I have a topic/question that has been on my mind for a while now.
I was browsing through the electronics section of a flea market one day and I noticed this pretty new keyboard. I looked at the specifications and it even had an ARM processor. It was pretty cheap too. This, however, raised my general question about the safety of these devices. I don't know much about how USB communicates with hardware, so correct me if I state something wrong.
Using the keyboard as a point of reference (I think this might apply to almost every USB device), how easy would it be to modify this keyboard to do malicious actions (motives aside)? I would imagine that the easiest way would be modifying the keyboard's firmware.
So let's say I plug this keyboard into my PC. It's Windows 7 32-bit. I can imagine at least two scenarios:
Keyboard plugged in while the PC is off, and then the PC is turned on
At this point there is no OS managing the hardware, so the malicious keyboard is communicating with the CPU directly (correct me if I'm wrong).
You can install a new OS from USB, so you must have access to the hard disk at this point, so you could, for example, plant a rootkit there for the kernel to load. Or just wipe the whole disk.
Keyboard plugged in while the PC is on (OS is loaded)
Would this make a difference from the first scenario, or does the OS interfere in some way? The OS detects new devices, so the device might disguise itself in some way or just register itself as a keyboard and let the OS set up a generic driver for it. If a generic driver would be the case, could this device still do whatever it wants?
How could one check if a device is malicious? I imagine that there must be at least some way to create a sandbox which communicates with the device and checks what instructions it sends. However, this type of dynamic analysis does not always yield the best results. Is there some way to perform static analysis on a possibly harmful USB device?
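
One static check that bears on the "register itself as a keyboard" scenario: a USB device declares its interface classes in its configuration descriptor, so a host-side script can list what a claimed keyboard announces besides HID. The Python below is an added example, not part of the original post; the function names and the two descriptor byte strings are constructed for illustration.

```python
# Added example: the descriptor bytes below are constructed, not captured from a device.
USB_CLASS = {0x01: "audio", 0x02: "cdc-control", 0x03: "hid", 0x08: "mass-storage",
             0x0A: "cdc-data", 0xE0: "wireless-controller", 0xFF: "vendor-specific"}
DT_INTERFACE = 0x04                  # bDescriptorType of an interface descriptor
HID, KEYBOARD_PROTOCOL = 0x03, 0x01  # bInterfaceClass / bInterfaceProtocol values

def interfaces(blob: bytes):
    """Return (number, class, subclass, protocol) for each interface descriptor."""
    found, i = [], 0
    while i < len(blob):
        # Every descriptor starts with bLength, bDescriptorType.
        if i + 2 > len(blob) or blob[i] < 2 or i + blob[i] > len(blob):
            raise ValueError(f"malformed descriptor at offset {i}")
        length, dtype = blob[i], blob[i + 1]
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {i}")
            found.append((blob[i + 2], blob[i + 5], blob[i + 6], blob[i + 7]))
        i += length
    return found

def review(blob: bytes):
    """List the non-HID interfaces declared by a device that also claims to be a keyboard."""
    ifaces = interfaces(blob)
    if not any(c == HID and p == KEYBOARD_PROTOCOL for _, c, _, p in ifaces):
        return []
    return [f"interface {n}: {USB_CLASS.get(c, hex(c))}"
            for n, c, _, _ in ifaces if c != HID]

# Constructed sample 1: one configuration with a single HID boot-keyboard interface.
KEYBOARD_IFACE = ("090400000103010100"   # interface 0: class 3, subclass 1, protocol 1
                  "092111010001223f00"   # HID class descriptor
                  "0705810308000a")      # interrupt IN endpoint
PLAIN = bytes.fromhex("09022200010100a032" + KEYBOARD_IFACE)

# Constructed sample 2: the same keyboard plus a mass-storage interface.
COMPOSITE = bytes.fromhex("09023900020100a032" + KEYBOARD_IFACE +
                          "090401000208065000"   # interface 1: class 8 (mass storage)
                          "07050202400000"       # bulk OUT endpoint
                          "07058202400000")      # bulk IN endpoint

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("composite", COMPOSITE)):
        print(name, interfaces(blob), review(blob))
```

On Linux the same bytes can be read from the `descriptors` file under `/sys/bus/usb/devices/<device>/`. The check only covers what the device declares: it says nothing about which keystrokes a declared keyboard interface will later send.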