NON programmable / flashable keyboard for security

[pijo]

I was reading up on some penetration testing techniques and came across different kinds of "Bad USB" techniques, for example https://github.com/justSem/badPico

Since many keyboards contain generic microprocessors, I suppose they could be reconfigured to behave like such a Bad USB device. Maybe even without the owner knowing. So from a security perspective, it might be favourable to have a keyboard with a microchip that can not be repurposed for anything other than a keyboard. Do such keyboards / PCBs exist in the mechanical keyboard space? I have tried looking around, but I'm not sure how to search for them.

[vvp]

Most users in this community want to be able to upgrade/replace their firmware. That means the controllers can be flashed with something malicious.

Often you need to connect a HW programmer(*) to the keyboard to change firmware. Some keyboards come with an active bootloader which allows firmware change without a HW programmer. If a bootloader is present then it may be possible to change firmware remotely. Or it may not be possible if the bootloader requires e.g. a special button press to activate firmware upgrade.

(*) special hardware you need to connect to MCU to program/debug it

Reprogramming MCU can typically be disabled in MCU fuses using a common HW programmer. If it is disabled then you cannot reprogram it any more or you can reprogram it only with a special HW programmer (e.g. a common programmer for ATmega is 5V a special one is 12V, that means you may need to desolder MCU to be able to reprogram it at 12V without damaging the rest of the PCB).

You are being afraid about nothing significant. If you care so much then do not put in a bootloader or even disable reprogramming in fuses. In such a case attacker needs physical access to the keyboard and needs a HW programmer and maybe even desolder the MCU. In such a case, it is just easier to replace the keyboard PCB with a malicious firmware already preloaded. Almost all of your security is already compromised when you have a physical access to the device. Hell if an attacker has physical acces he can just swap the keyboard with something nasty like a mouse trap to hurt your fingers

[pijo]

Thanks for your reply! I agree that it is an unlikely attack vector, but I'm also just curious about this. If I understand you correctly, there isn't really a way to build a keyboard that cannot be reprogrammed/reflashed at all? It can however be made very difficult as you describe. So this is also true for, for example, a very cheap keyboard you get with a PC (e.g. Fujitsu KB410)? I always imagined these keyboards would have chips that can really only have one function.

[Leslieann]

Pretty much anything that can be programmed once can be reprogrammed.
You can't really make a chip pre-programmed and removing the programming functionality is next to impossible. That doesn't mean it's easy, but it's doable.

Back to the keyboard,
Sure the keyboard is what accesses the system but it's very easily bypassed and does pretty close to nothing in terms of stopping me (or someone more determined and skilled). The keyboard firmware being hacked should be one of the least of your concerns, not just you, but almost any company as well. Too many easier points of entry that can give you far more information as keyboard firmware can't really do much on it's own and if you have access to a system why bother programming the keyboard to infect the system when you can just infect the system?

While it's a poor attack vector in terms of hacking a specific target there is nothing to stop a manufacturer from putting spyware in the firmware at the factory similar to what we see on cheap Android devices out of China. We've seen this a lot on external drives, a ton of keyboard software* and (possibly) a server motherboard.


*Don't use software a company gives you through a Google drive, stop buying from these shady fly-by-night companies altogether.

[vvp]

So this is also true for, for example, a very cheap keyboard you get with a PC (e.g. Fujitsu KB410)? I always imagined these keyboards would have chips that can really only have one function.

For small quantities (like a keyboard needs), a chip which has only one function (i.e. a custom ASIC) is more expensive than a generic programmable controller with firmware. It is almost certain that your Fujitsu KB410 has a programmable controller inside ... and therefore it can be attacked by firmware update. But as was written, this is not a practical attack. If you have a physical access to flash firmware with a programmer then it is easier to just replace the whole keyboard with the same looking piece which has your own controller with a malicious firmware. But if you have a physical access then you may be able to put a PCIe card or a firewire device or something else which has unprotected DMA access and attack the PC and its OS directly. Even a locked down OS cannot defend itself if it does not access all new devices with IOMMU ... it likely does not ... this is typically used only for mapping hardware to a virtual machine.

The point is that you need a physical access to attack a locked down keyboard firmware. And if you have a physical access then there are much better ways to use it than going through a keyboard.

Very roughly based on google only: a standard simple MCU can go down to a few cents a piece; price of a simple ASIC design plus a minimum order (few thousands pieces) starts around $ 1e6. The result is that it is very unlikely you will find a keyboard with a custom ASIC.

Go on, tear down your off-the-shelf standard keyboard, look up the controller and find out what it is based on the markings on the chip. Though sometimes this does not help since the chip is so cheap that it does even have any usable markings. Or a marking-less package was required to obscure the design.