A developer has submitted a patch to the Linux kernel mailing list for a new driver that monitors USB keyboard-like devices for suspicious activity. The hid-omg-detect module scores devices based on typing patterns and other signals without interfering with normal input. If a device appears malicious, it issues a warning recommending the use of USBGuard for blocking.
Zubeyr Almaho proposed the hid-omg-detect driver, which passively observes Human Interface Device (HID) inputs from USB devices resembling keyboards. Submitted as the second revision, the patch addresses feedback on the initial version concerning state management and logging practices. Kernel maintainers will decide whether it is merged into the Linux kernel codebase, according to the proposal on the mailing list, as covered by Phoronix.
The driver evaluates devices using three key metrics: keystroke timing entropy, the delay between plugging in and starting to type, and fingerprinting of USB descriptors. Legitimate human typing differs markedly from automated keystroke injection by malicious hardware. When a device exceeds a configurable score threshold, the module logs a kernel warning and suggests using the userspace tool USBGuard for enforcement, without altering or delaying any input events.
The patch targets threats like BadUSB, disclosed in 2014, where USB devices reprogram their firmware to mimic keyboards and execute payloads such as opening terminals or downloading malware. Another example is the O.MG Cable, which conceals an implant in a standard-looking USB cable to inject keystrokes, log data, spoof identifiers, and enable remote WiFi control. Proponents note that these attacks persist and evolve despite reduced media attention.
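The three signals described above can be sketched in userspace as follows. This is an added example, not code from the patch or from its author; the thresholds, the one-point-per-signal weighting, the bucket size, the watchlist entry and the sample timelines are all assumptions constructed for illustration.

```python
import math
from collections import Counter
from itertools import accumulate

# Thresholds, weights and the watchlist entry are assumptions for this
# illustration; the article does not give the driver's actual values.
ENTROPY_MIN_BITS = 1.5          # below this, timing looks machine-regular
PLUG_DELAY_MIN_MS = 1000        # first key sooner than this after plug-in
WATCHLIST = {(0xFFFF, 0x0001)}  # constructed (vendor, product) placeholder
THRESHOLD = 2                   # score at which a warning would be logged


def interval_entropy(key_times_ms, bin_ms=10):
    """Shannon entropy in bits of inter-keystroke gaps, bucketed to bin_ms."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    if not gaps:
        return 0.0
    counts = Counter(g // bin_ms for g in gaps)
    probs = [c / len(gaps) for c in counts.values()]
    return sum(-p * math.log2(p) for p in probs)


def score_device(plug_ms, key_times_ms, vendor, product, min_keys=8):
    """Return (score, reasons). Purely observational: input is never altered."""
    score, reasons = 0, []
    # Entropy over a handful of keys is meaningless, so require min_keys first.
    if len(key_times_ms) >= min_keys:
        if interval_entropy(key_times_ms) < ENTROPY_MIN_BITS:
            score += 1
            reasons.append("low keystroke timing entropy")
    if key_times_ms and key_times_ms[0] - plug_ms < PLUG_DELAY_MIN_MS:
        score += 1
        reasons.append("typing began right after plug-in")
    if (vendor, product) in WATCHLIST:
        score += 1
        reasons.append("USB descriptor on watchlist")
    return score, reasons


# Constructed sample timelines (milliseconds since the device was plugged in).
HUMAN = list(accumulate([4200, 180, 95, 240, 130, 310, 70, 205, 160, 120, 270, 90]))
INJECTED = [300 + 5 * i for i in range(12)]  # fixed 5 ms cadence

if __name__ == "__main__":
    for name, times in (("human", HUMAN), ("injected", INJECTED)):
        score, reasons = score_device(0, times, 0x1234, 0x5678)
        verdict = "WARN, consider USBGuard" if score >= THRESHOLD else "ok"
        print(f"{name}: score={score} {verdict} {reasons}")
```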