MajorHavoc @ MajorHavoc @programming.dev

Posts

8

Comments

1,990

Joined

2 yr. ago

They're already pretty rare, and likely to be in demand my hobbyists, I think?

Shaolin Soccer is the greatest masterpiece ever created with film.

realistically just installing malware on the computer via the keyboard would be easier.

Yeah. Opening a terminal and doing a web fetch to install some spyware is probably the most practical version of the potential attack.

It would still, I think, be pretty noticable when it ran (just the first time).

But you make a good point that the USB power state might a way to guess when the user is away.

I think it could be done.

For anyone reading along and worried, there's still two bits of good news:

1. If done at scale, I think this would get caught in the attempt often enough to make the evening news.
2. The cost to install a chip this smart roughly doubles the manufacturing cost of the average keyboard. So it's still not something a single bad actor at a manufacturer is likely to insert, today.
3. There's (probably) limited financial incentive on this one, while the average person's data is already available for purchase - for cheap - online.

Then open a browser using keyboard shortcuts (does Win+R open a browser in Windows if you type a URL in?) , type a URL, type in all learned username password combos, close browser using keyboard shortcuts.

Yeah. That could work.

I think it would get detected by many modern antivirus solutions, but it could work.

That's a good point. This kind of scripted data exfiltration triggers alerts in modern antivirus.

limited communication from the host to the Keyboard would be a challenge (capslock, NumLock, Scrollock).

Yeah. That's the part that makes me think no one is currently doing this at wide scale.

Due to factors you mentioned and others, it feels like it would be brittle and prone to detection.

And it's interesting enough that it would be big news among Cybersecurity and Privacy nerds. So we would probably be hearing about it if someone was planting something like this into mass market keyboards.

For the first point I would imagine that relying on the host computer to transmit the data by opening cmd or powershell could work on Windows,

Interesting point!

When I tried before, I failed. (I am willing to go to some lengths to prank my friends, and I have certain relevant skills.)

In theory, it can be done, but I haven't come up with a way to do it subtly. The keyboard would have to openly launch the command shell, then type in the Invoke-WebRequest command, then type in the raw data to send, then submit and close the window.

This can be done quickly on Windows, but it cannot be done quickly enough to be invisible, as far as I'm aware.

(Edit: It also isn't something the attacker wants to do quickly since going too fast can cause the computer to randomly miss inputs which could break a subtle command like a Invoke-WebRequest.)

It also can't easily be done in the middle of the night, since the user is likely to be logged out.

Maybe a replay of the user's login and password could work to login in the middle of the night. It would be risky and brittle, but I suppose it's theoretically possible.

At the moment, to my knowledge, this attack is pure science fiction. But I suppose if we can imagine a way for it to work, so could someone else.

how do we know these keyboards dont have keyloggers or other spying tech built into them?

We don't know, but there's lots of factors that can give peace of mind:

1. Exfiltrating data from a keyboard is incredibly difficult. Once a device identifies itself to the computer over USB as a keyboard, it has very limited options for how it can interact with the computer.
2. The best way to spy on a keyboard is a physical keylogger, occasionally physically removed and swapped with another. Another great option could be something Bluetooth, with some cleverness to hide the Bluetooth signal until needed. These involve both a substantial challenge to deliver the keyboard and then regularly get within a few feet of the keyboard. Great for lab environments or a desk job. Not much use besides.
3. For anything beyond that, a cellphone radio or satellite connection is needed, which carries substantial ongoing monthly costs.

Overall, none of the above solutions is well suited to widescale surveillance.

4. Thankfully(?), most people will install any stupid App, and many apps can just turn on the microphone anytime and record. So, there's much easier solutions for our surveillance happy corporate overload class to spy on most of us.

With all that said - yes - as others have said - a custom keyboard assembled from a kit, yourself, and flashed with a custom ROM, addresses all of this, if you're still worried. There's lots of such keyboard kits for around $300.00.

Nested tables is the best I can do...

Voice of Ron Howard: There were too many to choose..

Edit: This reminded me of another favorite running gag:

The Hacker in Leverage names everything after references to other shows. The fake IDs he creates are frequently less known Doctor Who or Star Trek actors.

And the Hacker's van is named Lucille. Which I thought might be a nod to Arrested Development, until...

Lol. He knows how to get off of the list. If anyone can donate fast enough to outrun a make believe magic book, he can.

You're welcome!

I hit one of them and thought "Huh. I would have liked to be surprised by that bit."

If you're referring to "carve out", then nope. See Carve Out Legal Meaning

Yes, with lots of carve outs:

• Un-aquited criminals who have not served their time have no right to be forgotten
• Public personalities who wish to remain public personalities don't get to have it both ways
• Within reason, binding contracts entered into without coercion should remain binding, maintaing existing contract escape mechanisms.

Otherwise, for the rest of us, I do think we should have a right to be forgotten.

FYI, for those who care - unlike a typical review, this article drops substantial plot spoilers without warning.

You've perfectly summarized my own feelings toward the best versions of Windows. Thank you. I feel more centered seeing it summarized so well in writing.

I'll add that I found Vista cool and interesting on a technical level, even while the practical outcome was pretty awful.

Ooh. Interesting. Thanks. Might need to revisit. See if we can compete with office chairs, after all. Lol.

Exactly.

That's a delight!

Here's a helpful companion - MegaMan Box Art Image Collection

Do I detect a divide by zero joke? Nice!