Giving a Blackwidow it’s “Teensy” Fangs

Giving a Blackwidow it’s “Teensy” Fangs: How to Install Hardware Backdoors within Modern Keyboards

TLDR; It is very possible to place a Teensy within modern keyboards and mice as a hardware backdoors in order to implant a Trojan on a targets computer.

Warning #1: Please understand that working with electrical equipment and components is inherently dangerous. Burns, shocks, and electrical fires are fairly common when attempting to manipulate commercial/consumer grade electronics.

Warning #2: The author of this article claims no responsibility for personal harm or damage to personal property. This information is provided as is and without merit or warranty.


Some of our tougher targets have gotten very good at detecting and shutting down our normal social engineering attack vectors. In fact several are now able to systematically detect and shutdown our classic, emails, phone calls, and media drops Trojans. Once a client has established a strong defense against our standard attack vectors we are at somewhat of a loss as to how to approach social engineering. This has forced our team to come up with new and innovative ways to get in and get access.


My innovative idea is a new twist on an older poly idea, the hardware backdoor. Where one actually solders malicious hardware into another hardware system to gain access. This is normally done to subvert security controls such as drive encryption or to maintain access to a computing system.

However I’m not the NSA, nor am I am electrical engineering, so instead of attempting to compromise an entire computing system, I set out to simply place a hardware device within a keyboard. The idea being that I could purchase a few higher end keyboards, backdoor them, and send them out as gifts to targeted individuals. I quickly discovered a cheap Arduino based keyboard controller called Teensy and set out on my quest.

After conducting some further research, I quickly realized why we don’t see this attack vector being used in the wild. I won’t go into complete detail on every discovered issue, but a brief list is as follows.

  • Most keyboards are now soft-key using two sheets of conductive plastic and a rubber boot to trigger a key-press.
  • Space is normally very limited and many keyboard types such as soft-key don’t handle added pressure well.
  • Creating a custom keyboard or even a DYI 60% (uses a modern PCB with built in controller), is very time consuming and expensive.
  • Keyboards now use proprietary layouts and controllers which make tampering with them difficult.
  • Almost all mechanical and soft-touch keyboards are now made with a dual or triple layer PCB, adding literally layers of complexity.
  • Simply splicing a device in the middle of the USB connection creates added complexity by requiring the handling of serial timing, errors, and interrupters.

Needless to say, I had to simplify my plan even further. So I narrowed my focus to Cherry MX mechanical keyboards with built in USB hub ports. Since the Cherry MX keys are extremely sought after and conveniently take up quite a bit of space, it should be fairly easy to tuck the quarter sized Teensy into some free space. Additionally, if there is already a USB hub built into the keyboard controller, I can simply add the device inside by soldering the Teensy directly to the internal leads.

Note: Using this method is quick and dirty. It will take over said USB ports communication path and power channel. If another USB is plugged into the target port, best case scenario one of the two devices doesn’t power up, worst case you have yourself a nice little electrical fire. As such I would recommend clipping the pins or putting a plastic cover over the original USB hole.

The last step is simply programing the Teensy, which is somewhat out of the scope of this article, due to complexity and lack of one size fits all payload. However the Social Engineering Toolkit (SET) contains a great of code to use as a starting point (linked bellow in references).

Note: Creating payloads requires the Arduino IDE with the Teensy library’s, modules, and extensions installed. You also require direct access to the Teensy via a micro-USB cable. Meaning VMware and the aforementioned hub setup should be avoided when compiling and uploading your payload.

Blackwidow Photos

Unfortunately the project for which I backdoored the Razer Blackwidow Ultimate had a fairly tight time table and did not allow for me to get very good photos. Nonetheless, I’ve included two of the better photos I have of the Blackwidow, to show that the same techniques can be successfully applied to modern keyboards as well.

Showing the completed build out of the Blackwidow with the Micro-USB attached to the single set of USB leads on the builtin controller.
Teensy within Blackwidow

This photo shows the limited space within the Blackwidow shell. In fact the cable as to be flush with the PCB corner in order to get the case to close. Then the Teensy itself  has to be firmly placed in an angle between the row of F-keys and the back wall of the lower plastic frame. In future builds I’ll likely just shave/grind down the plastic frame and or PCB to make things fit more precisely.
Teensy tucked within Blackwidow

