
Suppose you're buying a new keyboard (say USB-wired, but consider Bluetooth-connected as well) from eBay. Is it risky to use that keyboard, in the sense that it could be more than just a keyboard?

Thinking of the USB Rubber Ducky (see also here), which is a USB pen drive that registers as a keyboard and can send arbitrary keystrokes, I can similarly imagine a keyboard that logs every single keystroke and then - perhaps after a while of inactivity - changes its mode to USB mass storage and, with the help of some auto-run or thumbnail parser exploit, sends all the logged keystrokes to some malicious server, potentially leaking all the logins and passwords that were typed on that keyboard.

So my question is about both USB and Bluetooth-connected keyboards and whether such scenarios are realistic, hence implying a security risk of using unknown / untrusted keyboards (obtained from third parties).

a_guest

1 Answer


I think you have answered your own question :) Purchasing hardware from any untrusted supplier carries risks. The company I work for has a designated hardware supplier for peripherals (and other hardware) to help mitigate against this risk (amongst other controls).

There have been incidents before where keyloggers have been installed on keyboards, see https://thehackernews.com/2017/05/hp-audio-driver-laptop-keylogger.html

Avoid if possible, and if you are unable to avoid it, then make sure you have the necessary security controls on the device before plugging in; better to be safe than sorry.

CyberGav
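
A defensive check for the scenario in the question, added here as an example that is not part of the original question or answer: it flags a device that enumerates as a keyboard but also exposes non-HID interfaces, and a port where a keyboard later re-enumerates with different interface classes. The record layout, port names and vendor:product IDs are constructed assumptions; only the USB class codes (0x03 HID, 0x08 mass storage) are standard values.

```python
# Added example: audit USB enumeration records for keyboards that are "more
# than a keyboard". Triples are bInterfaceClass/SubClass/Protocol in hex.
HID = 0x03
BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # HID class, boot subclass, keyboard protocol

def parse_interfaces(field):
    """Parse ':030101:080650:' into [(class, subclass, protocol), ...]."""
    triples = []
    for item in filter(None, field.split(":")):
        if len(item) != 6:
            raise ValueError(f"bad interface triple: {item!r}")
        triples.append(tuple(int(item[i:i + 2], 16) for i in (0, 2, 4)))
    return triples

def audit(events):
    """Return (timestamp, port, vid_pid, reason) findings for the events."""
    findings = []
    keyboard_ports = {}  # port -> interface classes the keyboard last showed
    for ts, port, vid_pid, field in events:
        triples = parse_interfaces(field)
        classes = frozenset(t[0] for t in triples)
        is_keyboard = BOOT_KEYBOARD in triples
        # Check 1: a keyboard that also carries a non-HID function.
        extra = sorted(c for c in classes if c != HID)
        if is_keyboard and extra:
            names = ",".join(f"0x{c:02x}" for c in extra)
            findings.append((ts, port, vid_pid, f"keyboard with extra classes {names}"))
        # Check 2: a port that held a keyboard now shows other classes,
        # i.e. the mode switch described in the question.
        previous = keyboard_ports.get(port)
        if previous is not None and classes != previous:
            findings.append((ts, port, vid_pid, "keyboard port changed interface set"))
        if is_keyboard:
            keyboard_ports[port] = classes
        else:
            keyboard_ports.pop(port, None)
    return findings

# Constructed sample records: (seconds, port, vendor:product, interfaces).
SAMPLE_EVENTS = [
    (100, "1-2", "1111:0001", ":030101:030000:"),  # keyboard + media keys
    (160, "1-3", "2222:0002", ":030101:"),         # plain keyboard
    (900, "1-3", "2222:0002", ":080650:"),         # same port, now mass storage
    (950, "1-4", "3333:0003", ":030101:080650:"),  # keyboard + mass storage
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

Unplugging a keyboard and inserting a flash drive in the same port also triggers the second check, so treat a finding as a prompt to investigate. Bluetooth keyboards are not covered by this check.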