If you are the owner of a MantisTek GK2 mechanical keyboard, you may want to change your passwords. Users are reporting strange network connections being made by its accompanying software that point to an IP connected with Alibaba's cloud servers. A packet analysis shows that the data being sent to the Chinese server includes keys typed by the user.
This keyboard is extremely cheap and it looks like MantisTek is trying to offset the cost by selling its users' key press data. The physical keyboard itself is fine, but the software package that comes with it is where the troubles lie.
The "Cloud Driver" software regularly sends packets to an IP tied to servers operated by Alibaba. The Chinese e-commerce giant sells cloud computing services just like Amazon and Google, so it's likely that Alibaba itself is not using the data directly. The data is also being sent in plaintext.
Thankfully, stopping the keylogger is extremely simple. Disabling the Cloud Driver software from running in the background should do the trick. Another method is to block network access for the CMS.exe process in your firewall. This can be accomplished by adding a new outbound firewall rule for the Cloud Driver. Tom's Hardware recommends using the GlassWire network monitoring tool for those that want a one-click resolution method.
While most mainstream products are thoroughly vetted for privacy and security concerns, buying directly from the Chinese manufacturer does not always grant you this luxury. It's up to the consumer to decide if the cheaper price is worth the potential risk.
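The outbound firewall rule for CMS.exe described above can be created from an elevated PowerShell session. This is an added example, not code from the original article or from MantisTek; the rule name is hypothetical, and the executable path is read from the running process because the article does not give the install location.

```powershell
#Requires -RunAsAdministrator
# Added example: block outbound network access for the Cloud Driver (CMS.exe).

$processName = 'CMS'   # CMS.exe, the process named in the article
$ruleName    = 'Block MantisTek Cloud Driver outbound'   # hypothetical rule name

# Resolve the executable path from the running process instead of guessing it.
$procs = Get-Process -Name $processName -ErrorAction SilentlyContinue
$paths = $procs | Where-Object Path | Select-Object -ExpandProperty Path -Unique
if (-not $paths) {
    throw "No running $processName.exe found. Start the Cloud Driver once so its path can be resolved."
}

# Record what the process is talking to right now, before blocking it.
foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        Select-Object @{n='PID';e={$p.Id}}, RemoteAddress, RemotePort
}

# Paths already covered by a rule with this name, so reruns do not add duplicates.
$covered = @(Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Get-NetFirewallApplicationFilter | Select-Object -ExpandProperty Program)

foreach ($path in $paths) {
    if ($covered -contains $path) { continue }
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Profile Any `
        -Program $path | Out-Null
}

# Verify: list the rule(s) and the program each one applies to.
Get-NetFirewallRule -DisplayName $ruleName |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
```

The rule is bound to the executable path, so it stops applying if the software is reinstalled to a different location; rerun the script after any update to the Cloud Driver.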