Suppose you're buying a new keyboard (say USB-wired, but consider Bluetooth connected as well) from Ebay. Is it risky to use that keyboard in a sense that it could be more than just a keyboard?
Thinking of USB rubber ducky (see also here) which is a USB pen drive that registers as a keyboard and can send arbitrary keystrokes I can similarly imagine a keyboard that logs every single keystroke and then - perhaps after a while of inactivity - changes its mode to USB mass storage and with the help of some auto-run or thumbnail parser exploit sends all the logged key strokes to some malicious server, potentially leaking all the logins and passwords that were typed on that keyboard.
So my question is about both USB and Bluetooth connected keyboards and whether such scenarios are realistic hence implying a security risk of using unknown / untrusted keyboards (obtained from third parties).