Google Introduces Input Substitution Blocker Through Malicious USB Devices

Google has published the utility ukip, which lets you track and block attacks carried out using malicious USB devices that emulate a USB keyboard in order to covertly inject keystrokes (for example, an attack may replay a sequence of keystrokes that opens a terminal and runs arbitrary commands in it). The code is written in Python and is distributed under the Apache 2.0 license.

The utility runs as a systemd service and can operate in a monitoring mode or an attack-prevention mode. In monitoring mode, possible attacks are identified and activity that looks like an attempt to use a USB device for keystroke injection is recorded in the log. In protection mode, when a potentially malicious device is detected it is disconnected from the system at the driver level.

Malicious activity is determined by a heuristic analysis of the nature of the input and the delays between keystrokes: the attack is usually carried out in the presence of the user, and for it to go unnoticed the simulated keystrokes are sent with minimal delays that are atypical for normal keyboard input. Two settings are offered to tune the detection logic: KEYSTROKE_WINDOW and ABNORMAL_TYPING (the first sets the number of keystrokes examined, the second the threshold interval between keystrokes).
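The following is an added example (not ukip's own code) that shows how such a sliding-window timing heuristic works: a window of the last KEYSTROKE_WINDOW keystrokes is examined, and if every inter-keystroke gap in the window is below ABNORMAL_TYPING the window is flagged. The default values, the function names, the event format (microsecond timestamp plus key label) and the sample keystroke sequences are all assumptions constructed for this example, not values taken from ukip.

```python
"""Sliding-window keystroke-timing heuristic in the spirit of ukip's
KEYSTROKE_WINDOW / ABNORMAL_TYPING settings (illustrative code, not ukip's)."""
from collections import deque
from typing import Deque, Iterable, List, Tuple

# Assumed defaults chosen for this example, not ukip's real defaults.
KEYSTROKE_WINDOW = 5        # number of consecutive keystrokes examined
ABNORMAL_TYPING = 50_000    # threshold gap between keystrokes, in microseconds

# One keystroke: (timestamp in microseconds, key label). Format assumed here.
KeyEvent = Tuple[int, str]


def is_abnormal_window(timestamps_us: List[int], threshold_us: int) -> bool:
    """True if every gap between consecutive timestamps is below the threshold.
    A window with fewer than two keystrokes has no gaps and is never abnormal."""
    gaps = [later - earlier for earlier, later in zip(timestamps_us, timestamps_us[1:])]
    return bool(gaps) and all(gap < threshold_us for gap in gaps)


def scan_keystrokes(events: Iterable[KeyEvent],
                    window: int = KEYSTROKE_WINDOW,
                    threshold_us: int = ABNORMAL_TYPING) -> List[Tuple[int, str]]:
    """Slide a window over the keystroke stream and return one alert per
    abnormal window as (index of the last keystroke in the window, keys seen)."""
    recent: Deque[KeyEvent] = deque(maxlen=window)
    alerts: List[Tuple[int, str]] = []
    for index, event in enumerate(events):
        recent.append(event)
        if len(recent) < window:
            continue  # not enough keystrokes yet to judge
        if is_abnormal_window([ts for ts, _ in recent], threshold_us):
            alerts.append((index, "".join(key for _, key in recent)))
    return alerts


def decide(events: Iterable[KeyEvent], mode: str = "monitor", **kwargs) -> str:
    """Map the heuristic's result onto the two operating modes described in the
    article: monitoring only logs, protection would disconnect the device."""
    if not scan_keystrokes(events, **kwargs):
        return "ALLOW"
    return "BLOCK" if mode == "protect" else "LOG"


# Constructed sample input: a human typing "hello " with 90-190 ms gaps.
HUMAN_TYPING: List[KeyEvent] = [
    (0, "h"), (150_000, "e"), (320_000, "l"), (410_000, "l"), (600_000, "o"), (780_000, " "),
]

# Constructed sample input: an emulated keyboard replaying keys 1-2 ms apart.
INJECTED_BURST: List[KeyEvent] = [
    (0, "i"), (2_000, "n"), (3_000, "j"), (5_000, "e"), (6_500, "c"), (8_000, "t"), (9_000, "\n"),
]

# Human typing followed one second later by the injected burst.
MIXED: List[KeyEvent] = HUMAN_TYPING + [(ts + 1_000_000, key) for ts, key in INJECTED_BURST]


if __name__ == "__main__":
    for name, stream in (("human", HUMAN_TYPING), ("burst", INJECTED_BURST), ("mixed", MIXED)):
        print(name, decide(stream, mode="protect"), scan_keystrokes(stream))
```

Note that in the mixed stream the first alert only fires once the window lies entirely inside the burst; a window that still contains a human-speed gap is not flagged, which is why a small KEYSTROKE_WINDOW reacts faster but is also easier to trip accidentally with fast, genuine typing.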

The attack can be carried out with an innocuous-looking device whose firmware has been modified; for example, a keyboard can be emulated by a USB stick, a USB hub, a web camera or a smartphone (Kali NetHunter offers a dedicated utility for injecting input from an Android smartphone connected to the USB port). To make USB attacks harder, in addition to ukip you can also use the USBGuard package, which only allows devices on a whitelist to connect, or blocks the connection of third-party USB devices while the screen is locked and does not allow such devices to be used after the user returns.

Source: opennet.ru
