20

I am looking to build a custom keyboard and bring it to work, but the security department is extremely wary of keyloggers, and rightly so. Now, my understanding of hardware keyloggers is that they are either USB adapters or additional PCBs wired into keyboards, and since I am not planning on wiring a keylogger into my own keyboard I feel as though I should be safe. However, the keyboard PCB I have is from some lesser-known Chinese distributor, so I am now concerned that the PCB itself may contain keylogging software.

Is this possible, or is a secondary PCB required for keylogging capabilities?

darkmnemic
  • Is it possible, yes. Is it unlikely, also yes. Manufacturers of such devices want to keep costs to a minimum so they wouldn't want to implement the extra hardware for such a functionality. To exfiltrate the data you'll need the keyboard to act like a bash bunny or similar, which would drive up costs. Unless you're a high priority target, there are easier and cheaper ways to keylog people. – limeeattack Feb 10 '20 at 14:59
  • You could always hand-wire your board instead of using a PCB if you really, _really_ wanted to :) – Joshua Murphy Feb 10 '20 at 15:16
  • @JoshuaMurphy - if this weren't my first foray into DIY electronics I may attempt it, but I think I'll see how this one goes first :) – darkmnemic Feb 10 '20 at 15:31
  • @darknemic Totally. I'm mostly joking, and after commenting I realized that there is probably still going to need to be some kind of circuit that accepts all of the wiring and adapts it to USB. Maybe it could be possible to find a PCB or pre-built board that the IT team would accept, and you could create your build around that. Again, not a great option, and certainly limits your creativity, but I think that is likely what I would do in that situation. – Joshua Murphy Feb 10 '20 at 15:35
  • @JoshuaMurphy Asking the security team to approve the PCB ahead of time is something I haven't considered, maybe I'll give that a try. None of the parts are ordered yet, so now's the time. And I'm not opposed to modifying a pre-built board, but that takes some of the fun out of it imo. – darkmnemic Feb 10 '20 at 15:39
  • What is the problem you intend to fix? If it is "build a keyboard", you can do this without "bringing it to work". If it is "I need a special keyboard at work", you may need to find one that is IT approved and have them buy it for you, or you'll need to give them your (own) keyboard schematics and have them build it for you (... unlikely, and they will have to find out reliable boards and PCBs.. but it may happen?). – Olivier Dulac Mar 02 '20 at 16:16

2 Answers

27

The answer that you don't really want is that keyloggers can be very stealthily incorporated into pretty much anything:

  1. Keyboard with integrated keylogger: https://www.paraben-sticks.com/keyboard-keylogger.html

  2. Less savoury keylogger found in retail keyboard, sending keystrokes back: https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html

  3. Wi-Fi keylogger in a USB extension cord: https://www.amazon.co.uk/AirDrive-Forensic-Keylogger-Cable-Pro/dp/B07DCCBBHT

  4. QMK, the firmware used on many handmade keyboards, is fully programmable. Many keyboards use quite sophisticated CPUs (QMK supports e.g. Atmel AVR and ARM processors). Adding an SD card to a mainboard is quite easy.

All of this is fairly irrelevant, because you're approaching the issue from the wrong direction:

> since I am not planning on wiring a keylogger into my own keyboard I feel as though I should be safe

This is assuming that the threat model that IT Security are working with is you being an unassuming victim to something like the second link. The more probable route is assuming that you are a potentially malicious insider, and aiming to use a stealthed keylogger, coupled with standard business practices ("Hey, {Admin}, I need this totally legitimate software, can you just enter your credentials to install it?").

While the first option is something to protect from, the second may also be considered. Luckily for the IT Security team, the solution is simple: known and approved keyboards are the only ones to be used.

Unfortunately, this isn't good for your prospects on this.

Jens
Jozef Woods
  • It would be more accurate to say "sending keystroke *counts* back". It's still a terrible evil device, but that better conveys the idea of a very poorly thought out highly intrusive idea by Mantistek, rather than obviously attempting to directly steal your passwords. – Peter Cordes Feb 17 '20 at 03:55
4

Yeah, with physical access, keyloggers and other information tappers can be installed into pretty much anything. Cost isn't usually a big concern for people who really want to do this. The Chinese Communist government funds entire laboratories and mercenaries to specialize in this sort of thing, and with control of mass production infrastructure, the cost per unit can be driven extremely low.

pygosceles