Security News Chinese Keyboard Maker Caught Tracking Typed Keys on Customer’s Computers

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Chinese mechanical keyboard manufacturer MantisTek has allegedly included keylogging capabilities in the software application offered to customers of its GK2 model.

Specifically developed to provide more customization options for RGB illumination and macros, the keyboard companion software can also track typed keys on the keyboard and send information to a server that’s being hosted on Alibaba Cloud.

A component described as “cloud driver” appears to be responsible for recording the keypresses and sending them to IP 47.90.52.88, with the data then stored in two different locations, namely /cms/json/putkeyusedata.php and /cms/json/putuserevent.php.

The worst thing is that the data is being transmitted unencrypted, which means that anyone who monitors the traffic of your Internet connection can intercept the logged information and see what you typed on the keyboard. Everything that is being typed on a MantisTek keyboard is being collected, including credit card information, personal data, and any other text that users input on websites or in documents.

Remove the software application
The weird thing is that trying to connect to the said IP address using a browser seems to point to a Chinese login page that also hosts a link to Browse Happy. The Chinese text on the page seems to point to a cloud mouse management system, so it could provide access to data collected by the keylogger.

At this point, there’s absolutely no official information on the keylogging capabilities of the software tool and MantisTek has obviously remained tight-lipped, but customers who purchased the said keyboard model are recommended to uninstall the companion application as soon as possible to make sure their keypresses aren’t logged and sent to the company.

Additionally, a firewall that can block the CMS.exe process can also help deal with the keylogger, though in this case users must be sure that all connections to the server are blocked.

As for those whose information has already been tracked, you better keep an eye on your bank accounts and personal details to detect any suspicious activity and report it to law enforcement.
 
F

ForgottenSeer 58943

Outrageous!! How can we be surprised, then, if from China come out backdoors, adware, and now keyboards with built-in keylogger!

In years of IT Engineering, I can tell you that I have NEVER seen a Chinese (IT) product (software/hardware) that didn't do some form of spying out of the box.

Of the last dozen Chinese Off-Brand IoT gear I have tested over the last 8 months 100% of them had backdoors of some type. This spans the generic, simple smart-plug, all of the way up to off-brand Chinese routers, switches and AP's. ALL OF IT. Most recently I discovered backdoors and phishing in the most popular Chat-App in Asia (WeChat). I ripped Maxthon up last year after I found spying involvement with it.

Remember, while so much stuff is manufactured in China, even Fortinet hardware is manufactured there, realize that in this case, this gear is carefully inspected, audited, Fortinet engineers are on the assembly line and the operating system (FortiOS, which is a classified trade secret) is programmed in the USA. We're talking about off-brand junk in most cases that is implicated here. China is very adept at ripping off industrial secrets, they are very adept at Form-Factor emulation. This is why you can buy GIRO Bike Helmets for $25 from China when the real ones cost hundreds, those $25 ones are made with left over packing foam from boxes and will shatter on impact. But the Chinese ripped off the form factor and trade secrets from GIRO then use substandard manufacturing and material. The assumption should be - virtually everything home-brewed in China or even by Chinese ex-pats is backdoored, substandard and prone to failure.

With no recourse from world consumers, manufacturers of this junk don't care.. But slap a backdoor in a Microsoft or Logitech keyboard and there are massive repercussions for the company.



This is the second time I have run across Alibaba Cloud this week.. Some garbage Chromium Clone I tested that someone posted about here also sent spy telemetry to Alibaba Cloud.

My solution is simple - policy geography block connectivity from my network to anything geographically close to China and call it a day..
 
Last edited by a moderator:

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Outrageous!! How can we be surprised, then, if from China come out backdoors, adware, and now keyboards with built-in keylogger!
Right, I lmfao every time someone posts a Chinese security software, or hardware for that matter, then proceed to tell me how awesome it is. I'm good you go ahead :p lol
 
F

ForgottenSeer 58943

Right, I lmfao every time someone posts a Chinese security software, or hardware for that matter, then proceed to tell me how awesome it is. I'm good you go ahead :p lol

Same here.. I always die a little inside when I see people promoting one of the Chinese AV softwares floating around.. Yup, go ahead..

Some guy at work brought in a $19 Smart Plug for me to see. I told him it was backdoored. He said it was small, cheap and didn't do anything but connect to an app to turn on and off the out.. 15 minutes of testing. Yup. Backdoored. ICMP sweeps of the network, DHCP exploration, exfiltration of data on entire network, device names/connected devices, operating systems, open ports, to Chinese IP addresses..
 
F

ForgottenSeer 58943

We were just talking (at work) about how everything seems compromised these days..

I brought up my little secret. I have a new-in-box but older exploit free model AIR-GAP laptop stored away with secured, encrypted linux on it. Chipsets that aren't compromised, etc. Someday in the future, I am sure my kids or someone else will be thankful for what will amount to a totally secure laptop they could use with virtually no risk.

At the least, I just keep it there for peace of mind knowing at any point in the future I can 'plug in' with a completely invulnerable system in an age when everything will likely be riddled with backdoors and spyware.

Sometimes I wonder how secure it would be to setup a BBS again and completely bypass the internet. :ROFLMAO:
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,742
We were just talking (at work) about how everything seems compromised these days..

I brought up my little secret. I have a new-in-box but older exploit free model AIR-GAP laptop stored away with secured, encrypted linux on it. Chipsets that aren't compromised, etc. Someday in the future, I am sure my kids or someone else will be thankful for what will amount to a totally secure laptop they could use with virtually no risk.

At the least, I just keep it there for peace of mind knowing at any point in the future I can 'plug in' with a completely invulnerable system in an age when everything will likely be riddled with backdoors and spyware.

Sometimes I wonder how secure it would be to setup a BBS again and completely bypass the internet. :ROFLMAO:

You just reminded me of the nice times of invite-only BBSs :)
 

Entreri

Level 7
Verified
May 25, 2015
342
I wouldn't trust any Chinese tech products, including the likes of Lenovo, forget about less well known and lower market value corporations in China.

Lenovo was caught spying a few years ago, who is to say they don't have firmware level or bios level spyware now?

This is a country that killed it's own babies for an extra buck (baby formula), nothing is sacrosanct.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top