MantisTek GK2's Keyboard has built-in Keylogger

[goodtofufriday]

Quote

Multiple online user reports claim that the MantisTek GK2 mechanical keyboard's configuration software is sending data to an Alibaba server. One of the reports even includes an analysis of the software’s traffic, which seems to include typed keys.

 

The MantisTek GK2 is a cheap RGB mechanical keyboard from China that costs half as much (or less) as the mechanical keyboards from better known companies. Multiple gadgets that come from China seem to have either poor security or privacy issues caused by collecting user data without consumers' explicit permission. The MantisTek GK2 seems to be one of those products.

 

The main issue seems to be caused by the keyboard’s “Cloud Driver,” which sends information to IP addresses tied to Alibaba servers. Alibaba sells cloud services, so the data isn’t necessarily being sent to Alibaba, the company, but to someone else using an Alibaba server.

 

Source Article: http://www.tomshardware.com/news/mantistek-gk2-collects-typed-keys,35850.html

 

While the source article recommends steps to stop the keylogger, I believe you should just throw the thing away. Don't continue to use a product that uses such practices. I can't even comment that this is hard to believe as if you ever think you are saving money, well you are wrong. That monetary savings to you comes at a cost from somewhere else. In this case your private data. 

Be careful with no name brand devices, especially from china. Plain and simple.

[handymanshandle]

Damnit China, why you selling us keyboards that'll spy on us that aint cool.

[PCGuy_5960]

Why would anyone install a "Cloud Driver"? Keyboards don't need an internet connection.  

[Mooshi]

Not everyone can afford a branded mech keyboard so this really sucks people are this scummy.

[handymanshandle]

1 minute ago, PCGuy_5960 said:

Why would anyone install a "Cloud Driver"? Keyboards don't need an internet connection.  

Sure they can use an internet connection, for "stuff and things" that are "important".

[handymanshandle]

2 minutes ago, Mooshi said:

Not everyone can afford a branded mech keyboard so this really sucks people are this scummy.

To a point, I wonder if membrane is better than knock off mechanical switches.

[dizmo]

At least now you know why it was so cheap. They be selling your info. 

[handymanshandle]

7 hours ago, dizmo said:

At least now you know why it was so cheap. They be selling your info. 

And if you're in China or a country with censorship laws like China... You better not dare write anything dear leader(s) might not appreciate.

[mynameisjuan]

7 minutes ago, dizmo said:

At least now you know why it was so cheap. They be selling your info. 

Why sell it when you are literally giving them your bank login and password

[KenjiUmino]

21 minutes ago, PCGuy_5960 said:

Why would anyone install a "Cloud Driver"?

why? for the same reason people install a flashlight app on their phone that needs permission to access the internet ... 

 

... and your contacts of course

[Doobeedoo]

That's just really bad like oh wow. 

[Sniperfox47]

55 minutes ago, PCGuy_5960 said:

Why would anyone install a "Cloud Driver"? Keyboards don't need an internet connection.  

To be fair even Razer has a "Cloud Driver" (Synapse). Cloud backed configuration has been a primary selling point for a while now.

[JoeCoke]

1 hour ago, wcreek said:

Damnit China, why you selling us keyboards that'll spy on us that aint cool.

 

1 hour ago, Mooshi said:

Not everyone can afford a branded mech keyboard so this really sucks people are this scummy.

 

1 hour ago, wcreek said:

To a point, I wonder if membrane is better than knock off mechanical switches.

For anyone looking for a cheap mech keyboard, look at the Eagletec kg010. It's 40 bucks and it feels exactly like genuine mx blues. Oh yeah. And it doesn't spy on you, that's cool too.

[Spuriae]

Going to repeat my post on reddit:

 

This article is an example of terrible tech journalism. There is no keylogger, and they didn't even read the source; they just made things up based on a picture they didn't understand.

 

The data is the number of times each key has been pressed, and it's only sent once per session (whenever the software is restarted), presumably as an online heatmap backup. There's no malicious keylogger; the only bad thing going on here is that the heatmaps aren't encrypted.

 

Unfortunately, nobody on reddit and nobody at the news outlets (Tom's Hardware, DigitalTrends, Techpowerup) appears to have fully read the original post this all is based on. The author even says there isn't a keylogger a few posts later.

