# Company IT team preventing the use of the keyboard - security issue?

28 messages · Page 1 of 1 (latest)

minor cape
#

Hi!

I make keyboards for some customers.

For the build, I use RP2040 Pro Micro (Tenstar from Aliexpress)

In my firmware repo, I am using a CONVERT_TO=rp2040_ce. Also, I should say that I am using Vial, but the problem may not be related to it.

This is the second time someone has told me that they were using the keyboard at work and the IT team has warned them about it. The first time, the team confirmed the firmware was open source and there didn't seem to be any real issues. But the second time, they completely banned its use and even issued a warning.

The only information the IT team provided was that the system displays logs that appear to be coming from a Raspberry Pi. I know this is the technology used in the RP2040.

What could be causing this, and is there something I can modify in the firmware to fix it?

Is it something in the hardware that can't be changed? Is there an active debug setting? Perhaps communication with the computer to interact with the customization software?

What do you think?

echo seal
#

You'll have to talk to your infosec team, only they know what they're looking for, and what they consider problematic.

#

All I can imagine is that the bootloader is showing up as a USB mass storage device, and some infosec teams are allergic to USB mass storage devices.

#

They're your source of truth.

minor cape
#

update: he also uses a Keychron and did not have any issues yet

minor cape
balmy gulch
#

The "less interesting" the device is, the less IT will even notice it.
Don't ever put it into bootloader while connected to the work machine.

minor cape
#

I just found out both customers work in the same place. They will help each other and maybe I will get more feedback. Ty!

tame parcel
#

definitely do not enter bootloader mode in a highly monitored/secured environment

#

I think Vial could also conceivably be a no-no. Though in principle it is more secure than VIA, it still creates an unnecessary communication channel between the keyboard and the host, which under some circumstances could send private information.

thick fiber
#

I've seen inventorying software that lists the VIA endpoint as a 5/10 risk because it doesn't know what it is.

dire flint
#

pretty sure VIA technically is a keylogger, or could be used for one, due to the matrix tester

echo seal
#

Not in recent builds, that was disabled

brittle kite
#

> update: he also uses a Keychron and did not have any issues yet
bets on that board still having that issue

echo seal
#

if it's VIA, sure, if it's the mass-storage bootloader, perhaps not

#

e.g. my work's infosec team give you a ring if you connect a USB stick to your work laptop

#

paranoia is strong with that mindset, likely moreso for financial institutions

tame parcel
#

how did VIA patch the keylogger?

#

no more matrix tester?

#

some companies definitely take it too far but it's hard to be too safe with these things when there's a lot of money on the line

echo seal
tame parcel
#

oh lmao

#

good choice ty QMK team

echo seal
#

We’ve tried to be accommodating with them but they don’t respond 🤷

tame parcel
#

checks out that VIA literally does not care

#

wish we could all get along

#

such is open source

echo seal
#

10th Nov 2022 was the last correspondence we’ve had with their core team, go figure