24 Comments
RadiclDreamer - Tuesday, December 3, 2019 - link
Wow, talk about a solution looking for a problem.
This looks about as useful as the HDMI cables with virus protection built in...
jordanclock - Tuesday, December 3, 2019 - link
This is a solution to a real problem, if it works as stated. Hardware key loggers and key injectors are very real attacks and this offers some protection.
III-V - Tuesday, December 3, 2019 - link
HDMI virus protection serves its use in parting fools from their money.
This, on the other hand, helps protect a computer against things like "evil maid attacks". There's actually a legitimate use for securing everything humanly possible.
But yes, the entire security industry's motto is "solutions looking for problems". Without creating boogeymen, they wouldn't be able to make a living.
willis936 - Tuesday, December 3, 2019 - link
I’m no expert but I think KISS is a tenet of security. By adding in software layers you increase your attack surface. What’s best is to physically secure your computers, make sure you trust who you get your computer parts from and the manufacturers of those parts, and have competent IT.
You’re trading trust of one company for another. How do you know that the software implementation on these keyboards isn’t horribly insecure? It’s a cool concept and on the surface seems well executed, but I’d be nervous if I was relying on it.
Reflex - Tuesday, December 3, 2019 - link
KISS is not a blanket philosophy that is equally applied everywhere. By that standard we shouldn't use encryption, it's far simpler to operate without it and reduces your attack surfaces. Of course at that point no significant effort ever needs to be made to steal data at all...
In an ideal world yes you can perfectly secure every device with access to your network and ensure everyone with access can be perfectly trusted. We don't live in that world. In the real world not everything is under our control, and while we should avoid security that is either snake oil or that in its complexity can reduce network security (for instance, network security black boxes), ensuring end to end encryption that gets as close to each 'end' as possible is a wise approach.
When designing a security architecture, the assumption is that any given mitigation will be breached at some point, so the goal is to ensure two things: 1) that once breached there is another layer behind it, and 2) that data is compartmentalized so that at each failure only the minimum necessary data is able to be accessed.
What Cherry is attempting to do here does solve a real issue in physical security. That said, it needs to be audited to determine if it has been implemented correctly or not.
willis936 - Tuesday, December 3, 2019 - link
KISS does apply to security. The most secure computer system is one that doesn't exist.
Reflex - Tuesday, December 3, 2019 - link
I mean, I guess you can choose to look at it that way?
nathanddrews - Wednesday, December 4, 2019 - link
My non-existent Mac will never get a virus. It also can't play games. Fair trade-off.
BurntMyBacon - Thursday, December 5, 2019 - link
@nathanddrews: "My non-existent Mac will never get a virus."
Sounds like a plus.
@nathanddrews: "It also can't play games."
Nothing new here.
@nathanddrews: "Fair trade-off."
I'm not seeing the downside. I too shall augment my security at no detriment to gaming by making my Mac non-existent. (o_O)
rahvin - Tuesday, December 3, 2019 - link
Everything you listed doesn't protect you from a janitor or guest that sticks a hardware keylogger on the computer. Unless you physically lock your computer in the safe at night they are exposed to this type of attack.
Keyloggers are extremely tiny, most people wouldn't even notice them hooked up. They even come in things that look like legitimate powerstrips and other normal desk items. You should investigate it if you didn't realize this, because no amount of careful hardware selection will protect you from this type of attack unless you are physically locking up the computers when not in use. This product offers a solution to this by possibly locking the only keyboard connection to the supplied keyboard and encrypting all its traffic to prevent character insertion.
Companies and government agencies with heavy security requirements are likely to use something like this to prevent these types of attack possibilities and there is a TON of specialty hardware available on the open market to execute these types of attacks.
JanW1 - Wednesday, December 4, 2019 - link
"How do you know that the software implementation on these keyboards isn’t horribly insecure?"
By reading the source code. Look up "libsecureboard" on Github.
jordanclock - Tuesday, December 3, 2019 - link
No one needs to create boogeymen. There are boogeymen. There are a lot of them, in fact, and they are using every little opening they can find to get into systems.
mooninite - Tuesday, December 3, 2019 - link
@Anton (OP), Linux is more widely used in commercial space than you realize. I encourage you to step out of your Windows cage and explore the free air. Talk to companies that make Real Things (e.g. defense contractors) and you'll find they use Linux for not only backend but for front ends, too.
brucethemoose - Wednesday, December 4, 2019 - link
I bet a significant chunk of professional programmers use Linux as their primary OS as well.
drexnx - Tuesday, December 3, 2019 - link
>only works on Linux
>still has a windows key
hmmmm
jordanclock - Tuesday, December 3, 2019 - link
Secure Mode only works in Linux, but the keyboard can be used as a regular keyboard on any operating system.
GreenReaper - Tuesday, December 3, 2019 - link
I bet if you use Cinnamon's Windows 10 theme, it will work to open the Start menu: https://cinnamon-spices.linuxmint.com/themes/view/...
rahvin - Tuesday, December 3, 2019 - link
You don't actually think the "windows" key has no purpose outside windows do you?
CharonPDX - Tuesday, December 3, 2019 - link
I have to wonder about "encrypting each keystroke" though - statistical analysis can figure out what keys are actually being pressed if timing is recorded, too. To combat this, it would need to bundle multiple keystrokes and send them not in perfectly real time, which would be painful for all but the fastest typists.
GreenReaper - Tuesday, December 3, 2019 - link
Ah, but if they type fast enough, it might be able to compress them and *increase* the bandwidth!
jordanclock - Tuesday, December 3, 2019 - link
Padding and forward secrecy would protect against such an attack without having to do anything weird with inputs.
JanW1 - Wednesday, December 4, 2019 - link
I think one of the main purposes is that once the OS has loaded the drivers for their secure mode, it no longer accepts input from other USB HID (03h) devices. This thwarts attempts to inject keystrokes using malicious devices (Rubber Ducky), or simply to access the computer by connecting a regular keyboard. This probably also means you can't use a mouse on such a computer - maybe one of the reasons why Windows support was not the highest priority.
kalgriffen - Tuesday, December 3, 2019 - link
Or they can send a continuous stream of data and embed the keystrokes within the stream.
quadibloc - Monday, January 13, 2020 - link
Something like this would be more generally useful in the case of a wireless keyboard.
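The keystroke-timing concern and the "continuous stream" reply in the thread above can be made concrete with a small simulation. This is an added example, not part of the comment thread and not Cherry's protocol or libsecureboard code; the slot length, function names and typing samples are all constructed assumptions.

```python
from collections import deque

SLOT_MS = 10   # assumed fixed frame interval; illustrative, not a Cherry parameter
IDLE = None    # filler payload (same size as a key frame once padded and encrypted)

def event_driven(keys):
    """Baseline: one frame per keypress, so wire timing equals typing timing."""
    return [(t, k) for t, k in sorted(keys)]

def constant_rate(keys, duration_ms):
    """Emit exactly one frame every SLOT_MS; a pending key rides in the next frame.
    Bursts faster than one key per slot queue up and add latency."""
    pending = deque(sorted(keys))
    frames = []
    for t in range(SLOT_MS, duration_ms + 1, SLOT_MS):
        if pending and pending[0][0] <= t:
            pressed_at, key = pending.popleft()
            frames.append((t, key, t - pressed_at))   # (send time, key, latency)
        else:
            frames.append((t, IDLE, 0))
    return frames

def observer_view(frames):
    """What a tap on the cable learns when payloads are encrypted: send times only."""
    return [f[0] for f in frames]

def decode(frames):
    """What the host recovers after decryption: the keys, with filler dropped."""
    return "".join(f[1] for f in frames if f[1] is not IDLE)

def max_latency(frames):
    return max(f[2] for f in frames)

# Constructed sample input: (press time in ms, key) for two different words.
TYPED_A = [(12, "p"), (95, "a"), (210, "s"), (260, "s")]
TYPED_B = [(40, "r"), (48, "o"), (300, "o"), (415, "t")]

if __name__ == "__main__":
    for name, keys in (("A", TYPED_A), ("B", TYPED_B)):
        stream = constant_rate(keys, 500)
        print(name, "event-driven times:", observer_view(event_driven(keys)))
        print(name, "constant-rate frames:", len(stream),
              "decoded:", decode(stream), "max latency ms:", max_latency(stream))
```

With a 10 ms slot the added delay stays below one slot for ordinary typing, so the stream hides inter-key timing without the batching delay the earlier comment worried about.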