About the Teensy

The Teensy is a quarter sized fully programmable keyboard controller based on the open Arduino hardware standards. The Teensy allows for complete control over the keyboard, mouse, and touch screen via pseudo C code. It allows for roughly 30,000 lines of compiled code and roughly 60MB of on board storage, so we can accomplish quite a bit. It also is designed and built in such a way to allow for it to be easily extensible by offering 54 leads/pins for project flexibility. The Teensy also operates at as low as 3.3 volts with .25 amps and as high as 6 volts with 1 amp, making it robust enough to be connected directly to a powered or unpowered USB hub/port within a keyboard or mouse.
Offical Teensy Pin Layout

A Simplified How To Guide

The photos below are of a generic HP console keyboard being backdoored. This is simply because I happened to have it laying around and it awarded me the time and error tolerance required to provide detailed photos and guidance. As stated, they same steps can generally be followed on a Blackwidow, however the components are quite a bit smaller and space is more limited, making it much harder to work with and display.

The first step is fairly simple, just take all the screws out of the back of the keyboard and pop the back cover off. Just be very careful to not damage any of the components or parts, including the tiny plastic tabs that normally seal the edges.
Opening a Modern keyboard
Next identify the USB port to target by considering surrounding space and ease of access. Here I’ve chosen to use the forward set of pins since there is more space and avoids the lower screw hole/ground.
Viewing Configuration of onboard USB Hub
Next review the orientation and contacts of the female USB port to identify each lead against the USB standard. In this case the leads were on the lower portion of separator within the female USB port.These leads are just copper or aluminum that normally just have a 90 degree bend and connects straight down on the bottom of the board. In my case the leads simply passed straight through to the bottom USB port and were arranged in order from 1 to 4.
Viewing Pin-out of onboard USB Hub
Next cut a micro USB cable to the needed length, remove the shielding, remove the netting, untwist the wires, and strip the ends of each of the four wires. Then be sure to cut away all of the excess shielding and netting, so it doesn’t get in the way going forward.
Preparing USB wires for Teensy
In my case, each of the striped wires had dozens of tiny aluminum wires within them, instead of a single copper core. This can make keeping these wires together while soldering really annoying, but can also be used to your advantage by soldering the smaller wires together into a nice single bundle. The bundle makes soldering easier and the excess solder soaked up by the wires, normal removed to need to add additional solder when connecting the wires.
Combining Aluminum Wires Together
Once all the bundles are complete, they should all be soldered together and have a small ball on the ends. The ball on the end is used to quickly heat up each joint with the soldering iron and to quickly set the wire on the lead by holding it in place for a few seconds. If you are sensitive to heat, you may want to use some metal clips or helping hands.
Preparing Aluminum Wires
Be sure to double and triple check your solders against the USB wiring standard before testing, to avoid electrical fires.
USB Standards

Note: For those who may not know how to solder or need a refresher, I’ve included a info-graphic bellow that I think provides enough information to hit the group running.

Solder Guidance
Once all the wires are soldered into place, simply make sure none of the surrounding leads are jumped or damaged and then run some tests to verify the system works as intended. In my case I had an issue with the ground initially and the Teensy was not receiving power, so always test thoroughly.
Connecting Teensy to USB Hub
Once everything tests okay, find the best placement for the Teensy and secure the cable, Teensy, and solders with hot glue and/or electrical tape. In my case I had originally wanted to place my Teensy on the left side of the USB but the cable was too large for the sharp corner. Instead I carefully adjusted the cable over to the right under the USB hub cable.
Cleaning up Teensy Cable Connections
Once the Teensy and cable are secured in place, run some additional tests, to ensure nothing was damage then button everything up. Just note as stated earlier, you will need to remove the Teensy in order to properly connect it directly for development of your payload.
Hiding Teensy under USB Cable
The next image shows the Teensy hidden away under the USB hub cable. Just be careful about placing the Teensy on its face, as seen here, due to the payload launch button on the face. If its compressed it will continuously fire the payload until power is removed or all of the Teensy’s resources are locked up.

Teensy Under USB Hub Cable


As always I want to include references as a massive thank you to the community at large. I couldn’t have done this without their help, support, and knowledge.

PJRC makers of the Teensy:

USB Standard Pin-outs:

Teensy Payloads by TrustedSec:

Arduino References:

Blackwidow Disassembly video:

How to Solder:—through-hole-soldering

How I “Kinda” Won The BsidesIndy CTF

I’d first like to thank everyone who worked hard to make BsidesIndy so awesome. It was the first time I have every gone and from my understanding, the first time it has every occurred. Needless to say it was a stunning success in my book.

