typed at the start of usage time.
Then open a browser using keyboard shortcuts (does Win+R open a browser in Windows if you type a URL in?) , type a URL, type in all learned username password combos, close browser using keyboard shortcuts.
Then open a browser using keyboard shortcuts (does Win+R open a browser in Windows if you type a URL in?) , type a URL, type in all learned username password combos, close browser using keyboard shortcuts.
Yeah. That could work.
I think it would get detected by many modern antivirus solutions, but it could work.
That’s a good point. This kind of scripted data exfiltration triggers alerts in modern antivirus.
You buy a board that supports QMK or another open source firmware, compile it yourself, and install it on your keyboard.
What you should be worried about more than a keylogger is that most 2.4 GHz wireless keyboards can have the keystrokes sniffed through the air. Bluetooth will be encrypted though.
how do we know these keyboards dont have keyloggers or other spying tech built into them?
We don’t know, but there’s lots of factors that can give peace of mind:
-
Exfiltrating data from a keyboard is incredibly difficult. Once a device identifies itself to the computer over USB as a keyboard, it has very limited options for how it can interact with the computer.
-
The best way to spy on a keyboard is a physical keylogger, occasionally physically removed and swapped with another. Another great option could be something Bluetooth, with some cleverness to hide the Bluetooth signal until needed. These involve both a substantial challenge to deliver the keyboard and then regularly get within a few feet of the keyboard. Great for lab environments or a desk job. Not much use besides.
-
For anything beyond that, a cellphone radio or satellite connection is needed, which carries substantial ongoing monthly costs.
Overall, none of the above solutions is well suited to widescale surveillance.
- Thankfully(?), most people will install any stupid App, and many apps can just turn on the microphone anytime and record. So, there’s much easier solutions for our surveillance happy corporate overload class to spy on most of us.
With all that said - yes - as others have said - a custom keyboard assembled from a kit, yourself, and flashed with a custom ROM, addresses all of this, if you’re still worried. There’s lots of such keyboard kits for around $300.00.
For the first point I would imagine that relying on the host computer to transmit the data by opening cmd or powershell could work on Windows, however the cost of adding the necessary intelligence into millions of keyboards would probably not be worth it and the limited communication from the host to the Keyboard would be a challenge (capslock, NumLock, Scrollock).
limited communication from the host to the Keyboard would be a challenge (capslock, NumLock, Scrollock).
Yeah. That’s the part that makes me think no one is currently doing this at wide scale.
Due to factors you mentioned and others, it feels like it would be brittle and prone to detection.
And it’s interesting enough that it would be big news among Cybersecurity and Privacy nerds. So we would probably be hearing about it if someone was planting something like this into mass market keyboards.
For the first point I would imagine that relying on the host computer to transmit the data by opening cmd or powershell could work on Windows,
Interesting point!
When I tried before, I failed. (I am willing to go to some lengths to prank my friends, and I have certain relevant skills.)
In theory, it can be done, but I haven’t come up with a way to do it subtly. The keyboard would have to openly launch the command shell, then type in the Invoke-WebRequest command, then type in the raw data to send, then submit and close the window.
This can be done quickly on Windows, but it cannot be done quickly enough to be invisible, as far as I’m aware.
(Edit: It also isn’t something the attacker wants to do quickly since going too fast can cause the computer to randomly miss inputs which could break a subtle command like a Invoke-WebRequest.)
It also can’t easily be done in the middle of the night, since the user is likely to be logged out.
Maybe a replay of the user’s login and password could work to login in the middle of the night. It would be risky and brittle, but I suppose it’s theoretically possible.
At the moment, to my knowledge, this attack is pure science fiction. But I suppose if we can imagine a way for it to work, so could someone else.
the USB suspend state could be used to detect when the computer is asleep which could help with getting the login credentials, but the attack would absolutely be tempermental and realistically just installing malware on the computer via the keyboard would be easier.
realistically just installing malware on the computer via the keyboard would be easier.
Yeah. Opening a terminal and doing a web fetch to install some spyware is probably the most practical version of the potential attack.
It would still, I think, be pretty noticable when it ran (just the first time).
But you make a good point that the USB power state might a way to guess when the user is away.
I think it could be done.
For anyone reading along and worried, there’s still two bits of good news:
- If done at scale, I think this would get caught in the attempt often enough to make the evening news.
- The cost to install a chip this smart roughly doubles the manufacturing cost of the average keyboard. So it’s still not something a single bad actor at a manufacturer is likely to insert, today.
- There’s (probably) limited financial incentive on this one, while the average person’s data is already available for purchase - for cheap - online.
-
Not to freak you out but I think Lemmy is a keylogger too.
I am definitely a Keylogger
Cause you make way way more money selling at most 100k mechanical keyboards (that are usually designed and made in china so it costs 20 cents to make it and you sell it for 60 dollars) than it would be hoping enough of those 100k people have data valuable enough to steal.
Also depends from brand to brand. You know Logitech/Razer etc are gonna squeeze whatever they can out of you while selling crappy overpriced products.
