I see a lot of ads these days for fancy mechanical keyboards from numerous brands, but the thing I always wonder about is: how do we know these keyboards dont have keyloggers or other spying tech built into them?

  • MajorHavoc@programming.dev
    2·
    5 days ago

    For the first point I would imagine that relying on the host computer to transmit the data by opening cmd or powershell could work on Windows,

    Interesting point!

    When I tried before, I failed. (I am willing to go to some lengths to prank my friends, and I have certain relevant skills.)

    In theory, it can be done, but I haven’t come up with a way to do it subtly. The keyboard would have to openly launch the command shell, then type in the Invoke-WebRequest command, then type in the raw data to send, then submit and close the window.

    This can be done quickly on Windows, but it cannot be done quickly enough to be invisible, as far as I’m aware.

    (Edit: It also isn’t something the attacker wants to do quickly since going too fast can cause the computer to randomly miss inputs which could break a subtle command like a Invoke-WebRequest.)

    It also can’t easily be done in the middle of the night, since the user is likely to be logged out.

    Maybe a replay of the user’s login and password could work to login in the middle of the night. It would be risky and brittle, but I suppose it’s theoretically possible.

    At the moment, to my knowledge, this attack is pure science fiction. But I suppose if we can imagine a way for it to work, so could someone else.

    • desktop_user@lemmy.blahaj.zone
      1·
      5 days ago

      the USB suspend state could be used to detect when the computer is asleep which could help with getting the login credentials, but the attack would absolutely be tempermental and realistically just installing malware on the computer via the keyboard would be easier.

      • MajorHavoc@programming.dev
        2·
        4 days ago

        realistically just installing malware on the computer via the keyboard would be easier.

        Yeah. Opening a terminal and doing a web fetch to install some spyware is probably the most practical version of the potential attack.

        It would still, I think, be pretty noticable when it ran (just the first time).

        But you make a good point that the USB power state might a way to guess when the user is away.

        I think it could be done.

        For anyone reading along and worried, there’s still two bits of good news:

        1. If done at scale, I think this would get caught in the attempt often enough to make the evening news.
        2. The cost to install a chip this smart roughly doubles the manufacturing cost of the average keyboard. So it’s still not something a single bad actor at a manufacturer is likely to insert, today.
        3. There’s (probably) limited financial incentive on this one, while the average person’s data is already available for purchase - for cheap - online.