The Duck Stops Here: Building hid_guard — Catching Keystroke Injection at the Kernel Level
The article discusses building a HID-BPF security monitor for the Linux kernel to catch keystroke injection attacks. The author was inspired by a prank where a wireless Rubber Ducky device was used to inject keystrokes. Current userspace tools are not effective in preventing such attacks, so the author turned to the kernel level to understand how HID devices advertise themselves and how keystroke reports are structured. The author is now working on a project called hid_guard, which uses eBPF to monitor HID devices and prevent such attacks.