 

The person all these articles are citing as the source has written a follow-up on reddit here.

[dalekphalm]

21 minutes ago, Nimrodor said:

Going to repeat my post on reddit:

 

This article is an example of terrible tech journalism. There is no keylogger, and they didn't even read the source; they just made things up based on a picture they didn't understand.

 

The data is the number of times each key has been pressed, and it's only sent once per session (whenever the software is restarted), presumably as an online heatmap backup. There's no malicious keylogger; the only bad thing going on here is that the heatmaps aren't encrypted.

 

Unfortunately, nobody on reddit and nobody at the news outlets (Tom's Hardware, DigitalTrends, Techpowerup) appears to have fully read the original post this all is based on. The author even says there isn't a keylogger a few posts later.

 

The person all these articles are citing as the source has written a follow-up on reddit here.

Let's say that's correct.

 

It's still wrong.

 

You could potentially reconstruct some data using that info. It's also sent unencrypted, which is terrible. And finally, and most importantly, there was no consent. They didn't ask to collect and send that data.

[atrash]

If you're going to buy a cheap off brand mechanical keyboard, buy one without one of those fancy software included. I know mine doesn't have one and it only cost $30.

[suicidalfranco]

When China does it: it's wrong and you should kill yourself

When MS does it: it's telemetry and you're just being a tinfoil hat guy

[dalekphalm]

4 minutes ago, suicidalfranco said:

When China does it: it's wrong and you should kill yourself

When MS does it: it's telemetry and you're just being a tinfoil hat guy

There is a difference - Microsoft at least let's you know it's happening, when you go through the setup of Windows 10.

 

Plus just because one company does it, doesn't make it okay for another.

 

Furthermore, telemetry for an OS makes sense in a diagnostic sense. People I think are most caught off guard because a Keyboard should be a simple device with no online component at all.

[suicidalfranco]

1 minute ago, dalekphalm said:

People I think are most caught off guard because a Keyboard should be a simple device with no online component at all.

*cough razer synapse *cough

[dalekphalm]

Just now, suicidalfranco said:

*cough razer synapse *cough

Sure but at least that serves a function of backing up your config.

 

In either case, many people would no doubt be uncomfortable even with Razer Synapse.

[FinnFixitMan]

There is a new article on the the site "thehackernews.com" that people have found MantisTek GK2 Mechanical Gaming Keyboards recording the key strokes of the user (also known as a key-logger) and sending it to a server hosted by the "Alibaba Group" located in China.

Full article below. 

https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html

[vanished]

One more reason to be suspicious of cheap versions of products from unknown brands.

 

Actually there's a far more serious issue here than the fact some random keyboard has a keylogger.  It was sending it to Alibaba!?  Does that not mean this was their idea and they're running it?  This story shouldn't be "keyboard X has a keylogger", it should be "alibaba spies on customers by selling them malware infested products"

 

Edit: oh, maybe not.  This was missing from the OP above

Quote

  Alibaba sells cloud services, so the data isn’t necessarily being sent to Alibaba, the company, but to someone else using an Alibaba server.

 

This would be a good topic for WAN show actually since Linus has done cheap keyboard roundups/recommendations in the past

Edited November 7, 2017 by Ryan_Vickers

[FinnFixitMan]

Yeah it would be and I didn't even know that but i'm glad personally i have stuck with my old trusty Mac keyboard. lol

[LAwLz]

"It's OK because you can turn it off, by blocking it in a firewall"

"It's probably somewhere in the TOS so all the blame is on you. This is perfectly acceptable"

"I don't care that they know what I press on my keyboard, I am not an interesting person so they don't care about me anyway"

"It doesn't collect any personal information so you should not worry about it"

"Why does anyone care unless you're typing something illegal?"

"It's just telemetry data about how you use their keyboard. Nothing important."

"Just don't use a keyboard if you don't like it"

"Google and Facebook already knows what you type anyway"

 

Did I miss anything?

Seriously though, fuck this company. Even if it's "just how often you press a key", that's still too much. The way I look at it, sending data, any data at all, from my computer is a privilege that developers should earn. Can't justify to me why some data is leaving my computer? Then it has no business leaving my computer.

[vorticalbox]

7 hours ago, mynameisjuan said:

Why sell it when you are literally giving them your bank login and password

if there was a line in regards to data collection that woukd be just over it.