When I go to conferences I like to always make time to visit the capture the flag events. Sometimes I do really well, sometimes I do rather poorly, and sometimes I just meets some cool new people, but I always send time at there. Simply put, there is just a lot of learn from spending an hour or several competing against others within the same industry. As such, Bsides Indy was no exception. I showed up to the BsidesIndy CTF table ready to learn some new tricks and got all set up.

In the BsidesIndy CTF, competitors could register as either the blue (defensive) or red (offensive) team. So while I was waiting for my login credentials to be generated, I looked over the score board and noticed that there was not anyone on the red team. So I choose to register as the red team, and quickly noticed that many, if not all, of the individuals at the CTF table on either side of me were on the blue team. So I started by doing some nmap scans on the /24 network that was given to me to test, but I quickly noticed that many of the blue team members were just yelling up and down the table, with information about each of the boxes. So I listened in for a while and was able to learn the IP addresses and services of many of the boxes. I then noticed that the gentlemen beside me was having some issues getting his web services up on a box he was working on. So I deiced to help him out and what do you know, a few config files, iptables rules, and service restarts brings to web services back up. However when I was working with him, I noticed that he kept referencing a web pages for IP addresses, usernames, and passwords. So, after helping him repair the services on the second box, I simply asked for the URL of the web page he was using and he was more then happy to give it to me. I then spent the rest of the competition, gaining access to different Linux boxes, establishing persistence, and hunting for flag. By the end of the game, I had active beacons on 5 different systems (Unfortunately not displayed at the end of the competition, when the screen shot was taken) and possession of several of the flags. I’m honestly not even sure, if my original nmap scan even finished.

Screen Shot 2015-02-21 at 5.41.22 PM

My Honest Advice About Information Security Education

Now that I am a security professional and mentor, there is one question that still haunts me to this day. It’s that simple moment when an aspiring young hacker (formal use, as in enjoys figure out how things work), looks to the future and asks for advice in furthering their education. The question is normally placed in the form of “Where should I go to school?” or “What college do you recommend”. I hesitate to answer these types of questions, because honestly my answer would be none. I find it hard to bring myself to recommend any of the schools I’ve gone to or have heard of to an InfoSec geek like myself. In fact I wish someone would have sat me down a few years ago and told me the truth about prospects for education. Instead, I got the same old sales pitches for degree’s that severe all your needs, from the big universities. So, for anyone out there who is looking for barely honest advice on the topic of information security education, I offer up my experiences in clear text for your consumption.

The first and last piece of advice I would give anyone is that you will need to do a substance amount of learning on your own time. I don’t care what college one goes to, or what program they belong to, they will not cover the material you need to know to work in the field. Most of the schools I’ve heard of do not offer any classes in information security and if they do, it’s a theory class that goes to about the level of a CompTIA Security+ certification. I think there are two main causes of these issues, based upon the colleges I’ve attended. First Is just fear, they are scared of teaching the “dark arts” to students, because of both the legality that exists and the fact that students may use their knowledge for unethical means. The second is the shear lack of student interest, accreditation, and standardization that has led to a truly sluggish development of InfoSec course work. That being said, there has been a noticeable push by several government bodies to form a basis for preparing security professionals for the future. This effort, known as Centers of Academic Excellence in Information Security, is in its infancy and still only has the backing of a few large, slow-moving institutions. So needless to say, it stands to be quite a while before we see fully developed information security degrees. In fact based on speaking with several universities, I don’t expect to see a fully accredited Information Security Bachelor’s degree from a top 10 school until around 2020.

That being said, there is a real need in the current education landscape to supplement your education, with additional work outside the class room. The good news is for us InfoSec geeks, there is a lot of free and cost effective training out there for us. The bad news is, you will have to prove you were engages in it and/or justify it to any future employer.  This learning commonly takes place online and can be video lectures like those found on and Others can be rather cost effective courses taught by security professionals online, like Georgia Weidman, Joseph McCray, and Marcus Carey. I also highly recommend going to as well InfoSec conferences as possible as well, as they are a wealth of information and networking opportunities for a future career. Many of these conferences are free of charge, the bsides events, and many others have limit student rate tickets as well. Also be sure to get involved in as many of the InfoSec competitions as possible to brush up your skills. Some may require you to be a full time student at an accredited university, but still do as many as possible. Some of the major competitions for college students are CCDC, CyberWars, and NCL.

