Zubeyr Almaho has been leading work on a new HID driver named hid-omg-detect, intended to passively monitor for malicious HID devices being connected to the system.
The hid-omg-detect kernel module attempts to detect malicious HID devices such as specially crafted keyboards and mice. Detection is currently based on factors like low keystroke timing entropy, immediate post-enumeration typing, known suspicious vendor/product IDs, and HID descriptor anomalies.
The driver has a configurable threshold: if a device is believed to be malicious, the driver emits a warning, and paired with the likes of USB Guard in user-space, the device could then be blocked. The hid-omg-detect driver doesn’t block any devices itself, nor does it modify or delay HID events.
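To make the two timing heuristics concrete, here is an added sketch (not code from the hid-omg-detect patch series) that scores a keystroke stream on interval entropy and on how soon typing starts after enumeration. The function names, the 10 ms buckets, the 1-bit and 500 ms cutoffs, the 9-keystroke minimum and the 50-point weights are all assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define NBUCKETS  32  /* assumed: number of histogram buckets */
#define BUCKET_MS 10  /* assumed: bucket width in milliseconds */

/* Constructed key-down times in ms (device enumerated at t=0), not captured data */
static const uint32_t injector_ts[9] = {300, 305, 310, 315, 320, 325, 330, 335, 340};
static const uint32_t human_ts[9] = {4200, 4285, 4427, 4524, 4737, 4858, 5022, 5253, 5371};

/* log2(x) in Q8 fixed point for x >= 1; integer-only, as kernel code avoids floats */
static uint32_t log2_q8(uint32_t x)
{
    uint32_t ip = 0, frac = 0;
    while ((x >> ip) > 1)
        ip++;
    uint64_t m = ((uint64_t)x << 16) >> ip;  /* mantissa in [1,2) as Q16 */
    for (int i = 0; i < 8; i++) {            /* one fractional bit per squaring */
        m = (m * m) >> 16;
        frac <<= 1;
        if (m >= (2ULL << 16)) { m >>= 1; frac |= 1; }
    }
    return (ip << 8) | frac;
}

/* Shannon entropy, in Q8 bits, of the bucketed inter-keystroke intervals */
uint32_t interval_entropy_q8(const uint32_t *ts_ms, size_t n)
{
    uint32_t hist[NBUCKETS] = {0}, total, sum = 0;
    if (n < 2)
        return 0;
    total = (uint32_t)(n - 1);
    for (size_t i = 1; i < n; i++) {
        uint32_t b = (ts_ms[i] - ts_ms[i - 1]) / BUCKET_MS;
        hist[b < NBUCKETS ? b : NBUCKETS - 1]++;
    }
    for (int b = 0; b < NBUCKETS; b++)
        if (hist[b])
            sum += hist[b] * log2_q8(hist[b]);
    sum /= total;  /* (1/N) * sum(c * log2(c)) */
    return log2_q8(total) > sum ? log2_q8(total) - sum : 0;  /* H, clamped at 0 */
}

/* Hypothetical score: 50 for entropy under 1 bit, 50 for typing within 500 ms of enumeration */
unsigned int hid_suspicion_score(const uint32_t *ts_ms, size_t n, uint32_t enum_ms)
{
    unsigned int low = n >= 9 && interval_entropy_q8(ts_ms, n) < (1u << 8);
    unsigned int fast = n > 0 && ts_ms[0] - enum_ms < 500;
    return 50 * low + 50 * fast;
}
```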
It’s an interesting driver addition currently under review and consideration on the mailing list.
Those concerned about potentially malicious HID devices being connected to their systems, or just curious about hid-omg-detect, can find all the details on this driver via the patch series on the Linux kernel mailing list.
