A new Linux kernel driver called hid-omg-detect is under development to passively monitor and detect malicious HID devices such as specially crafted keyboards and mice. Detection relies on signals such as low keystroke-timing entropy, typing that begins immediately after enumeration, known suspicious vendor/product IDs, and HID descriptor anomalies. The driver emits warnings when a suspicious device is detected and can work alongside USBGuard in user space to block such devices; the driver itself does not block or modify HID events. The patch series is currently under review on the Linux kernel mailing list.
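The two timing signals named above (low keystroke-timing entropy and typing right after enumeration) can be sketched as a small scoring routine. This is an added example, not code from the hid-omg-detect patch series; the function names, bucket width, thresholds and sample timestamps are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Bucket width and thresholds are assumptions, not the driver's values. */
#define BUCKET_MS        10
#define NBUCKETS         64
#define MIN_ENTROPY_BITS 1.0
#define EARLY_TYPING_MS  500
enum { FLAG_LOW_ENTROPY = 1, FLAG_EARLY_TYPING = 2 };

/* Constructed key-down timestamps in ms; enumeration is taken as t = 1000. */
static const uint64_t SCRIPTED[] = {1120, 1125, 1130, 1135, 1140, 1145, 1150, 1155, 1160, 1165};
static const uint64_t HUMAN[] = {4200, 4331, 4418, 4642, 4705, 4893, 5010, 5237, 5296, 5511};

/* log2(x) for x >= 1 by repeated squaring, so no libm is needed. */
static double log2_ge1(double x)
{
    double r = 0.0, f = 0.5;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    for (int i = 0; i < 24; i++, f /= 2.0) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += f; }
    }
    return r;
}

/* Shannon entropy in bits of the bucketed gaps between n sorted timestamps. */
double interval_entropy_bits(const uint64_t *ts_ms, size_t n)
{
    unsigned counts[NBUCKETS] = {0};
    double sum = 0.0;
    if (n < 2) return 0.0;
    for (size_t i = 1; i < n; i++) {
        uint64_t b = (ts_ms[i] - ts_ms[i - 1]) / BUCKET_MS;
        counts[b < NBUCKETS ? b : NBUCKETS - 1]++; /* long pauses share a bucket */
    }
    for (int b = 0; b < NBUCKETS; b++) /* H = log2(N) - sum(c*log2(c))/N */
        if (counts[b]) sum += counts[b] * log2_ge1(counts[b]);
    return log2_ge1((double)(n - 1)) - sum / (double)(n - 1);
}

/* Bitmask of heuristics tripped by a device's first n keystrokes (ts >= enum_ms). */
int score_device(uint64_t enum_ms, const uint64_t *ts_ms, size_t n)
{
    int flags = 0;
    if (n && ts_ms[0] - enum_ms < EARLY_TYPING_MS) flags |= FLAG_EARLY_TYPING;
    if (n >= 8 && interval_entropy_bits(ts_ms, n) < MIN_ENTROPY_BITS)
        flags |= FLAG_LOW_ENTROPY;
    return flags;
}
```

The fixed 5 ms gaps in `SCRIPTED` fall into a single bucket and score zero bits, while the varied gaps in `HUMAN` score close to three; the entropy check is skipped for fewer than eight keystrokes because so few gaps say little about the typist.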