[BreachExchange] Mechanical keyboard maker accused of keylogging as customers examine software

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 7 19:01:03 EST 2017


https://finance.yahoo.com/news/mechanical-keyboard-maker-accused-keylogging-233846507.html

Jump on Amazon to perform a search for mechanical keyboards and the
cheapest solutions you find are sold by manufacturers you likely don’t
know. MantisTek is one of these lesser-known keyboard makers and is now
under fire for allegedly tracking the typed keys of those who own its GK2
mechanical keyboard, aka keylogging. This alleged tracking is done through
the included software, which sends information to a server maintained by
the Alibaba Group.

Typically, the software can be used to customize the keyboard’s RGB
illumination, lighting effects, and macro assignments. But a few owners are
reporting that the software sends data to an IP address owned by Alibaba. A
post stemming out of Asia provides a few more detailed bits, reporting that
MantisTek’s “cloud driver” is the responsible component sending data to a
specific address: 47.90.52.88.

If you enter that address in a browser, a Chinese login page appears along
with a link to Browse Happy. The page translates to “Cloud mouse platform
background management system,” and is maintained by Shenzhen Cytec
Technology Co., Ltd., which may or may not be a rechargeable battery maker
located in Shenzhen, China (Cytec doesn’t appear in a web search, but Cytac
does).

According to the report, the keyboard’s software sends keypress statistics
to two destinations at that IP address: “/cms/json/putkeyusedata.php” and
“/cms/json/putuserevent.php.” An analysis shows that all information is
crossing the internet in plain text, meaning it’s unencrypted and exposed to
anyone snooping on your internet connection. That means hackers — in
addition to MantisTek — can grab anything you type, including email
addresses, bank account numbers, and login credentials.

The best defense against MantisTek’s alleged keystroke snooping is to not
use the GK2’s included software. Based on the product information, you can
adjust the illumination and lighting effects manually on the keyboard using
a combination of keys. You can do the same when recording macros.

But if you wish for the software to remain installed, then block CMS.exe in
your firewall to prevent the software from sending and receiving
information over the internet. To do this in Windows 10, type “Windows
Firewall” into Cortana’s search field on the taskbar, then click on “Windows
Defender Firewall with Advanced Security.” After that, add a new Inbound
and Outbound rule for CMS.exe.
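The firewall steps above, as an added PowerShell example that is not part of the original article: it creates the inbound and outbound block rules for CMS.exe and then lists them for verification. The install path of CMS.exe is an assumption (the article does not give it), so pass -CmsPath with the real location; run it from an elevated prompt.

```powershell
# Added example: PowerShell equivalent of the GUI steps in the article.
# Blocks MantisTek's CMS.exe in both directions with Windows Defender Firewall.
param(
    # Assumed location; the article does not state where the GK2 software installs.
    [string]$CmsPath = "$env:ProgramFiles\MantisTek\CMS.exe"
)

if (-not (Test-Path -Path $CmsPath -PathType Leaf)) {
    throw "CMS.exe not found at '$CmsPath'; locate the binary and pass -CmsPath."
}

$rules = @(
    @{ Name = "Block MantisTek CMS.exe (outbound)"; Direction = "Outbound" },
    @{ Name = "Block MantisTek CMS.exe (inbound)";  Direction = "Inbound"  }
)

foreach ($r in $rules) {
    # Skip rules that already exist so re-running the script does not create duplicates.
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule already present: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction $r.Direction `
        -Program $CmsPath `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
    Write-Host "Created: $($r.Name)"
}

# Verify: show the block rules together with the program path each one applies to.
Get-NetFirewallRule -DisplayName "Block MantisTek CMS.exe*" |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Program   = $app.Program
        }
    } | Format-Table -AutoSize
```

If the keyboard software is later reinstalled to a different path, the rules keep pointing at the old binary and must be recreated.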

Mechanical keyboards with virtually no security issues (that we know of)
are typically manufactured by high-profile companies such as Razer,
Corsair, Logitech, Roccat, Microsoft, Cooler Master, Thermaltake, and a few
others. But even with these products, installing software should only be
necessary if you want access to the keyboard’s core features. The less
software you install, the happier your PC will be.

To be clear, Alibaba isn’t collecting information from owners of the
MantisTek GK2 mechanical keyboard. The company provides cloud services, aka
Alibaba Cloud, including an elastic compute service, a virtual private
cloud, an analytic database, and anti-DDoS services. The “cloud driver” may
be silently collecting information for analytic purposes rather than
intentionally collecting sensitive information.

Still, keylogging is unacceptable no matter the root intention.