by rollcat 547 days ago
The standalone microcontroller in your physical keyboard can run arbitrary code, and it's been able to since we invented keyboards attached to the computer via a port. What's there to stop the manufacturer (or a sophisticated attacker) from:

- recording your keystrokes in non-volatile memory, to be extracted later?

- exfiltrating them in real-time via Bluetooth (yay for wireless peripherals), WiFi, LoRa?

- asking the OS to install a driver, which (even if approved/signed) could have exploitable security holes?

The main hurdles are scale and sophistication, which, with an all-software "keyboard", were no longer an issue.

3 comments

Weren't (true) PS/2 keyboards exempt from all of that? Of course someone could always achieve the first one with enough effort, but it would be adding in lots of things from scratch rather than repurposing the existing hardware that many keyboards have now.

And PS/2 had a maximum draw of 100mA, so even piggybacking on that would be challenging, I'd assume(?) - not an expert. A Teensy, which was the benchmark for lots of custom keyboards, can pull most of that [1].

[1] https://forum.pjrc.com/index.php?threads/teensy-3-6-vs-4-0-m...

You can flash your own firmware which you can inspect. QMK and ZMK are two very popular options.

By "very popular", you mean "as many as 0.0001% of people worldwide use it", though.

That's a gross underestimation. At current world population levels that comes out to be 8000 people. The QMK GitHub repo alone has over 18k stars and almost 40k forks. So yeah, very popular!

Ok, so let's be very generous and say 0.002% :) Very popular!

Now exclude world population who is not using computers with separate keyboards in the first place. And maybe everyone who would not bother with firmware. In that context it's sorta popular. Maybe even very.

The same problem exists for the main processor as well. The issue persists.