How to detect a keylogger in a USB keyboard? Can a USB keyboard host a keylogger?

Regular USB keyloggers that exfiltrate their data via Bluetooth or WiFi can easily be hidden inside a keyboard. The Bluetooth loggers require the attacker to come into range to dump their contents, but a WiFi-based adapter that's pre-configured with a network key doesn't even require the attacker to be present to win. He can plug it in and let it sit there forever. Such keyloggers have been commercially available for many years. There are even open source implementations available from the NSA Playset project, which are devices designed to emulate the spy devices found in NSA's leaked and now infamous ANT catalog. But now, there are new options that are even more sophisticated.

The BashBunny is a commercially available hardware implementation of a USB chameleon that performs these kinds of tasks; the USB Rubber Ducky is simply an Evil Keyboard Simulator. The BashBunny works by running a small Linux computer that emulates generic USB keyboards, USB mass storage devices, USB serial ports, and/or USB network adapters. The emulated devices leverage the existing signed Windows drivers that are used by generic chipsets. Such devices can exfiltrate captured data via the victim PC simply by emulating a USB keyboard and typing instructions to send it elsewhere.

Here's a simplistic example of how they could exfiltrate data through the victim PC. Imagine that the hidden USB device contains a data logger, and records your secrets for a day or two. (The BashBunny does not contain a keylogger; it gets its data from scanning the host system. Of course it could install a key logger, then harvest the data at a later time.) When it's time to send the data, it generates USB messages that contain keystrokes, but the user isn't typing them. By hitting <Windows>R, then typing http://www.evilhax0rs.invalid/key_logger_dump_page.php* it can bring up a mostly empty-looking page with a hidden input box located so far down the screen that you need scroll bars to find it. Now, imagine the rogue keyboard hitting <Windows><Shift><Down-Arrow> to slide the browser window completely off the screen, hiding it from the user's view. Next, the fake keyboard starts typing all its logged keystrokes into the input box (base64 encoded, naturally), and hitting <Enter> when finished. Finally, after all the secrets have left the building, it types <Windows><Shift><Up-Arrow> to restore the browser, then quickly types <Control>F4 to close the tab. Even if the user noticed the windows popping up before sliding out of view, it can happen so fast the typical victim won't have the chance to figure out what's happening.

As I said, these are commercially available and open source products you can buy today; the source code for the evil devices and the "ducky scripts" that do the phantom typing are all hosted on GitHub.

* not a real page.
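The phantom typing described in this answer only works because it runs far faster than a person types. One host-side detection approach, added here as an example and not part of the original answer, is to watch the cadence of keyboard events and flag sustained bursts with inter-key intervals no human sustains. The log format (`timestamp_seconds key`), the sample log, and the thresholds are all constructed assumptions for illustration.

```python
"""Flag scripted 'phantom typing' in a keyboard event stream.

Assumes a plain text log, one event per line: "<seconds> <key>".
Such a log could come from any host-side HID monitor; the sample
below is constructed, not captured from a real device.
"""

# Constructed sample: a person typing "hello" at a normal pace, then a
# burst at ~5 ms per key, the kind of cadence a rogue HID device
# produces when it replays a script after Win+R.
SAMPLE_LOG = """\
0.000 h
0.180 e
0.410 l
0.540 l
0.790 o
1.200 LWIN+r
1.205 h
1.210 t
1.215 t
1.220 p
1.225 :
1.230 /
1.235 /
1.240 e
1.245 v
1.250 ENTER
"""


def parse_events(text):
    """Turn the log text into a list of (timestamp, key) tuples."""
    events = []
    for line in text.splitlines():
        ts, key = line.split(maxsplit=1)
        events.append((float(ts), key))
    return events


def find_bursts(events, window=8, max_mean_interval=0.03):
    """Return (start_index, end_index) for each run of events in which
    every sliding window of `window` keys has a mean inter-key interval
    below `max_mean_interval` seconds. 30 ms is an illustrative cutoff;
    tune it against real typing data before relying on it."""
    bursts, current = [], None
    for i in range(len(events) - window + 1):
        j = i + window - 1
        mean = (events[j][0] - events[i][0]) / (window - 1)
        if mean < max_mean_interval:
            current = [i, j] if current is None else [current[0], j]
        elif current is not None:
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts


def burst_keys(events, burst):
    """Keys typed during a flagged burst, for the alert text."""
    start, end = burst
    return [key for _, key in events[start:end + 1]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for b in find_bursts(evs):
        print("scripted input suspected:", " ".join(burst_keys(evs, b)))
```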


I'm reading the question and seeing "could the keyboard", and what comes to mind is that most keyboards I've cracked open have an Atmel32u[4,8,X] controller. These controllers are running a firmware that is field programmable (though they may not have easy-to-reach breakouts for JTAG/UART). There are open source projects (Openhardware) that keyboard hobbyists have been building now for the better part of a decade based around the Atmel32u series processors.

It would not be trivial, but it is totally possible to write a keylogger using the open source codebases as a starting point (TMK being the most established: https://github.com/tmk/tmk_keyboard). You could then use the same methodology as a Rubber Ducky and send commands through the keyboard itself to create the agent that sends the keystrokes to the remote location.

Some keyboards' firmware has been reverse engineered already (again, by keyboard enthusiasts), and vendors have even tried encrypting the firmware packages to prevent this. Still, it's not outside the realm of possibility.