{"id":384395,"date":"2026-04-06T08:28:09","date_gmt":"2026-04-06T08:28:09","guid":{"rendered":"https:\/\/www.newsbeep.com\/ie\/384395\/"},"modified":"2026-04-06T08:28:09","modified_gmt":"2026-04-06T08:28:09","slug":"a-new-linux-kernel-driver-wants-to-catch-malicious-usb-devices-in-the-act","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/ie\/384395\/","title":{"rendered":"A New Linux Kernel Driver Wants to Catch Malicious USB Devices in the Act"},"content":{"rendered":"<p>A patch <a href=\"https:\/\/lore.kernel.org\/lkml\/20260404133746.80914-1-zybo1000@gmail.com\/?ref=itsfoss.com\" rel=\"nofollow noopener\" target=\"_blank\">has been submitted<\/a> to the Linux kernel mailing list proposing a new <a href=\"https:\/\/en.wikipedia.org\/wiki\/Human_interface_device?ref=itsfoss.com\" rel=\"nofollow noopener\" target=\"_blank\">HID<\/a> driver that would passively monitor USB keyboard-like devices and flag the ones that look like they&#8217;re up to no good.<\/p>\n<p>The driver is called hid-omg-detect, and it was proposed by Zubeyr Almaho.<\/p>\n<p>The way it works is fairly clever. Rather than blocking anything outright, the module sits quietly in the background and scores incoming HID devices based on three signals: keystroke timing entropy, plug-and-type latency, and USB descriptor fingerprinting. 
The idea here is that a real human typing on a real keyboard behaves very differently from a device that was purpose-built to inject keystrokes the moment it&#8217;s plugged in.<\/p>\n<p>If a device&#8217;s score crosses a configured threshold, the module fires off a kernel warning and points toward <a href=\"https:\/\/usbguard.github.io\/?ref=itsfoss.com\" rel=\"nofollow noopener\" target=\"_blank\">USBGuard<\/a> as a userspace tool to actually do the blocking. Zubeyr adds that the driver itself does not interfere with, delay, or modify any HID input events.<\/p>\n<p>This is already the second revision of the patch. The first pass got feedback on things like global state management and logging inside spinlock-held regions, all of which have been addressed in v2.<\/p>\n<p>Is there a real threat?<\/p>\n<p>The short answer is yes. The proposal explicitly calls out two threats, BadUSB and O.MG; both are worth knowing about.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/BadUSB?ref=itsfoss.com\" rel=\"nofollow noopener\" target=\"_blank\">BadUSB<\/a> is the broader class of attack that was first disclosed back in 2014 by security researchers. It works by reprogramming the firmware on a USB device to impersonate a keyboard.<\/p>\n<p>The operating system sees it as a perfectly normal input device, trusts it completely, and lets it do whatever its payload tells it to, be it opening terminals, downloading malware, or exfiltrating data.<\/p>\n<p>The <a href=\"https:\/\/shop.hak5.org\/products\/omg-cable?ref=itsfoss.com\" rel=\"nofollow noopener\" target=\"_blank\">O.MG Cable<\/a> takes the same idea and hides it inside something that looks exactly like a regular USB cable. There&#8217;s a tiny implant built into the connector that can inject keystrokes, log them, spoof USB identifiers to dodge detection, and be controlled remotely over WiFi.<\/p>\n<p>Neither of these is making the headlines as often as they once did, but that doesn&#8217;t mean the threat has gone away. 
Such tools have only gotten more refined and accessible, and malicious actors in 2026 are not getting any less creative or aggressive.<\/p>\n<p>However, there&#8217;s a big &#8216;but&#8217; (not that you pervert) here. This is only a proposal, and while it looks good on the surface, the kernel maintainers have the final say in whether this makes it into <a href=\"https:\/\/www.kernel.org\/?ref=itsfoss.com\" rel=\"nofollow noopener\" target=\"_blank\">Linux<\/a>.<\/p>\n<p>Via: <a href=\"https:\/\/www.phoronix.com\/news\/hid-omg-detect-Malicious-HID?ref=itsfoss.com\" rel=\"nofollow noopener\" target=\"_blank\">Phoronix<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"A patch has been submitted to the Linux kernel mailing list proposing a new HID driver that would&hellip;\n","protected":false},"author":2,"featured_media":384396,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[61,60,80],"class_list":{"0":"post-384395","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-ie","9":"tag-ireland","10":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/posts\/384395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/comments?post=384395"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/posts\/384395\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/media\/384396"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/medi
a?parent=384395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/categories?post=384395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/ie\/wp-json\/wp\/v2\/tags?post=384395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}