{"id":231627,"date":"2026-04-06T03:38:00","date_gmt":"2026-04-06T07:38:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/06\/a-new-linux-kernel-driver-wants-to-catch-malicious-usb-devices-in-the-act\/"},"modified":"2026-04-06T04:25:17","modified_gmt":"2026-04-06T08:25:17","slug":"a-new-linux-kernel-driver-wants-to-catch-malicious-usb-devices-in-the-act","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/06\/a-new-linux-kernel-driver-wants-to-catch-malicious-usb-devices-in-the-act\/","title":{"rendered":"A New Linux Kernel Driver Wants to Catch Malicious USB Devices in the Act"},"content":{"rendered":"<p><a href=\"https:\/\/itsfoss.com\/news\/linux-driver-proposal-malicious-hid-devices\/\">A New Linux Kernel Driver Wants to Catch Malicious USB Devices in the Act<\/a><\/p>\n<p><a href=\"https:\/\/itsfoss.com\/news\/linux-driver-proposal-malicious-hid-devices\/\">https:\/\/itsfoss.com\/news\/linux-driver-proposal-malicious-hid-devices\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-06 03:38:00<\/a><\/p>\n<p>Source Domain: <a href=\"itsfoss.com\">itsfoss.com<\/a><\/p>\n<p>A patch has been submitted to the Linux kernel mailing list proposing a new HID driver that would passively monitor USB keyboard-like devices and flag the ones that look like they&#8217;re up to no good.<\/p>\n<p>The driver is called <strong>hid-omg-detect<\/strong>, and it was proposed by Zubeyr Almaho.<\/p>\n<p>The way it works is fairly clever. Rather than blocking anything outright, <strong>the module sits quietly in the background and scores incoming HID devices<\/strong> based on three signals: keystroke timing entropy, plug-and-type latency, and USB descriptor fingerprinting. 
The idea here is that a real human typing on a real keyboard behaves very differently from a device that was purpose-built to inject keystrokes the moment it&#8217;s plugged in.<\/p>\n<p>If a device&#8217;s score crosses a configured threshold, the module fires off a kernel warning and points toward USBGuard as a userspace tool to actually do the blocking. Zubeyr adds that the driver itself does not interfere with, delay, or modify any HID input events.<\/p>\n<p>This is already the second revision of the patch. The first pass got feedback on things like global state management and logging inside spinlock-held regions, all of which have been addressed in v2.<\/p>\n<h2 id=\"is-there-a-real-threat\">Is there a real threat?<\/h2>\n<p>The short answer is yes. The proposal explicitly calls out two threats, <strong>BadUSB<\/strong> and <strong>O.MG<\/strong>; both are worth knowing about.<\/p>\n<p>BadUSB is the broader class of attack that was <strong>first disclosed back in 2014<\/strong> by security researchers. It works by reprogramming the firmware on a USB device to impersonate a keyboard.<\/p>\n<p>The operating system sees it as a perfectly normal input device, trusts it completely, and lets it do whatever its payload tells it to, whether that is opening terminals, downloading malware, or exfiltrating data.<\/p>\n<p>The O.MG Cable takes the same idea and hides it inside something that looks exactly like a regular USB cable. 
There&#8217;s a tiny implant built into the connector that can inject keystrokes, log them, spoof USB identifiers to dodge detection, and be controlled remotely over&#8230;<\/p>\n<p><a href=\"https:\/\/itsfoss.com\/news\/linux-driver-proposal-malicious-hid-devices\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A New Linux Kernel Driver Wants to Catch Malicious USB Devices in the Act https:\/\/itsfoss.com\/news\/linux-driver-proposal-malicious-hid-devices\/&#8230;<\/p>\n","protected":false},"author":1,"featured_media":231628,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/itsfoss.com\/content\/images\/2026\/04\/linux-driver-proposal-malicious-usb-detection.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32,57],"class_list":["post-231627","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231627"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=231627"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231627\/revisions"}],"predecessor-version":[{"id":231629,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231627\/revisions\/231629"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/231628"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=2316
27"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=231627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=231627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}