[PATCH v2 0/1] HID: add malicious HID device detection driver

Zubeyr Almaho posted 1 patch 2 months, 1 week ago
drivers/hid/hid-omg-detect.c | 435 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 435 insertions(+)
Posted by Zubeyr Almaho 2 months, 1 week ago
Hi Jiri, Benjamin,

This series introduces hid-omg-detect, a passive HID monitor that scores
potentially malicious keyboard-like USB devices (BadUSB / O.MG style)
using:

- keystroke timing entropy,
- plug-and-type latency,
- USB descriptor fingerprinting.

When the configurable threshold is crossed, the module emits a warning
with a userspace mitigation hint (usbguard).

The driver does not block, delay, or modify HID input events.

Changes since v1:
- Replaced global list + mutex with per-device drvdata.
- Removed logging inside spinlock-held regions.
- Moved VID/PID lookup to probe() to avoid hot-path overhead.
- Switched logging to hid_{info,warn,err} helpers.
- Capped timing sample counter at MAX_TIMING_SAMPLES.
- Renamed file to hid-omg-detect.c for kernel naming conventions.

Thanks,
Zubeyr Almaho

---
 drivers/hid/hid-omg-detect.c | 435 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 435 insertions(+)
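The three signals in the cover letter (keystroke timing entropy, plug-and-type latency, descriptor fingerprinting) can be sketched in userspace before arguing about where they belong. The block below is an added example written for this page; it is not the hid-omg-detect code from the patch and does not use any kernel API. Everything in it is an assumption: the 10 ms bucket size, the 500 ms plug-to-first-key window, the 70 % mode-fraction and 30 ms mean-interval cut-offs, the threshold of 4, and the VID/PID pairs, which are placeholders rather than identifiers of any real device. Timing regularity is measured as the share of inter-key intervals that land in the single most common bucket, an integer stand-in for the entropy estimate the patch describes (a scripted injector clusters into one bucket, a human spreads across many). Like the driver, it only scores; it never drops or delays an event.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TIMING_SAMPLES     64                        /* cap, as in the v2 changelog */
#define NBUCKETS               256                       /* 10 ms buckets, clamp above 2.55 s */
#define BUCKET_NS              (10ULL * 1000000ULL)
#define MIN_TIMING_SAMPLES     8                         /* assumption: no verdict before this */
#define PLUG_TYPE_LATENCY_NS   (500ULL * 1000000ULL)     /* assumption: humans take longer */
#define MODE_PERCENT_ALERT     70                        /* assumption: >=70 % in one bucket */
#define MEAN_INTERVAL_ALERT_NS (30ULL * 1000000ULL)      /* assumption: faster than any typist */
#define OMG_THRESHOLD          4                         /* assumption: configurable in the driver */
#define MS(x)                  ((uint64_t)(x) * 1000000ULL)

struct omg_state {                       /* per-device state, as drvdata would hold */
    uint64_t plug_ns;                    /* probe()/plug-in timestamp */
    uint64_t last_key_ns;                /* previous key-press timestamp */
    bool     seen_first_key;
    unsigned nsamples;                   /* capped at MAX_TIMING_SAMPLES */
    uint64_t intervals[MAX_TIMING_SAMPLES];
    int      latency_score;
    int      desc_score;
};

struct omg_fingerprint { uint16_t vid, pid; };

/* Placeholder entries only; hypothetical, not the IDs of any real product. */
static const struct omg_fingerprint omg_known_bad[] = { { 0x1234, 0x5678 } };

static int omg_descriptor_score(uint16_t vid, uint16_t pid)
{
    for (size_t i = 0; i < sizeof(omg_known_bad) / sizeof(omg_known_bad[0]); i++)
        if (omg_known_bad[i].vid == vid && omg_known_bad[i].pid == pid)
            return 1;
    return 0;
}

/* Done once at probe time so the hot path does no lookups. */
static void omg_probe(struct omg_state *st, uint64_t plug_ns, uint16_t vid, uint16_t pid)
{
    memset(st, 0, sizeof(*st));
    st->plug_ns = plug_ns;
    st->desc_score = omg_descriptor_score(vid, pid);
}

/* Called for each key press (caller filters out releases). Stores only a delta. */
static void omg_key_event(struct omg_state *st, uint64_t ts_ns)
{
    if (!st->seen_first_key) {
        st->seen_first_key = true;
        if (ts_ns - st->plug_ns < PLUG_TYPE_LATENCY_NS)
            st->latency_score = 2;
    } else if (st->nsamples < MAX_TIMING_SAMPLES && ts_ns > st->last_key_ns) {
        st->intervals[st->nsamples++] = ts_ns - st->last_key_ns;
    }
    st->last_key_ns = ts_ns;
}

/* Regularity: share of intervals in the most common bucket, plus a mean-rate check. */
static int omg_timing_score(const struct omg_state *st)
{
    unsigned hist[NBUCKETS] = { 0 }, mode = 0;
    uint64_t sum = 0;
    int score = 0;

    if (st->nsamples < MIN_TIMING_SAMPLES)
        return 0;
    for (unsigned i = 0; i < st->nsamples; i++) {
        uint64_t b = st->intervals[i] / BUCKET_NS;
        if (b >= NBUCKETS)
            b = NBUCKETS - 1;
        if (++hist[b] > mode)
            mode = hist[b];
        sum += st->intervals[i];
    }
    if (mode * 100 / st->nsamples >= MODE_PERCENT_ALERT)
        score += 2;
    if (sum / st->nsamples < MEAN_INTERVAL_ALERT_NS)
        score += 1;
    return score;
}

static int omg_total_score(const struct omg_state *st)
{
    return omg_timing_score(st) + st->latency_score + st->desc_score;
}

static bool omg_is_suspicious(const struct omg_state *st)
{
    return omg_total_score(st) >= OMG_THRESHOLD;
}

/* Constructed session: injector typing 20 keys at a fixed 12 ms cadence, 150 ms after plug. */
int omg_demo_scripted_score(void)
{
    struct omg_state st;
    omg_probe(&st, 0, 0x1234, 0x5678);
    for (unsigned i = 0; i < 20; i++)
        omg_key_event(&st, MS(150) + MS(12) * i);
    return omg_total_score(&st);
}

/* Constructed session: a person starting 3 s after plug with irregular gaps. */
int omg_demo_human_score(void)
{
    static const unsigned gaps_ms[] = { 110, 180, 95, 240, 130, 160, 210, 90, 140, 200 };
    struct omg_state st;
    uint64_t t = MS(3000);
    omg_probe(&st, 0, 0xabcd, 0x0001);              /* placeholder IDs, not in the table */
    omg_key_event(&st, t);
    for (size_t i = 0; i < sizeof(gaps_ms) / sizeof(gaps_ms[0]); i++)
        omg_key_event(&st, t += MS(gaps_ms[i]));
    return omg_total_score(&st);
}

int main(void)
{
    struct omg_state st;
    omg_probe(&st, 0, 0x1234, 0x5678);
    for (unsigned i = 0; i < 20; i++)
        omg_key_event(&st, MS(150) + MS(12) * i);
    printf("scripted: score=%d suspicious=%d\n", omg_total_score(&st), omg_is_suspicious(&st));
    printf("human:    score=%d\n", omg_demo_human_score());
    return 0;
}
```

The scripted session trips all three signals (regular cadence +2, sub-30 ms mean +1, typing within 500 ms of plug +2, placeholder fingerprint +1) and scores 6; the human session scores 0. Note what the heuristics miss: an injector that adds jitter and waits a few seconds before typing evades the timing and latency checks, and the fingerprint table only ever catches devices that do not spoof a common keyboard's VID/PID, which is the point of Greg's reply below that this is policy better kept out of the kernel.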
Re: [PATCH v2 0/1] HID: add malicious HID device detection driver
Posted by Greg KH 2 months, 1 week ago
On Sat, Apr 04, 2026 at 04:37:44PM +0300, Zubeyr Almaho wrote:
> Hi Jiri, Benjamin,
> 
> This series introduces hid-omg-detect, a passive HID monitor that scores
> potentially malicious keyboard-like USB devices (BadUSB / O.MG style)
> using:
> 
> - keystroke timing entropy,
> - plug-and-type latency,
> - USB descriptor fingerprinting.
> 
> When the configurable threshold is crossed, the module emits a warning
> with a userspace mitigation hint (usbguard).
> 
> The driver does not block, delay, or modify HID input events.

That's cute, but no need to get security@kernel.org involved as this is
a new feature, not a bug triage.

Also, why not just do this as an ebpf program instead as you have full
access to the hid data stream there?

thanks,

greg k-h