Your keyboard is one of the most important things to secure in desktop and mobile environments, yet it is often overlooked.
If you’re on a mobile device, chances are you’re using a “virtual” keyboard. A virtual keyboard is just an on-screen keyboard instead of a physical one. The problem is many available keyboards send your keystrokes to a remote server by default. Even the stock keyboard may do this. Even if you’re using the secure messaging app Signal, some big company could still be collecting everything you type through your keyboard app. Watch TheHatedOne’s video to find out how to secure your Android keyboard.
The same advice goes for custom keyboards on iOS: If you’re using a custom keyboard, use free software!
TheHatedOne does not mention physical keyboards. I have two pieces of advice for those:
- Do not use a wireless keyboard (or mouse).
- Do not use a programmable keyboard.
The problem with wireless keyboards is in the name; they send keystrokes wirelessly to the USB receiver. It’s often impossible to verify that wireless keyboards securely encrypt traffic. Even the keyboards with strong encryption are vulnerable to replay attacks which could be used to exploit the target machine. Even if a strong encrypted wireless keyboard is immune to replay attacks, it could be vulnerable to spoofing. Even with strong encryption, replay immunity and spoofing immunity, it’s still possible to log the frequency and timing of keystrokes using statistical analysis to determine which keys are being pressed at which times. As a final very minor issue, if AES is ever broken you’ll need a new keyboard.
This isn’t conjecture. Replay attacks and keystroke logging have already been demonstrated. It’s best just to have a wired physical keyboard (and mouse) to avoid all these problems.
The second concern is programmable keyboards. The problem with them is also in the name; they are programmable. If your computer can upgrade your keyboard firmware, then an attacker could embed viruses in your keyboard if your operating system is ever compromised. Then every time you reinstall your OS the virus could be reinstalled via your keyboard. If you have a fancy RGB keyboard controlled by drivers on your machine or you have G-series keyboard macros (G1, G2, G3, etc.) you might consider using a different keyboard that isn’t programmable. You don’t want a keylogger embedded into your keyboard itself. So just use a non-programmable keyboard and program macros inside the actual program where you want to use them. There’s no reason I can think of that a keyboard would need to have embedded macros anyway. Just embed your macros in the program or OS configuration itself.
For the vast majority of computer users, these measures should be enough to secure your keyboard.