A patch has been submitted to the Linux kernel mailing list proposing a new HID driver that would passively monitor USB keyboard-like devices and flag the ones that look like they're up to no good.
The driver is called hid-omg-detect, and it was proposed by Zubeyr Almaho.
The way it works is fairly clever. Rather than blocking anything outright, the module sits quietly in the background and scores incoming HID devices based on three signals: keystroke timing entropy, plug-and-type latency, and USB descriptor fingerprinting.
The idea here is that a real human typing on a real keyboard behaves very differently from a device that was purpose-built to inject keystrokes the moment it's plugged in.
If a device's score crosses a configured threshold, the module fires off a kernel warning and points toward USBGuard as a userspace tool to actually do the blocking. Zubeyr adds that the driver itself does not interfere with, delay, or modify any HID input events.
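To make the scoring idea concrete, here is an added user-space sketch of a three-signal score; it is not code from the patch, and the bucket width, limits, weights, threshold and all function names are assumptions chosen for illustration. It sticks to integer arithmetic, since kernel code avoids floating point, and takes the descriptor match as a flag supplied by the caller.

```c
/* Added illustration, not code from the hid-omg-detect patch.
 * Bucket width, limits, weights and threshold are assumed values. */
#include <stddef.h>
#include <stdint.h>
#define BUCKET_MS      10   /* assumed histogram bucket width */
#define NBUCKETS       32   /* intervals >= 310 ms share the last bucket */
#define MIN_SAMPLES    8    /* assumed: fewer keys say nothing about timing */
#define MIN_ENTROPY_Q8 384  /* assumed: 1.5 bits, in 1/256-bit units */
#define MIN_LATENCY_MS 500  /* assumed: a first key sooner than this is suspect */
#define THRESHOLD      60   /* assumed warning threshold on a 0..100 score */

/* Integer-only log2(x) in 1/256 units (kernel code avoids the FPU):
 * exact at powers of two, linear in between. Needs 1 <= x < 2^24. */
static uint32_t log2_q8(uint32_t x)
{
    uint32_t k = 0;
    while ((x >> (k + 1)) != 0)
        k++;
    return (k << 8) + (((x - (1u << k)) << 8) >> k);
}

/* H = log2(n) - (1/n) * sum(c_i * log2(c_i)) over interval buckets, Q8 bits. */
uint32_t interval_entropy_q8(const uint32_t *ms, size_t n)
{
    uint32_t hist[NBUCKETS] = {0};
    uint64_t sum = 0, top;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t b = ms[i] / BUCKET_MS;
        hist[b < NBUCKETS ? b : NBUCKETS - 1]++;
    }
    for (size_t b = 0; b < NBUCKETS; b++)
        if (hist[b])
            sum += (uint64_t)hist[b] * log2_q8(hist[b]);
    top = log2_q8((uint32_t)n);
    return top > sum / n ? (uint32_t)(top - sum / n) : 0;
}

/* desc_flagged: caller already matched the descriptor against its list. */
int score_device(const uint32_t *ms, size_t n, uint32_t first_key_ms, int desc_flagged)
{
    int score = 0;
    if (n >= MIN_SAMPLES && interval_entropy_q8(ms, n) < MIN_ENTROPY_Q8)
        score += 40;  /* timing too regular for a person */
    score += first_key_ms < MIN_LATENCY_MS ? 30 : 0;  /* typed right after plug-in */
    score += desc_flagged ? 30 : 0;
    return score;
}

int should_warn(int score) { return score >= THRESHOLD; }
```

With these assumed values, sixteen identical 5 ms intervals give an entropy of 0, while sixteen intervals that each land in a different bucket give 4 bits (1024 in Q8). A flagged descriptor alone scores 30 and stays under the threshold.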
This is already the second revision of the patch. The first pass got feedback on things like global state management and logging inside spinlock-held regions, all of which have been addressed in v2.
Is there a real threat?
The short answer is yes. The proposal explicitly calls out two threats, BadUSB and O.MG; both are worth knowing about.
BadUSB is the broader class of attack that was first disclosed back in 2014 by security researchers. It works by reprogramming the firmware on a USB device to impersonate a keyboard.
The operating system sees it as a perfectly normal input device, trusts it completely, and lets it do whatever its payload tells it to, be it open terminals, download malware, or exfiltrate data.
The O.MG Cable takes the same idea and hides it inside something that looks exactly like a regular USB cable. There's a tiny implant built into the connector that can inject keystrokes, log them, spoof USB identifiers to dodge detection, and be controlled remotely over WiFi.
Neither of these is making the headlines as often as it once did, but that doesn't mean the threat has gone away. Such tools have only gotten more refined and accessible, and malicious actors in 2026 are not getting any less creative or aggressive.
However, there's a big 'but' (not that, you pervert) here. This is only a proposal, and while it looks good on the surface, the kernel maintainers have the final say in whether this makes it into Linux.
Via: Phoronix