Mitigate VIA keylogger security issues (#25414)

Co-authored-by: Nick Brassel <nick@tzarc.org>
2025-07-01 21:42:05 +00:00 · 2025-06-29 02:29:33 +01:00 · 2025-06-29 02:29:33 +01:00 · 711b109246
commit 711b109246
parent 6347d18a2d
3 changed files with 16 additions and 0 deletions
--- a/builddefs/common_features.mk
+++ b/builddefs/common_features.mk
@ -635,6 +635,9 @@ ifeq ($(strip $(VIA_ENABLE)), yes)
    RAW_ENABLE := yes
    BOOTMAGIC_ENABLE := yes
    TRI_LAYER_ENABLE := yes
+    ifeq ($(strip $(VIA_INSECURE)), yes)
+        OPT_DEFS += -DVIA_INSECURE
+    endif
 endif

 ifeq ($(strip $(RAW_ENABLE)), yes)
--- a/docs/ChangeLog/20250831/PR25414.md
+++ b/docs/ChangeLog/20250831/PR25414.md
@ -0,0 +1,5 @@
+# Mitigate VIA keylogger security issues [#25414](https://github.com/qmk/qmk_firmware/pull/25414)
+
+VIA's keyboard matrix testing functionality, which allows users to identify active key presses, has been identified as a potential security concern by community members and security researchers. This feature has been demonstrated to enable unauthorized keystroke capture, with documented examples showing how malicious scripts could exploit this capability to create keyloggers. A recent security assessment revealed that user credentials could be compromised by exploiting the matrix testing function combined with VIA's keycode assignment queries. In this attack scenario, a script could remain active during a locked session and capture password input when users authenticate upon return.
+
+The QMK team notified the VIA team of this security vulnerability on May 17, 2022, and made multiple subsequent attempts to coordinate a mitigation strategy. Despite repeated outreach, the VIA team has provided no acknowledgment or response to these security concerns. Given the severity of the potential security implications and the lack of engagement from the VIA team, the QMK team has unilaterally implemented a security enhancement that modifies the keyboard matrix testing functionality to prevent the reporting of key press events. This change prioritizes user security and data protection over potential feature compatibility concerns within VIA.
--- a/quantum/via.c
+++ b/quantum/via.c
@ -22,6 +22,10 @@
 #    error "DYNAMIC_KEYMAP_ENABLE is not enabled"
 #endif

+#ifdef VIA_INSECURE
+#    pragma message "VIA_INSECURE is enabled - firmware is susceptible to keyloggers"
+#endif
+
 #include "via.h"

 #include "raw_hid.h"
@ -318,7 +322,11 @@ void raw_hid_receive(uint8_t *data, uint8_t length) {
                    uint8_t rows   = 28 / ((MATRIX_COLS + 7) / 8);
                    uint8_t i      = 2;
                    for (uint8_t row = 0; row < rows && row + offset < MATRIX_ROWS; row++) {
+#ifdef VIA_INSECURE
                        matrix_row_t value = matrix_get_row(row + offset);
+#else
+                        matrix_row_t value = 0;
+#endif
 #if (MATRIX_COLS > 24)
                        command_data[i++] = (value >> 24) & 0xFF;
 #endif