I see a lot of ads these days for fancy mechanical keyboards from numerous brands, but the thing I always wonder about is: how do we know these keyboards don't have keyloggers or other spying tech built into them?

  • desktop_user
    5 days ago

    For the first point, I would imagine that relying on the host computer to transmit the data by opening cmd or PowerShell could work on Windows. However, the cost of adding the necessary intelligence into millions of keyboards would probably not be worth it, and the limited communication from the host to the keyboard would be a challenge (CapsLock, NumLock, ScrollLock).

    • MajorHavoc@programming.dev
      4 days ago

      > limited communication from the host to the keyboard would be a challenge (CapsLock, NumLock, ScrollLock).

      Yeah. That’s the part that makes me think no one is currently doing this at wide scale.

      Due to factors you mentioned and others, it feels like it would be brittle and prone to detection.

      And it’s interesting enough that it would be big news among cybersecurity and privacy nerds. So we would probably be hearing about it if someone was planting something like this into mass-market keyboards.

    • MajorHavoc@programming.dev
      5 days ago

      > For the first point, I would imagine that relying on the host computer to transmit the data by opening cmd or PowerShell could work on Windows,

      Interesting point!

      When I tried before, I failed. (I am willing to go to some lengths to prank my friends, and I have certain relevant skills.)

      In theory, it can be done, but I haven’t come up with a way to do it subtly. The keyboard would have to openly launch the command shell, then type in the Invoke-WebRequest command, then type in the raw data to send, then submit and close the window.

      This can be done quickly on Windows, but it cannot be done quickly enough to be invisible, as far as I’m aware.

      (Edit: It also isn’t something the attacker wants to do quickly, since going too fast can cause the computer to randomly miss inputs, which could break a subtle command like an Invoke-WebRequest.)

      It also can’t easily be done in the middle of the night, since the user is likely to be logged out.

      Maybe a replay of the user’s login and password could work to log in in the middle of the night. It would be risky and brittle, but I suppose it’s theoretically possible.

      At the moment, to my knowledge, this attack is pure science fiction. But I suppose if we can imagine a way for it to work, so could someone else.

      • desktop_user
        5 days ago

        The USB suspend state could be used to detect when the computer is asleep, which could help with getting the login credentials, but the attack would absolutely be temperamental, and realistically just installing malware on the computer via the keyboard would be easier.

        • MajorHavoc@programming.dev
          4 days ago

          > realistically just installing malware on the computer via the keyboard would be easier.

          Yeah. Opening a terminal and doing a web fetch to install some spyware is probably the most practical version of the potential attack.

          It would still, I think, be pretty noticeable when it ran (just the first time).

          But you make a good point that the USB power state might be a way to guess when the user is away.

          I think it could be done.

          For anyone reading along and worried, there’s still two bits of good news:

          1. If done at scale, I think this would get caught in the attempt often enough to make the evening news.
          2. The cost to install a chip this smart roughly doubles the manufacturing cost of the average keyboard. So it’s still not something a single bad actor at a manufacturer is likely to insert, today.
          3. There’s (probably) limited financial incentive on this one, while the average person’s data is already available for purchase - for cheap - online.
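
The thread's scenario, a keyboard that opens a shell and types an Invoke-WebRequest command by itself, leaves a timing signature a defender can check for. The sketch below is an added example, not code from any commenter: it flags keystroke bursts that are either faster than a person types or spaced too evenly, so a slowed-down scripted burst is still caught. The thresholds, the `(timestamp_ms, key)` event format, and the sample data are assumptions constructed for illustration.

```python
"""Flag keystroke bursts that look machine-typed (constructed thresholds, tune per site)."""
from statistics import mean, pstdev

MIN_BURST = 8         # keystrokes needed before a run is judged (assumption)
MAX_MEAN_MS = 35.0    # sustained typing faster than this is unlikely to be human (assumption)
MAX_JITTER_MS = 4.0   # scripted typing has near-constant spacing (assumption)
GAP_MS = 500.0        # a pause this long ends a burst (assumption)

def split_bursts(events):
    """events: list of (timestamp_ms, key). Yield runs of events separated by long pauses."""
    burst = []
    for ev in events:
        if burst and ev[0] - burst[-1][0] > GAP_MS:
            yield burst
            burst = []
        burst.append(ev)
    if burst:
        yield burst

def suspicious_bursts(events):
    """Return (start_ms, text, mean_gap_ms, jitter_ms) for bursts too fast or too regular."""
    hits = []
    for burst in split_bursts(events):
        if len(burst) < MIN_BURST:
            continue
        gaps = [b[0] - a[0] for a, b in zip(burst, burst[1:])]
        m, j = mean(gaps), pstdev(gaps)
        if m < MAX_MEAN_MS or j < MAX_JITTER_MS:
            text = "".join(key for _, key in burst)
            hits.append((burst[0][0], text, round(m, 1), round(j, 1)))
    return hits

def make_events(start_ms, text, gaps):
    """Build constructed sample events: one per character, cycling through the given gaps."""
    t, out = start_ms, []
    for i, ch in enumerate(text):
        if i:
            t += gaps[(i - 1) % len(gaps)]
        out.append((t, ch))
    return out

# Constructed sample: human typing, then a slow-but-uniform burst, then a fast burst.
HUMAN_GAPS = [140, 95, 210, 120, 180, 90, 160, 130, 110, 200, 150, 100]
HUMAN = make_events(0, "dear team, hi", HUMAN_GAPS)
SAMPLE = (HUMAN + make_events(10_000, "powershell", [60])
          + make_events(20_000, "Invoke-WebRequest", [10]))

if __name__ == "__main__":
    for hit in suspicious_bursts(SAMPLE):
        print(hit)
```

On a real host the events would come from whatever keystroke-timing source is available there; a device that randomizes its delays defeats the jitter check, so this complements USB device allow-listing and does not replace it.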