How can I detect a keylogger keyboard?
I recently got a USB keyboard. I want to investigate if the microcontroller of the keyboard may host a keylogger and how it could interact with a Windows OS. My understanding is that, once Windows recognizes the USB device, it will get the appropriate driver from a secure Microsoft DB, so even if it is recording the keystrokes, it cannot run by itself any SW to send them anywhere. I'm leaving aside the possibility of having a SW keylogger.
Is it possible that a USB keyboard could host a keylogger and that Windows could give it control to run a process to send the information to an address?
Regular USB keylogger keyboards that exfiltrate their data via Bluetooth or WiFi can easily be hidden inside a keyboard. The Bluetooth loggers require the attacker to come into range to dump their contents, but a WiFi-based adapter that's pre-configured with a network key doesn't even require the attacker to be present to win. He can plug it in and let it sit there forever. Such keyloggers have been commercially available for many years. There are even open source implementations available from the NSA Playset project, which are devices designed to emulate the spy devices found in NSA's leaked and now infamous ANT catalogue. But now, there are new options that are even more sophisticated.
The BashBunny is a commercially available hardware implementation of a USB chameleon that performs these kinds of tasks; the USB Rubber Ducky is simply an Evil Keyboard Simulator. BashBunny works by running a small Linux computer that emulates generic USB keyboards, USB mass storage devices, USB serial ports, and/or USB network adapters. The emulated devices leverage the existing signed Windows drivers that are used by generic chipsets. Such devices can exfiltrate captured data via the victim PC simply by emulating a USB keyboard and typing instructions to send it elsewhere.
Here's a simplistic example of how they could exfiltrate data through the victim PC. Imagine that the hidden USB device contains a data logger, and records your secrets for a day or two. (BashBunny does not contain a keylogger; it gets its data from scanning the host system. Of course it could install a keylogger, then harvest the data at a later time.) When it's time to send the data, it generates USB messages that contain keystrokes, but the user isn't typing them. By hitting R, then typing http://www.evilhax0rs.invalid/key_logger_dump_page.php* it can bring up a mostly empty-looking page with a hidden input box located so far down the screen that you need scroll bars to find it. Now, imagine the rogue keyboard hitting to slide the browser window completely off the screen, hiding it from the user's view. Next, the fake keyboard starts typing all its logged keystrokes into the input box (base64 encoded, naturally), and hitting when finished. Finally, after all the secrets have left the building, it types to restore the browser, then quickly types F4 to close the tab. Even if the user notices the windows popping up before sliding out of view, it can happen so fast the typical victim won't have the chance to figure out what's happening.
As I said, these are commercially available and open source products you can buy today; the source code for the evil devices and the "ducky scripts" that do the phantom typing are all hosted on GitHub.
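On the detection side of the question: the phantom typing described in the answer above arrives far faster than a person types, so it can be flagged from keystroke timing alone. The following is an added example, not part of the original answer; the event format, device labels and both thresholds are assumptions, and how the timestamps are collected on the host is left out.

```python
from dataclasses import dataclass

# Assumed thresholds: a run of 20+ keys with every gap <= 20 ms is treated
# as scripted input. Tune both against your own typing baseline.
MAX_GAP_MS = 20
MIN_BURST = 20

@dataclass(frozen=True)
class KeyEvent:
    t_ms: int      # arrival time of the key-down event, in milliseconds
    device: str    # hypothetical label for the keyboard that sent it

def find_injected_bursts(events):
    """Return (device, start_ms, end_ms, key_count) for each suspicious run."""
    by_device = {}
    for ev in sorted(events, key=lambda e: e.t_ms):
        by_device.setdefault(ev.device, []).append(ev.t_ms)
    hits = []
    for device, times in by_device.items():
        run = [times[0]]
        for cur in times[1:]:
            if cur - run[-1] <= MAX_GAP_MS:
                run.append(cur)          # still inside a fast run
                continue
            if len(run) >= MIN_BURST:    # run ended: was it long enough?
                hits.append((device, run[0], run[-1], len(run)))
            run = [cur]
        if len(run) >= MIN_BURST:        # run that lasts to the end of the log
            hits.append((device, run[0], run[-1], len(run)))
    return hits

def sample_events():
    """Constructed data: human typing on two keyboards plus one scripted burst."""
    human_gaps = [110, 95, 180, 140, 230, 90, 160]   # ms, human-like spacing
    events, t = [], 0
    for i in range(40):
        t += human_gaps[i % len(human_gaps)]
        events.append(KeyEvent(t, "kbd-A"))
        events.append(KeyEvent(t + 37, "kbd-B"))
    # 60 keys, 5 ms apart, arriving on the same device the user types on
    events += [KeyEvent(10_000 + 5 * i, "kbd-A") for i in range(60)]
    return events

if __name__ == "__main__":
    for hit in find_injected_bursts(sample_events()):
        print("suspicious burst:", hit)
```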