{"id":5438,"date":"2026-04-06T00:35:58","date_gmt":"2026-04-06T07:35:58","guid":{"rendered":"https:\/\/catbradley.io\/?p=5438"},"modified":"2026-04-06T00:35:58","modified_gmt":"2026-04-06T07:35:58","slug":"a-new-linux-kernel-driver-wants-to-catch-malicious-usb-devices-in-the-act","status":"publish","type":"post","link":"https:\/\/catbradley.io\/?p=5438","title":{"rendered":"A New Linux Kernel Driver Wants to Catch Malicious USB Devices in the Act"},"content":{"rendered":"<p>A patch <a href=\"https:\/\/lore.kernel.org\/lkml\/20260404133746.80914-1-zybo1000@gmail.com\/\">has been submitted<\/a> to the Linux kernel mailing list proposing a new <a href=\"https:\/\/en.wikipedia.org\/wiki\/Human_interface_device\">HID<\/a> driver that would passively monitor USB keyboard-like devices and flag the ones that look like they&#8217;re up to no good.<\/p>\n<p>The driver is called <strong><em>hid-omg-detect<\/em><\/strong>, and it was proposed by Zubeyr Almaho.<\/p>\n<p>The way it works is fairly clever. Rather than blocking anything outright, <strong>the module sits quietly in the background and scores incoming HID devices<\/strong> based on three signals: keystroke timing entropy, plug-and-type latency, and USB descriptor fingerprinting.<\/p>\n<p>The idea here is that a real human typing on a real keyboard behaves very differently from a device that was purpose-built to inject keystrokes the moment it&#8217;s plugged in.<\/p>\n<p>If a device&#8217;s score crosses a configured threshold, the module fires off a kernel warning and points toward <a href=\"https:\/\/usbguard.github.io\/\">USBGuard<\/a> as a userspace tool to actually do the blocking. Zubeyr adds that the driver itself does not interfere with, delay, or modify any HID input events.<\/p>\n<p>This is already the second revision of the patch. 
The first pass got feedback on things like global state management and logging inside spinlock-held regions, all of which have been addressed in v2.<\/p>\n<h2>Is there a real threat?<\/h2>\n<p>The short answer is yes. The proposal explicitly calls out two threats, <strong>BadUSB<\/strong> and <strong>O.MG<\/strong>; both are worth knowing about.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/BadUSB\">BadUSB<\/a> is the broader class of attack that was <strong>first disclosed back in 2014<\/strong> by security researchers. It works by reprogramming the firmware on a USB device to impersonate a keyboard.<\/p>\n<p>The operating system sees it as a perfectly normal input device, trusts it completely, and lets it do whatever its payload tells it to, whether that is opening terminals, downloading malware, or exfiltrating data.<\/p>\n<p>The <a href=\"https:\/\/shop.hak5.org\/products\/omg-cable\">O.MG Cable<\/a> takes the same idea and hides it inside something that looks exactly like a regular USB cable. There&#8217;s a tiny implant built into the connector that can inject keystrokes, log them, spoof USB identifiers to dodge detection, and be controlled remotely over WiFi.<\/p>\n<p>Neither of these is making the headlines as often as it once did, <strong>but that doesn&#8217;t mean the threat has gone away<\/strong>. Such tools have only gotten more refined and accessible, and malicious actors in 2026 are not getting any less creative or aggressive.<\/p>\n<p>However, there&#8217;s a big &#8216;<em>but<\/em>&#8216; (<em>not that you pervert<\/em>) here. 
This is only a proposal, and while it looks good on the surface, the kernel maintainers have the final say in whether this makes it into <a href=\"https:\/\/www.kernel.org\/\">Linux<\/a>.<\/p>\n<p>Via: <a href=\"https:\/\/www.phoronix.com\/news\/hid-omg-detect-Malicious-HID\">Phoronix<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>A patch has been submitted to the Linux kernel mailing list proposing a new HID driver that would passively monitor USB keyboard-like devices and flag the ones that look like&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5438","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-rss"],"_links":{"self":[{"href":"https:\/\/catbradley.io\/index.php?rest_route=\/wp\/v2\/posts\/5438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/catbradley.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/catbradley.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/catbradley.io\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/catbradley.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5438"}],"version-history":[{"count":0,"href":"https:\/\/catbradley.io\/index.php?rest_route=\/wp\/v2\/posts\/5438\/revisions"}],"wp:attachment":[{"href":"https:\/\/catbradley.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/catbradley.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/catbradley.io\/index.php?rest_route=%2Fwp%2Fv2%2
Ftags&post=5438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}