all blog now

May 18, 2024

What is HID Keyboard Device?

When a USB keyboard or mouse is detected in the Windows system, it may show up as an HID Keyboard Device. This is because the USB keyboards and mice follow a specific protocol that is defined by the Human Interface Device (HID) specification. The driver that manages these devices can be updated using the Device Manager tool in Windows. To do this, right-click the Start icon and select Device Manager. Then, expand the Keyboards and Mice section and right-click the USB HID Keyboard Device and select Update driver.

The HID protocol defines how these devices communicate with software. It specifies how each device can send output data based on the pressed or released state of a button. This information is encoded in a data packet that the device presents to the host. These data packets can be sent over a standard USB Setup Transaction with a one-byte data stage. The data stage is used to specify the purpose of each byte and bit in the packet. The host can then determine the status of a button by reading the contents of that packet.

Some HID devices have extra data fields in their report descriptors to add functionality that isn’t covered by the default HIDCardDeviceReport. For example, some keyboards may have a field to indicate whether the Caps lock modifier is active. This can be useful for games that use the index finger and thumb to invoke repetitive commands, such as pulling the trigger or activating an often used game function.

A malicious USB HID device can also be exploited by performing a so-called “HID attack.” These attacks are designed to intercept input from the victim’s computer and type out predefined commands at high speed. These attacks can be very difficult to detect, as they usually only result in a stutter or blip on the screen of the victim’s computer.

HID attacks can be very difficult to protect against, as they use standard USB communication protocols. This is why reliance is placed on technical defensive measures such as USB storage device blocking policies and end-point detection and response solutions.

The example below shows a USB based HID keyboard that uses the push buttons PB0 and PB1 to generate external interrupts that are used to notify the MCU of a button press or release event. The MCU then converts the reported character to an appropriate keycode, formats the report into a USB device notification, and transmits it to the host. The notification includes a timestamp and the identifier of the current keyboard element. The handleKeyboardReport method in the example driver overrides the inherited dispatchKeyboardEvent method and immediately dispatches any new reports to the system. This ensures that the application receives the earliest possible time-stamped events. It also prevents any unnecessary delays that might otherwise occur if the driver waited for each inherited dispatchKeyboardEvent method to complete before submitting new events to the system.