On June 06 a reddit post was made to a number of subreddits (r/netsec, r/pcmasterrace, r/mechanicalkeyboards) alleging that the Attack Shark R85 HE operates as a BadUSB device when plugged in and attempts to install a trojan, and perform infostealer operations such as stealing a LastPass vault and Microsoft credentials: r/pcmasterrace. Naturally, I had to see for myself so I immediately ran to amazon.ca to grab my own.
The Setup
Obviously since I’m not going to put this thing on a machine I care about, I grabbed a spare Dell XPS desktop I have kicking around, so that I can nuke it from orbit after the test. I installed and updated Windows (10), downloaded the drivers for the keyboard off the vendor’s site, and yanked the network cable and hucked it across the room (the cable that is, I’d like my walls to remain hole-free). I then clamped a spare camera with a magic arm to the back of the machine, so that we can film the process to toss on yt, so ensure the results can be reproducible. I will embed the video at the end of the post.
Results
So with all cameras rolling, I plugged in the keyboard to see it try to own me.
Nothing.
Gave it network (through a tethered burner), since I thought the moon runes might mean it was trying to reach out. Nothing. Translated it says it’s searching for the hardware.
Windows does not detect the keyboard as a keyboard, it does not go boopdaboop to signify a device has been added. Just a dead paperweight.
With my sample size of one, it does not appear that the keyboard is acting as a BadUSB device at all, unless mine’s a lemon what I do think is that the drivers are deliving the malware package.
That was anti-climactic. So at the end of the day, I do not believe the assumption that it’s operating as a badUSB device is entirely correct. If so, it seems to be a subset of devices. We’ll need further information when someone gets their hands on the keyboard belonging to the poster. Mine didn’t own me, but it’s also seemingly a paperweight, so something odd’s going on here. Either way I don’t know that I would trust this vendor, and I’d just grab a more known brand; it’s not worth gambling your data to save money on an input device.