4

I am looking to buy a small mechanical keyboard for on the go and to use it with various office computers. The ones I like are the Ducky Mini and KBParadise V60. The former has an ARM Cortex-M3 processor embedded which can even receive firmware updates. I have not found anything on the latter.

With the Bad USB issues in mind where USB sticks can receive a bad firmware that does malicious things with the data, I am a little cautious. The Ducky Mini is probably updated using some Windows tool and I have not read anything about security.

It seems to me that anyone could write an “update” for this keyboard and turn it into a keylogger. Is any keyboard with a sufficient processor a security risk? Would an employer be unhappy if I bring that keyboard to work?

On the other hand, are normal keyboards simple enough to prevent such an attack? If I buy the other one, can I feel on the safe side?

Martin Ueding
  • Attacking your keyboard would require physical access to the keyboard, or a previously compromised computer to perform an attack on.

    Any attacker that has physical access to your keyboard could replace it with an identical model with a keylogger embedded in it. Unless you work for the NSA, I don't think an employer would blink twice about the security of a keyboard.

    – Steve Sether Sep 22 '15 at 20:43
  • 1
    I worked for DLR and their IT security documents say that no personal peripherals may be used at their computers without clearance. They are a German public/private research institute, which I think is still far away from intelligence agencies. There was somebody who built a USB drive into a gaming mouse and gave that to one of the employees as a gift. The thing eventually phoned home, so there seems to be a risk of rogue hardware. – Martin Ueding Sep 22 '15 at 21:36
  • Yes, there are very paranoid people out there that think making policies will get you security. I think even now this level of paranoia is the exception, and not the rule. Security departments too often think security is about controlling an environment, which is increasingly impossible, rather than controlling access to sensitive information, which is far easier. – Steve Sether Sep 23 '15 at 14:43
  • As a clarification: The thing with the USB mouse was not related to DLR at all. It was just something that came to my mind while I wrote the comment about my experience at DLR. – Martin Ueding Sep 23 '15 at 18:31

1 Answer

6

The important question is: where has the keyboard been?

Basically, if the keyboard is new and fresh from the factory, then it is about as safe as such things can be. If such a keyboard has been infected with a keylogger, then it was done in the factory and you cannot realistically prevent such a thing anyway. It is up to you to not allow infection to occur afterwards; i.e., don't plug your keyboard into unknown computers.

If the keyboard has been used elsewhere by potentially malicious people, then tough luck. I would advise against buying a second-hand keyboard.

Tom Leek
  • Does that hold generally for any keyboard or only for ones like the Ducky Mini? If the Ducky Mini is no more insecure than others, I can as well use that one. I intend to take this keyboard most places and use it at other computers, perhaps not every computer but especially the workplace. – Martin Ueding Sep 22 '15 at 20:03
  • A hardware-based keylogger could be planted in any keyboard. For an attack that does not involve a screwdriver (e.g. something that happens discreetly when you plug the keyboard in a malware-infected machine), the keyboard is theoretically vulnerable if it has a firmware that can be updated over the wire, and that covers about all USB keyboards nowadays (at least you cannot make sure that there is no update procedure in a given keyboard). The "Ducky Mini" is not intrinsically worse here. A PS/2 (non-USB) keyboard is probably safe, but modern machines may not have a PS/2 port. – Tom Leek Sep 22 '15 at 20:45
  • «The “Ducky Mini” is not intrinsically worse here» Okay, that sounds good in the sense that I can buy whatever I like. It does sound bad for the general shape that our hardware is in. Does a USB-PS/2 adapter prevent such a USB attack? – Martin Ueding Sep 22 '15 at 21:01
  • @MartinUeding - a PS2 mouse is not vulnerable but if the USB adapter has upgradeable firmware on it that could be vulnerable – Neil Smithline Sep 22 '15 at 21:42
  • Slightly off-topic, but an interesting read which shows the ease with which keyboard firmware can be modified: https://spritesmods.com/?art=rapidisnake – Cosmic Ossifrage Sep 24 '15 at 09:33
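
A defender-side check related to the thread above, added here as an example and not code from any of the posters: it walks a device's raw USB descriptors and reports when something that declares itself a keyboard also declares a mass-storage function (the "USB drive in a mouse" case) or a standard DFU firmware-update interface. The function names and all sample bytes are constructed for illustration.

```python
# Added example: parse raw USB descriptors and flag functions a keyboard should not need.
# Class codes are from the USB-IF class list; all sample bytes are constructed.
HID, MASS_STORAGE, APP_SPECIFIC = 0x03, 0x08, 0xFE

def interfaces(blob: bytes):
    """Walk length-prefixed descriptors; yield (class, subclass, protocol) per interface."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i] < 2 or i + blob[i] > len(blob):
            raise ValueError(f"malformed descriptor at offset {i}")
        length, dtype = blob[i], blob[i + 1]
        if dtype == 0x04 and length >= 9:          # INTERFACE descriptor
            yield tuple(blob[i + 5:i + 8])         # bInterfaceClass/SubClass/Protocol
        i += length

def findings(blob: bytes):
    """Return human-readable warnings for a device that declares a keyboard."""
    ifs = list(interfaces(blob))
    out = []
    is_keyboard = any(c == HID and p == 0x01 for c, _, p in ifs)
    if is_keyboard and any(c == MASS_STORAGE for c, _, _ in ifs):
        out.append("keyboard also exposes mass storage")
    if is_keyboard and any(c == APP_SPECIFIC and s == 0x01 for c, s, _ in ifs):
        out.append("DFU firmware-update interface present")
    return out

def config(*functions: bytes) -> bytes:
    """Build a constructed configuration descriptor around the given functions."""
    body = b"".join(functions)
    total = 9 + len(body)
    return bytes([9, 0x02, total & 0xFF, total >> 8, len(functions), 1, 0, 0xA0, 50]) + body

# Constructed samples: interface descriptor followed by its class/endpoint descriptors.
KBD = bytes([9, 4, 0, 0, 1, 0x03, 1, 1, 0,  9, 0x21, 0x11, 1, 0, 1, 0x22, 65, 0,
             7, 5, 0x81, 3, 8, 0, 10])
MSC = bytes([9, 4, 1, 0, 2, 0x08, 6, 0x50, 0,  7, 5, 0x82, 2, 64, 0, 0,
             7, 5, 0x02, 2, 64, 0, 0])
DFU = bytes([9, 4, 2, 0, 0, 0xFE, 1, 1, 0,  9, 0x21, 0x0B, 0xFF, 0, 0, 4, 0x10, 1])

PLAIN = config(KBD)
COMPOSITE = config(KBD, MSC, DFU)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("composite", COMPOSITE)):
        print(name, findings(blob) or "nothing unexpected declared")
```

On Linux the same walker can be fed the bytes of `/sys/bus/usb/devices/<device>/descriptors`. A clean result only reflects what the firmware chooses to declare, so, as the comment above notes, it cannot show that a keyboard has no update procedure.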