The other huge source of knowledge is technical certifications. These certifications can be a great learning opportunity and great proof of knowledge to an employer. However, in the Information Security Industry not all companies give certifications the same weight. In fact some may require you have or acquire a certification, while others many not even give you a pat on the pack for them. In fact, many certification exams have been getting easier and more expensive over the years as demand has gone up. This devalues the certification itself, and makes the cost much higher. For this reason, I recommend not getting cert happy while in school. As a side bar, I will recommend taking all certifications for any courses that will gain you credit for passing the certification exam itself. This will save you a signification amount of money and give you something else to really shine on a resume. There is nothing wrong with doing the course work for a certification and explaining that to an employer.  They will understand and you will find that a lot of employers will pay for certifications when you are in the work force. As such I recommend doing just that, if you take a course and like it, find the certification and study the material. Simply state you completed the course work on your resume instead of the certification itself and explain the cost barrier to any prospective employer. This makes a nice conversation piece during the interview process and will help with the cost. Just do not feel the need to go out and get all the certifications, they are rather costly to maintain and may not produce the desired result.

Now I would not necessarily say there is a requirement in this industry, to go to a collegiate institution. However from personal experience I will say many large corporations will require at least a 4 year degree before they will consider you. Most of the time however, the hiring process comes down to what you have done in the past and how you present that information to a hiring manager. Never the less if you are looking for a college or need to go, here are some helpful questions to find the right place.

  1. 1.       Does the college offer a course over open source software and operating systems (linux)?

This question is where I think many colleges currently fall short. Most universities I talked to, during my search for a school, were all about teaching Windows, Cisco, and Java.  These technologies may be the most common, but they will severally limit your abilities when it comes to a career in the field. I put Linux in as an example, because if they do not even teach an introduction to Linux you are going to be really hurting. The truth of the matter is most security professionals use Linux every day and develop their tools for it as well.

  1. How many courses do you have that relate to the security, integrity, confidentiality and availability of computer networks?

This question is almost self-explanatory, it seeks to drill down and ask how many courses you will get that will be directly related to your field. This will hopefully give you some additional information about the types of course you will be taking and how they might relate to your prospects for a career.

  1. Is there a student organization on campus that focuses computing, security, InfoSec, or Cyber Defense? If so, do they engage in competitions?

It is very import to be involved with active student organizations that exist on a school’s campus. In my experience these organizations offer more of a learning experience then most classes. If a school does not have any such organization it most likely is not that school for you. If it does, try and set up a meeting with several of the members. It is just as important to make sure you will mesh with any groups that exist there. Also check and see what professional or national organizations meet on campus or nearby, these groups will offer great networking opportunities and can be a good source of knowledge as well. Most importantly, figure out if any of the organizations participate in collegiate competitions. If they don’t, check with the dean or a few professors about the policies on engaging in such events. You might find that some school will not support these academic competitions and in which case, the school is probably not a good choice.

  1. Is this school accredited or do they do research in the realm of Information security?

Once again this will really speak to the quality of any program that exists at the prospective institution. Just be sure to ensure that the school holds a current version of the accreditation that they claim they have. If, they are doing information security research ask about the projects they are working on and who is involved. If it’s a single grad student or a professor who has an interest in security and are doing some research it might not be a good reason to go. Also be sure to check that the research is current and producing useable results, there is no reason to go to an institution with bad research practices.

  1. Are there any courses that require a certification for completion or follow a certification track?

As I stated earlier in my tangent about certifications, they are a double edged sword. If the institution focuses too heavily on certifications it may not be the best choice. However, on the other hand if they encourage and support their students in acquiring certifications as opposed to requiring it, they may very well be a good choice. Be sure to ask if they school has a certification center on campus. If they do, be sure to ask which certification companies they are contacted with. Also ask if vouchers or reduced rates are available for students.


Once you have chosen a university or school the next step is making the most out of the experience.  Now there are several ways to maximize your learning, and I will continue to update this list with more over time, but here are my top few.

  1. Get involved with student organizations and always strive to make them that one step better.
  2. Try your best to pass your knowledge on to the other students and expect the same in return.
  3. Find the professors who encourage you to orient your assignments toward your prospective career and take as many classes with them as possible.
  4. If your professor does not allow you to orient your work or doesn’t let you do it your way (and you still fulfill the assignment criteria), do it anyway, and if issues arise go straight to the dean.
  5. Try to get local or regional security professionals to give a talk at your institution.
  6. Never forget to have fun or you will burn out.
  7. Find internship opportunities and do the work you love.