Student builds Linux kernel-level HID security tool after $6 USB attack demo
A cybersecurity club member built a wireless Rubber Ducky device using a $5–6 ESP32-S2 chip to demonstrate keystroke injection attacks at a college recruitment event in August–September 2025, drawing a record 60 sign-ups. After successfully running the same attack on his roommate, the developer began investigating why existing defenses failed to stop such threats. He found that userspace tools relying on device whitelisting or event monitoring react too slowly, as a malicious payload typically completes execution before any daemon can intervene. This led him to explore how the Linux kernel processes HID device input at a fundamental level, eventually turning to eBPF as a kernel-space solution. The result is hid_guard, a HID-BPF security monitor designed to intercept keystroke injection at the kernel level, with development documented in an ongoing series.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in