18 comments

[ 3.4 ms ] story [ 56.0 ms ] thread
Read the original posts and saw the package capture screenshot. It seems like it sends stats on how many keypresses there are on a key-by-key basis, not an actual keylogger (ie it doesn't send the content of what you sent).

It sends this in cleartext over http, not https. Again, not the content of what you type, so your url+user/pw is not sent (at least not according to what is known now).

why does it send anything at all?
Doesn't sound a whole lot better. Some diffs against normal character frequency would probably make cracking passwords easier. At the very least, you get a list of characters not to use in a brute force search.
To be clear, if they're sending real-time updates on the keypress counts of each key, it's quite simple to map that to a traditional key logger (ie, the contents of what you typed).
Was it confirmed realtime though? Could have been batched, which makes it harder to reconstruct what was typed.

Even that's a step too far though, but clarification can help draw the line between careless and malicious.

Not exactly just against cheap gadgets - remember the Connexant keylogger from earlier this year? It seems to be a common thing for driver developers to log keypresses for development purposes yet fail to disable that functionality in release... easiest fix? Don't install closed source drivers for 3rd party hardware.

https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogge...

That's the easiest fix unless it's hardware you need, or it's your work computer, or or or or...
Keyboards, sound cards will work great without any special drivers typically.
If it's your work computer then all bets are off. It's your employer's privacy at stake, not yours. Moreover you shouldn't ever consider your activity on your work computer "private" since your employer can and probably does monitor your usage.
That’s all true. I’m just saying it’s not always practical to avoid closed source code.
> These days, most products are made in China, but usually some other local company acts as an intermediary to ensure that the product is developed to specification and without other "features" that shouldn't be there. However, this additional protection goes out of the window when people decide to purchase directly from Chinese manufacturers via Chinese marketplaces.

Come on, it's not like American manufacturers are a paragon of user privacy, was this jingoistic jab necessary?

"Obscure manufacturer screws up" doesn't imply "Chinese engineers are completely worthless".

You can sue an importer or distributor, you can't (reasonably) sue a local Chinese company. I'm not sure this attitude has to be jingoistic or irrational.
Indeed, just Google "Windows 10 keylogger" and see what Microsoft put in the OS itself...

Some "obscure manufacturer" collecting this information gets a "warning" article, yet Microsoft, who is probably collecting the same if not even more detailed information about what you type and everything else, generated plenty of "telemetry is good for you" articles instead? Something doesn't seem right here...

I don't know through what kind of mental gymnastics you managed to come to that conclusion but let me try to get rid of your cognitive dissonance.

If chinese engineers are completely worthless then how do american companies manage to let chinese manufacture their products to american QA standards but chinese companies selling to chinese markets fail to adhere to them and only follow chinese QA standards?

It's quite simple if you think about it. American companies have american QA standards. Chinese companies have chinese QA standards. If you buy from a chinese shopping platform you get products that meet chinese QA standards. If you buy from an american shopping platform the products follow american QA standards.

It has nothing to do with competency of the engineers.

My first thought is, why does a keyboard even need its own software? There's a reason PS/2 and USB HID are standards...

I remember purchasing an HP printer a while ago --- it came with a CD full of useless crap, including drivers that took a full 400MB installer containing, among other things, a JVM, Apache Tomcat, and a bunch of other Java-based bloat for the "management UI". I just used the OS generic HP/PCL driver and it's been working that way since. I have heard that even those drivers phone home now, to report how many pages were printed and ink levels etc.

Telemetry --- it's in everything now, and this greatly disgusts me. No doubt it's probably buried somewhere deep in the EULA for this keyboard's software, that you agreed to the collection of "aggregate key usage information" or similar. Read the Windows 10 EULA for some similarly creepy wording.

Also, if you're paranoid about USB keyboards containing other "hidden devices", a USB-PS/2 adapter would probably work to stop anything else from getting through.

>why does a keyboard even need its own software?

Setting macros and controlling lights (each key has an RGB light hidden under it).

In plaintext, this is the donald trump of malware.
Warning against cheap keyloggers: Get expensive high quality keyloggers from Microsoft, Google etc.