A New Linux Kernel Driver Wants to Catch Malicious USB Devices in the Act
https://itsfoss.com/news/linux-driver-proposal-malicious-hid-devices/
Publish Date: 2026-04-06 03:38:00
Source Domain: itsfoss.com
A patch has been submitted to the Linux kernel mailing list proposing a new HID driver that would passively monitor USB keyboard-like devices and flag the ones that look like they’re up to no good.
The driver is called hid-omg-detect, and it was proposed by Zubeyr Almaho.
The way it works is fairly clever. Rather than blocking anything outright, the module sits quietly in the background and scores incoming HID devices based on three signals: keystroke timing entropy, plug-and-type latency, and USB descriptor fingerprinting.
The idea here is that a real human typing on a real keyboard behaves very differently from a device that was purpose-built to inject keystrokes the moment it’s plugged in.
If a device’s score crosses a configured threshold, the module fires off a kernel warning and points toward USBGuard as a userspace tool to actually do the blocking. Zubeyr adds that the driver itself does not interfere with, delay, or modify any HID input events.
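To make the scoring idea concrete, here is a userspace sketch added as an example; it is not code from the patch. The weights, threshold, bucket width, function names and sample timestamps are all assumptions, and the descriptor check is reduced to a boolean because the article does not say what the driver fingerprints.

```python
import math
from collections import Counter
from itertools import accumulate

# Every constant here is an assumption for illustration, not a value from the patch.
BUCKET_MS = 10           # histogram bucket width for inter-key intervals
MIN_KEYS = 8             # keystrokes required before timing is judged
LOW_ENTROPY_BITS = 1.5   # below this, timing looks machine-generated
FAST_FIRST_KEY_MS = 500  # first key sooner than this after plug-in is suspicious
THRESHOLD = 60           # score at or above this triggers a warning

def interval_entropy(timestamps_ms):
    """Shannon entropy (bits) of bucketed inter-keystroke intervals."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    if not gaps:
        return 0.0
    counts = Counter(g // BUCKET_MS for g in gaps)
    n = len(gaps)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_device(plug_ms, key_ms, descriptor_suspicious=False):
    """Return (score, reasons) for one HID device. Observes only, never blocks."""
    score, reasons = 0, []
    if key_ms and key_ms[0] - plug_ms < FAST_FIRST_KEY_MS:
        score += 40
        reasons.append("plug-and-type latency")
    # Too few keystrokes give a meaningless entropy estimate, so skip the check.
    if len(key_ms) >= MIN_KEYS and interval_entropy(key_ms) < LOW_ENTROPY_BITS:
        score += 40
        reasons.append("low timing entropy")
    if descriptor_suspicious:
        score += 20
        reasons.append("descriptor fingerprint")
    return score, reasons

def should_warn(score):
    return score >= THRESHOLD

# Constructed samples: a device typing every 5 ms right after plug-in,
# and a person who starts typing 4.2 s after plug-in with uneven gaps.
INJECTOR_KEYS = [120 + 5 * i for i in range(20)]
HUMAN_KEYS = list(accumulate([4200, 180, 95, 240, 130, 310, 70, 205, 160, 420]))

if __name__ == "__main__":
    for name, keys in (("injector", INJECTOR_KEYS), ("human", HUMAN_KEYS)):
        score, reasons = score_device(0, keys)
        print(name, score, reasons, "WARN" if should_warn(score) else "ok")
```

A script that fires a short burst straight after plug-in trips only the latency signal in this model, which is why combining several signals matters more than any single cutoff.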
This is already the second revision of the patch. The first pass got feedback on things like global state management and logging inside spinlock-held regions, all of which have been addressed in v2.
Is there a real threat?
The short answer is yes. The proposal explicitly calls out two threats, BadUSB and O.MG; both are worth knowing about.
BadUSB is the broader class of attack that was first disclosed back in 2014 by security researchers. It works by reprogramming the firmware on a USB device to impersonate a keyboard.
The operating system sees it as a perfectly normal input device, trusts it completely, and lets it do whatever its payload tells it to, be it opening terminals, downloading malware, or exfiltrating data.
The O.MG Cable takes the same idea and hides it inside something that looks exactly like a regular USB cable. There’s a tiny implant built into the connector that can inject keystrokes, log them, spoof USB identifiers to dodge detection, and be controlled remotely over…