Is bluetooth keyboard more secure than USB keyboard for a malicious firmware?

Question

There are some threads talking about Bluetooth keyboard security. But I have a different concern.

I will only need 4 keys from an external keyboard, Home/End/PageUp/PageDn keys. Because I use them a lot and my laptop keyboard has a bad design (no separate keys for them).

There are some programable 4 keys keyboard or Numpad Bluetooth keyboard in online shops. I am planning to buy one of them.

Because I only will use 4 keys from the external keyboard, I don't care if the 4 keys (Bluetooth connection) are sniffed (logged) by other hackers or not.

I have more concerns if the keyboard can have some malicious (trojan/backdoor) firmware built-in. With a USB connection, I think the keyboard can easily run some backdoor scripts (I might be wrong). So I am wondering if a Bluetooth keyboard is more secure than a USB keyboard in such a situation.

Answer 1

It doesn't matter whether the device is USB or Bluetooth, nor does it even matter if the device is a keyboard - the same potential attack vector applies. I'll focus on USB here since I'm more familiar with USB HID then I am Bluetooth device endpoints.

When a USB device is connected to the system, the host asks it for its descriptor. The descriptor is effectively a big block of data that tells the host what it's called, what USB features it supports, what interfaces and devices it implements. One physical USB device connected to one physical USB port may in fact report itself as multiple devices, each with its own functionality. This is how combo devices like keyboard/mouse or USB-C touchscreens work.

A malicious device could implement a USB HID (human interface device) keyboard alongside its "normal" functionality, and send whatever keys it likes to your system. This is how devices like the USB Rubber Ducky - they look like a USB stick or something else innocuous, but inside they've got a small microcontroller that implements a USB keyboard interface that you can program to send whatever keyboard strokes you like when you plug them in. A common payload is to hit the necessary keys to launch a run prompt, then execute commands that download a reverse shell script, giving the attacker complete control of the system.

You can take this one step further with something like the O.MG cable, which looks and acts just like a regular USB cable but actually lets you remotely send keystrokes over an 802.11 WiFi access point built into it. Same attack but with interactive control.

There's pretty much nothing you can do to prevent this attack, other than carefully auditing the USB devices that are exposed by the device, or perhaps implementing a USB device security policy on your system if the inconvenience isn't too great (it probably would be for general users).

The answer to "why isn't everyone freaking out about this" is that almost no attackers want to invest in costly and risky supply chain attacks on peripheral hardware unless there's a very high chance of getting high value returns. It's something that you need to consider in nation state infrastructure, but for corporate stuff you can get by with device lockdown policies and monitoring, and for home users there's basically no reason to waste this kind of attack.