We can't trust manufacturers not to build keyboards with undetectable hardware keyloggers now and in the future because the NSA has plenty of money. I say this idea isn't new to them at all and I hope that people in the future will keep taking the different models apart to hack around.
Keyloggers inside everyone's keyboard could be useful to the NSA and FBI who could pay companies to bake them in. When you're suspected of a serious crime for example or you get into serious trouble, you could get your storage devices taken away. Encrypted or not, your keyboard could then reveal passwords if it's the correct model. This even breaks forward secrecy. These tiny computers inside keyboards meant to control light flashing, sound, card reading, and more could possibly also control which keys to record and what to throw away based on repetition... if the keylogger's space is limited. Keylogger functionality can be massive, they can use compression or run through the text file it generated over the years, keep one copy of repeated phrases, and throw away the rest. An attacker could possibly talk to your keyboard through your computer if it runs systemd or Windows assuming the interface to the keylogger can be that convenient.
[–] tame 19 points (+19|-0)
USB devices are a massive infection vector. There've been all sorts of hijinks like sending people promotional freebie mice which also present as keyboards and run keyboard commands when plugged in.
Take a look at these things: https://www.offensive-security.com/offsec/advanced-teensy-penetration-testing-payloads/
Basically if someone wants to get onto your system and is skilled enough, you won't stop them.
[–] Kal 5 points (+8|-3) (edited)
This is sort of what I figured. How is Linux going to give a fuck about anything a keyboard wants to do besides input keystrokes? M$ will probably play ball for what the NSA wants devices to do, but to my knowledge, open source doesn't give two shits about all these issues you guys on Windows are concerned with.
[–] 2716057 7 points (+8|-1)
This is not what they mean. Microsoft-branded keyboards and mice all use the same (lack of) encryption, so this device can snoop on the transmission between the keyboard and USB dongle.
The firmware you're using on your computer (Linux, OSX, BSD, etc.) is irrelevant. You could use a Microsoft keyboard on a Linux machine, and the Teensy would still pick it up.
[–] kltpzyxm (edited)
That's not at all how it works. If it reads as a generic USB device then it doesn't matter what operating system the host operating system uses, all commands will be passed and executed as though they're coming from a legitimate user typing away on the keyboard.
And as for the Teensy itself, it's pretty much the de facto standard for home brew keyboards and game controllers because there are several fully functional open source firmware packages available for it. It also works on all operating systems.
As for injecting data, all you have to do is spoof the real keyboard and the OS doesn't even realize there's a second transmitter.
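A defender's check for the behaviour discussed in the comments above (a mouse that also presents as a keyboard, and HID input being accepted regardless of host OS), as an added example that is not part of any poster's comment. It compares each device's USB interface descriptors against the role you expect from your own inventory; the role names, `ALLOWED` table and sample devices are constructed for illustration.

```python
HID_CLASS = 0x03       # USB class code: Human Interface Device
BOOT_SUBCLASS = 0x01   # HID boot-interface subclass
KEYBOARD, MOUSE = 0x01, 0x02  # boot-interface protocol codes

# What each expected role may legitimately expose. The role comes from your
# own inventory, not from the device's self-reported product string.
ALLOWED = {"keyboard": {KEYBOARD}, "mouse": {MOUSE},
           "combo": {KEYBOARD, MOUSE}, "storage": set()}

# Constructed sample: (expected role, [(class, subclass, protocol), ...]),
# i.e. bInterfaceClass/SubClass/Protocol from each interface descriptor.
SAMPLE_DEVICES = [
    ("keyboard", [(0x03, 0x01, 0x01)]),
    ("mouse", [(0x03, 0x01, 0x02), (0x03, 0x01, 0x01)]),    # mouse + keyboard
    ("mouse", [(0x03, 0x01, 0x02)]),
    ("storage", [(0x08, 0x06, 0x50), (0x03, 0x00, 0x00)]),  # storage + HID
    ("combo", [(0x03, 0x01, 0x01), (0x03, 0x01, 0x02)]),
]


def audit(devices):
    """Return (index, role, reason) for HID interfaces the role does not explain."""
    findings = []
    for index, (role, interfaces) in enumerate(devices):
        allowed = ALLOWED.get(role, set())
        for cls, sub, proto in interfaces:
            if cls != HID_CLASS:
                continue
            if sub == BOOT_SUBCLASS and proto == KEYBOARD:
                if KEYBOARD not in allowed:
                    findings.append((index, role, "unexpected keyboard interface"))
            elif sub != BOOT_SUBCLASS and not allowed:
                # Non-boot HID: its function is only visible in the report descriptor.
                findings.append((index, role, "HID interface on non-input device"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEVICES):
        print(finding)
```

A non-boot HID interface on a device that is expected to be an input device is not flagged here; deciding whether it can send keystrokes requires reading its HID report descriptor.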
[–] dabork 12 points (+12|-0)
Lol "look for keyloggers". What do you think it's going to look like? A big black box inside your keyboard that says "KEYLOGX 2.2.3" ?
If they do bother to install a hardware keylogger, it would look just like a boring circuit board that you would have no way of knowing isn't vital to the keyboard without extensive knowledge. Hell, they could probably just integrate it into the circuit board that already exists to interpret the keys you press, and aside from maybe an extra chip on the board, there would be nothing notable to see. More likely is that somebody, either the government or the manufacturer, slips a keylogger into the driver itself. Hardware keyloggers are easier to use because they don't require you to beat an anti-virus or user competency, but they only work until they are found and then they are permanently broken, they also come with much less deniability. If someone ever found a hardware keylogger in any major brand's keyboards, it would literally ruin them. But a software keylogger can always be written off as a virus or a compromised system like what happened with the Ubuntu ISOs that were posted on their official site and came with some pretty serious malware. A software keylogger is more difficult, but harder to fully remove because software can be self-replicating and constantly changing itself.
[–] Lopsid [S] 2 points (+2|-0) (edited)
My initial thought was anything with a chip is a candidate for inspection.
[–] DrBunsen 11 points (+11|-0)
So it is time for open hardware keyboards/mice.
[–] Lopsid [S] 6 points (+6|-0)
Yes Doctor. I believe this is the last step in total security and privacy. Although we'll still have to watch for unencrypted wireless, sound, and other noises or traces.
[–] [deleted] 2 points (+2|-0) (edited)
[–] DrBunsen 1 point (+1|-0)
Yeah, never trust the stuff you use.
And I am interested in an open keyboard, as I am in all open things. Thanks
[–] carlinco 7 points (+7|-0)
TBH, true security would only be possible if people started producing their own computers (and equipment to make them). Kind of like open source software, but with advanced 3d-printing.
But even then, it would not be difficult to fool someone by replacing an item with one that looks exactly the same, or by injecting something into the blueprints which would be hard to find (see how often this happens even to open source software under public scrutiny).
As it is, be vigilant, punish companies that get caught breaching your privacy by purchasing somewhere else, and take apart the stuff you quit using to find out at least after the fact if anyone is onto your secret stash of bitcoins...
[–] Firevine 6 points (+6|-0)
I guess I'll stick to these ancient keyboards I pick up second hand that I love so much.
[–] B3bomber
Downside: newer motherboards tend to not have PS/2 ports and only have USB ports. The newest one I have does not have any PCI slots, just PCI-E. There will come a point when that is no longer an option :(
[–] Firevine
I suppose I could use adapters, but DIN5 to USB are a pain in the ass, and who knows what might be installed onto those chipsets.
[–] Pawn 4 points (+4|-0)
Heh, I'd be more worried about that phone you carry around. Sends out a fuck ton of signals, wifi, bluetooth, cell. Has a GPS to track your ass. Doesn't even need GPS that much to triangulate your position. Plus most of the time it's hard to open and inspect. Put a keylogger there from the factory and cucks won't know, put a software keylogger and cucks won't know. Never trust anything factory made.
[–] jrfg1743 2 points (+2|-0)
https://theintercept.com/2015/08/26/way-gchq-obliterated-guardians-laptops-revealed-intended/
[–] Lopsid [S] 2 points (+2|-0)
Mother of fuck. Thanks for sharing.
TLDR video for the impatient.
[–] 5634059? 2 points (+2|-0) (edited)
You worry about targeted attacks when I think we all know the government isn't the threat. They can sift what they need from mass data collection or the blunt instrument of tossing your ass in jail for contempt of court.
The threat is someone with financial motivation to pull information. Data collection for advertising or the computer equivalent of a mass ATM skimmer.
That all ignores the greater threat. Not that someone would put in something secret to steal the data. No, the threat is that you'll agree to give it to them in exchange for a deal or discount. Look at the device Progressive puts in cars now. Or the data collection almost every service you sign up for makes you agree to.