
MantisTek GK2's Keylogger Is a Warning Against Cheap Gadgets - infodroid
http://www.tomshardware.com/news/mantistek-gk2-collects-typed-keys,35850.html
======
userbinator
My first thought is, why does a keyboard even need its own software? There's a
reason PS/2 and USB HID are standards...

I remember purchasing an HP printer a while ago --- it came with a CD full of
useless crap, including drivers that took a full 400MB installer containing,
among other things, a JVM, Apache Tomcat, and a bunch of other Java-based
bloat for the "management UI". I just used the OS generic HP/PCL driver and
it's been working that way since. I have heard that even those drivers phone
home now, to report how many pages were printed and ink levels etc.

Telemetry --- it's in everything now, and this greatly disgusts me. No doubt
it's probably buried somewhere deep in the EULA for this keyboard's software,
that you agreed to the collection of "aggregate key usage information" or
similar. Read the Windows 10 EULA for some similarly creepy wording.

Also, if you're paranoid about USB keyboards containing other "hidden
devices", a USB-PS/2 adapter would probably work to stop anything else from
getting through.

~~~
jml7c5
>why does a keyboard even need its own software?

Setting macros and controlling lights (each key has an RGB light hidden under
it).

------
JetSpiegel
> These days, most products are made in China, but usually some other local
> company acts as an intermediary to ensure that the product is developed to
> specification and without other "features" that shouldn't be there. However,
> this additional protection goes out of the window when people decide to
> purchase directly from Chinese manufacturers via Chinese marketplaces.

Come on, it's not like American manufacturers are a paragon of user privacy,
was this jingoistic jab necessary?

"Obscure manufacturer screws up" doesn't imply "Chinese engineers are
completely worthless".

~~~
userbinator
Indeed, just Google "Windows 10 keylogger" and see what Microsoft put in the
OS itself...

Some "obscure manufacturer" collecting this information gets a "warning"
article, yet Microsoft, who is probably collecting the same if not even more
detailed information about what you type _and everything else_, generated
plenty of "telemetry is good for you" articles instead? Something doesn't seem
right here...

------
problems
Not exactly just against cheap gadgets - remember the Conexant keylogger from
earlier this year? It seems to be a common thing for driver developers to log
keypresses for development purposes yet fail to disable that functionality in
release... easiest fix? Don't install closed source drivers for 3rd party
hardware.

https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt

~~~
monochromatic
That's the easiest fix unless it's hardware you need, or it's your work
computer, or or or or...

~~~
nerdponx
If it's your work computer then all bets are off. It's your employer's privacy
at stake, not yours. Moreover you shouldn't ever consider your activity on
your work computer "private" since your employer can and probably does monitor
your usage.

~~~
monochromatic
That’s all true. I’m just saying it’s not always practical to avoid closed
source code.

------
singularity2001
Warning against cheap keyloggers: Get expensive high quality keyloggers from
Microsoft, Google etc.

------
moonman272
In plaintext, this is the Donald Trump of malware.

------
retSava
Read the original posts and saw the package capture screenshot. It seems like
it sends stats on how many keypresses there are on a key-by-key basis, not an
actual keylogger (i.e. it doesn't send the content of what you sent).

It sends this in cleartext over http, not https. Again, not the content of
what you type, so your url+user/pw is not sent (at least not according to what
is known now).

~~~
jnbiche
To be clear, if they're sending real-time updates on the keypress counts of
each key, it's quite simple to map that to a traditional key logger (i.e., the
contents of what you typed).

~~~
ac2u
Was it confirmed realtime though? Could have been batched, which makes it
harder to reconstruct what was typed.

Even that's a step too far though, but clarification can help draw the line
between careless and malicious.
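
An added illustration of the real-time versus batched point in the exchange above (not part of the thread, and not the keyboard software's actual wire format, which the thread does not give). It assumes cumulative per-key counters sent every `batch` keypresses and counts how many typed sequences are consistent with what an observer of the cleartext HTTP traffic would see; `simulate`, `leak_summary` and the sample text are hypothetical.

```python
from collections import Counter
from math import factorial, prod

def simulate(typed, batch):
    """Constructed telemetry: a cumulative per-key count snapshot is
    emitted every `batch` keypresses (batch=1 models real-time reporting)."""
    total, snapshots = Counter(), []
    for i, key in enumerate(typed, 1):
        total[key] += 1
        if i % batch == 0 or i == len(typed):
            snapshots.append(dict(total))
    return snapshots

def interval_deltas(snapshots):
    """Per-key increases between consecutive cumulative snapshots."""
    prev, deltas = Counter(), []
    for snap in snapshots:
        cur = Counter(snap)
        deltas.append(cur - prev)  # Counter subtraction keeps positive counts only
        prev = cur
    return deltas

def candidate_orderings(delta):
    """Distinct key orders consistent with one interval (multinomial coefficient)."""
    n = sum(delta.values())
    return factorial(n) // prod(factorial(c) for c in delta.values())

def leak_summary(snapshots):
    """How much of the typed sequence the counters pin down."""
    deltas = interval_deltas(snapshots)
    return {
        "intervals": len(deltas),
        # True when every interval holds at most one keypress: order fully known
        "fully_ordered": all(sum(d.values()) <= 1 for d in deltas),
        # Number of typed sequences an observer cannot tell apart
        "candidates": prod(candidate_orderings(d) for d in deltas),
    }

if __name__ == "__main__":
    sample = "hello"  # constructed sample input
    for batch in (1, 2, 5):
        print(batch, leak_summary(simulate(sample, batch)))
```

With one snapshot per keypress the counters determine the sequence exactly; larger batches leave more candidates, but the set of keys pressed in each interval is still disclosed.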

