Almost got fired over my keyboard

apastuszak

10 Jun 2024, 22:44

I've been using my Mini M for years on my work laptop. I bought a new RPI2040 based controller for it and flashed QMK/VIAL on it within weeks of QMK/VIAL getting released.

Today, I am typing away, and some security tool tells me it disabled my network access for my protection. I get kicked off of VPN and my laptop loses all network connectivity.

Within minutes, my boss calls me and tells me I plugged a USB Ninja hacking tool into my laptop. He says he got an automated email and it says the device is called a "Unicomp Mini-M."

My boss knows what that is, finds a link to it on Unicomp's website, and sends it to the security team. Clearly, this is a false positive. I mean, I've been using this keyboard with QMK on it for months.

In the end, they agree to "unlock" my laptop, but told me I can never use the Mini-M on my work computer again.

kshopper2084

11 Jun 2024, 17:05

Such is the state of cybersecurity these days. Risks are too high to entertain your fancy custom keyboard. I don't blame them at all, sadly, they have an impossible job to fend off the bad actors and keep the company functioning at the same time.

Sucks though for sure.

ModelMenjoyer

12 Jun 2024, 01:03

huh, never expected the rpi controller to interfere with the security system that way.

Lanrefni

12 Jun 2024, 09:06

RPi are reprogrammable microcontrollers, IT literally has no way of knowing if it's a Mini-M or a hacking tool that looks like a Mini-M.
They are doing their jobs and that job is to be paranoiac about anything/everything touching the company network.

vvp

12 Jun 2024, 13:17

Get a patch for your firmware so that the keyboard is behaving as a standard USB (boot) keyboard when connected to a PC. If you need extensions to the standard protocol then make them optional and activate them only when not connected to company PC. You may need to cheat on VendorId and ProductId as well. I would not be surprised if their glorified security scan only checks for VendorId/ProductId. It is a lame approach but it is simple.

Maybe switch your employer when they cannot give you an exception for your keyboard.

engr

12 Jun 2024, 13:33

I just find it hilarious that of all the keyboards in the world the one they found suspicious was the last keyboard that is mass-produced here in the US by a successor to the IBM OEM manufacturer.

Not a random unnamed board from an Amazon seller named YZXYZOO, not a Franken-board hand-wired in a garage using totally legit components from Aliexpress, not a mysterious PS2-to-USB dongle from eBay, but a board by the effing UNICOMP.

AndyJ

12 Jun 2024, 14:28

USB devices need software device drivers to work. Operating systems support a bunch of generic or common devices out of the box. Otherwise, the USB stick, keyboard, hard drive, scanner, etc. has device driver software built in. If the OS doesn't recognize the device, it queries if a driver is available, and then installs it.

By default, without prompting, in most cases.

At administrator/root access level.

That "finished installing your device" popup in Windows? You're already pwned if it was a malicious device.

Yes, there have been documented cases of malware in keyboards... but in this case, they let your computer log back in *after* you'd infected it with buckling-spring goodness. Which is a total WTF from a security standpoint; they're just being jerks.

apastuszak

12 Jun 2024, 15:20

I wonder if the USB Ninja uses a RPI2040 Microcontroller.

apastuszak

12 Jun 2024, 15:49

kshopper2084 wrote:
11 Jun 2024, 17:05
Such is the state of cybersecurity these days. Risks are too high to entertain your fancy custom keyboard. I don't blame them at all, sadly, they have an impossible job to fend off the bad actors and keep the company functioning at the same time.

Sucks though for sure.
I just wonder what set it off NOW. I've been using this keyboard for years. And it worked fine for a few hours and then something happened that triggered the alert.

I've switched to a Bluetooth keyboard for now, but I would really prefer wired. The battery life of most Bluetooth keyboards is not very good.

I wonder if the USB Ninja false positive was because of the QMK firmware. I was debating pulling my PS/2 Model M out and using my Soarers Converter. I've used that for probably six months on this computer. But I don't need another "false positive" and a call from HR over my desire to type on a Model M.

apastuszak

12 Jun 2024, 15:58

AndyJ wrote:
12 Jun 2024, 14:28
USB devices need software device drivers to work. Operating systems support a bunch of generic or common devices out of the box. Otherwise, the USB stick, keyboard, hard drive, scanner, etc. has device driver software built in. If the OS doesn't recognize the device, it queries if a driver is available, and then installs it.

By default, without prompting, in most cases.

At administrator/root access level.

That "finished installing your device" popup in Windows? You're already pwned if it was a malicious device.

Yes, there have been documented cases of malware in keyboards... but in this case, they let your computer log back in *after* you'd infected it with buckling-spring goodness. Which is a total WTF from a security standpoint; they're just being jerks.
I could log in, but they killed all my network access. Had I been in the building, someone would show up at my desk and take my PC and peripherals and I would get them back after a complete scan of everything.

Once I changed keyboards, they remotely enabled my network access and I was good to go.

vvp

12 Jun 2024, 19:51

apastuszak wrote:
12 Jun 2024, 15:49
I just wonder what set it off NOW. I've been using this keyboard for years. And it worked fine for a few hours and then something happened that triggered the alert.
Based on your 1st post you updated the controller and firmware on your keyboard recently. The PC scans the USB bus for connected devices any time a USB device is connected or when the PC boots. How a USB device looks to the PC is defined in the device firmware - specifically the device descriptor the firmware sends to the PC. When you change the firmware it will likely send a different descriptor and the PC will think you connected a completely different device (keyboard).

vvp

12 Jun 2024, 20:15

Here is the device descriptor for my keyboard:

Bus 001 Device 004: ID 1d50:6028 OpenMoko, Inc. Teensy 2.0 Development Board [ErgoDox Keyboard]
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 [unknown]
  bDeviceSubClass         0 [unknown]
  bDeviceProtocol         0 
  bMaxPacketSize0         8
  idVendor           0x1d50 OpenMoko, Inc.
  idProduct          0x6028 Teensy 2.0 Development Board [ErgoDox Keyboard]
  bcdDevice            1.10
  iManufacturer           1 andreae.gen.nz
  iProduct                2 K84CS USB Keyboard
  iSerial                 3 andreae.gen.nz:k84cs
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0044
    bNumInterfaces          3
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower               30mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0 [unknown]
      bInterfaceProtocol      0 
      iInterface              0 
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      64
          Report Descriptors: 
            ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               2
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      2 Mouse
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      67
          Report Descriptors: 
            ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               2
Device Status:     0x0000
  (Bus Powered)
It is likely your employer only looked at the descriptor. Maybe only VendorId and ProductId. Maybe they looked whether there is some vendor specific interface or some unusual interface protocol. E.g. to make my keyboard look very standard I would need to:
  • remove the vendor specific interface
  • maybe remove the descriptor for the mouse
  • maybe fake VendorId & ProductId
Standard keyboard and standard mouse do not need any new driver. You may see Windows claiming to install a driver for your standard keyboard or mouse but it only connects its own (already installed) standard human interface device driver to your device (VendorId/ProductId).
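To make concrete what vvp describes in the two posts above (the host reading the device descriptor at enumeration, and a security tool judging the device on VID/PID plus the interface classes it exposes), here is an added example that is not from this thread, from QMK, or from any endpoint-security product. It parses lsusb-style descriptor output and reports what a simple descriptor-based policy would flag. The first sample is vvp's dump above, abridged to the fields the parser reads; the second is a constructed dump of a plain boot-protocol keyboard with a hypothetical VID/PID (1234:5678, not a real product). The allowlist, field names and severities are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample 1: vvp's lsusb -v dump from this thread, abridged to the fields read below.
QMK_STYLE_DUMP = """\
Bus 001 Device 004: ID 1d50:6028 OpenMoko, Inc. Teensy 2.0 Development Board [ErgoDox Keyboard]
Device Descriptor:
  idVendor           0x1d50 OpenMoko, Inc.
  idProduct          0x6028 Teensy 2.0 Development Board [ErgoDox Keyboard]
  iProduct                2 K84CS USB Keyboard
  Configuration Descriptor:
    bNumInterfaces          3
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0 [unknown]
      bInterfaceProtocol      0
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
    Interface Descriptor:
      bInterfaceNumber        2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      2 Mouse
"""

# Sample 2 (constructed, hypothetical VID/PID): a plain single-interface boot keyboard.
PLAIN_KEYBOARD_DUMP = """\
Bus 001 Device 005: ID 1234:5678 Example Plain Keyboard
Device Descriptor:
  idVendor           0x1234 Example
  idProduct          0x5678 Plain Keyboard
  iProduct                2 Plain Keyboard
  Configuration Descriptor:
    bNumInterfaces          1
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

HID_CLASS = 3
VENDOR_SPECIFIC_CLASS = 255
BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}

# lsusb field lines look like "  bInterfaceClass       255 Vendor Specific Class".
FIELD_RE = re.compile(r"^\s*([a-z]{1,2}[A-Z]\w*)\s+(0x[0-9a-fA-F]+|\d+)\s*(.*)$")


@dataclass
class Interface:
    number: int = -1
    cls: int = 0
    subclass: int = 0
    protocol: int = 0


@dataclass
class Device:
    vid: int = 0
    pid: int = 0
    product: str = ""
    interfaces: list = field(default_factory=list)


def parse_lsusb(text: str) -> Device:
    """Pull VID/PID and the per-interface class/subclass/protocol out of lsusb -v text."""
    dev = Device()
    iface = None
    for line in text.splitlines():
        if line.strip() == "Interface Descriptor:":
            iface = Interface()          # every later bInterface* line belongs to this one
            dev.interfaces.append(iface)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, raw, desc = m.group(1), m.group(2), m.group(3).strip()
        val = int(raw, 16) if raw.startswith("0x") else int(raw)
        if name == "idVendor":
            dev.vid = val
        elif name == "idProduct":
            dev.pid = val
        elif name == "iProduct":
            dev.product = desc
        elif iface is not None and name == "bInterfaceNumber":
            iface.number = val
        elif iface is not None and name == "bInterfaceClass":
            iface.cls = val
        elif iface is not None and name == "bInterfaceSubClass":
            iface.subclass = val
        elif iface is not None and name == "bInterfaceProtocol":
            iface.protocol = val
    return dev


def assess(dev: Device, allowlist: set) -> list:
    """Reasons a descriptor-based policy would flag this device (empty list = looks standard)."""
    findings = []
    if (dev.vid, dev.pid) not in allowlist:
        findings.append(f"vid:pid {dev.vid:04x}:{dev.pid:04x} not on allowlist")
    boot_roles = []
    for i in dev.interfaces:
        if i.cls == VENDOR_SPECIFIC_CLASS:
            # A vendor-specific interface is a data channel the OS has no generic driver for.
            findings.append(f"interface {i.number}: vendor-specific class")
        elif i.cls == HID_CLASS and i.subclass == 1 and i.protocol in BOOT_PROTOCOLS:
            boot_roles.append(BOOT_PROTOCOLS[i.protocol])
        elif i.cls == HID_CLASS:
            # Custom report descriptor: media keys and raw HID look identical at this level.
            findings.append(f"interface {i.number}: non-boot HID {i.subclass}/{i.protocol}")
        else:
            findings.append(f"interface {i.number}: unexpected class {i.cls}")
    if "keyboard" in boot_roles and len(dev.interfaces) > 1:
        findings.append(f"composite keyboard with {len(dev.interfaces)} interfaces")
    return findings


if __name__ == "__main__":
    for dump in (QMK_STYLE_DUMP, PLAIN_KEYBOARD_DUMP):
        d = parse_lsusb(dump)
        print(d.product, assess(d, allowlist={(0x1234, 0x5678)}))
```

Run against vvp's dump with an allowlist that does not contain 1d50:6028, the policy reports the unknown VID/PID, the vendor-specific interface 0, and the three-interface composite; allowlisting the VID/PID removes only the first of those, which is why a firmware change that adds or removes an interface can change the verdict even when the ID stays the same. The plain boot keyboard, once allowlisted, produces no findings.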

apastuszak

13 Jun 2024, 13:35

I understand how it works. I just wonder why:

1. The updated controller was fine for months and suddenly it was not.
2. The software identified the Mini-M as a USB Ninja, a hacking USB cable that can receive wireless commands to deliver a malicious payload. USB Ninjas are transparent to the OS. They look just like a USB cable to the operating system.

I wonder if someone

AndyJ

13 Jun 2024, 16:54

Tech support may have updated their malware detector software. The vendor may have a buggy database.

vvp

13 Jun 2024, 21:39

... or maybe USB Ninja uses QMK (like) descriptor when triggered as a keyboard.

USB Ninja is transparent only when inactive (not triggered).
Last edited by vvp on 13 Jun 2024, 21:42, edited 1 time in total.

apastuszak

13 Jun 2024, 21:41

vvp wrote:
13 Jun 2024, 21:39
... or maybe USB Ninja uses QMK (like) descriptor when triggered as a keyboard.
Well that would suck. That would mean I can never use a USB QMK keyboard again.

vvp

13 Jun 2024, 21:55

Use a different firmware or get a patch for QMK which will use a standard keyboard descriptor. You may lose some features (e.g. the Vial GUI will likely not work when the keyboard uses the standard descriptor). But the patch can be done in such a way that you could activate full QMK functionality (i.e. also use the original QMK descriptor) only when you e.g. press some special key combination while the keyboard is powered up. Then you only need to remember not to press it while connecting to your work computer :)

I cannot really help you much. I do not use QMK. Last time I checked (around 2015) it was worse than my firmware of choice.

apastuszak

13 Jun 2024, 22:03

I'm using the Nuphy Air75 V2 now over Bluetooth. It has QMK/VIA on it and that one hasn't set off any alarms. I'm not a huge fan of low profile keyboards. And I really don't like wireless keyboards. But it is what it is.

What's your firmware of choice?

vvp

13 Jun 2024, 22:13

I use my branch of chrisandreae's firmware: https://github.com/hercek/keyboard-firmware

At the time I was deciding, it was the only one with the proper on-the-fly macro and remap features. A possibility to define macros/programs in a GUI application (likely something like Vial for QMK now) was only a minor bonus.

The Laptop Lagger

16 Jun 2024, 20:02

I could totally see this happening with the active adapter I use for my XT keyboard at work, might just switch back to plain old PS/2 aha

Hak Foo

18 Jun 2024, 07:44

I'm sort of surprised that my cavalcade of HID devices never gets any attention from the security team at work. The firmware on my keyboard identifies as a 'qmkbuilder Overton130', and there are two different trackballs hanging off.

I suppose that's part of the reason I haven't swapped in the newer model at my workstation; the default descriptor of my current firmware lists the manufacturer as "Galley-La Company", and everyone knows that they're a hopelessly compromised organization. :) The VID/PID is also nonsense. :)

More seriously, I wonder if they'd consider the OLED visualization a keylogger.

On the other hand, the company Slack does have a keyboard-centric channel, and there are a few people with weird ergo builds, so exotic input is maybe to be expected. I recall someone had a Matias Quiet Pro on his desktop when I visited the head office pre-Covid.
