The crux of the problem is that any USB device, if so reprogrammed by a
hostile party, can suddenly start acting like a different USB device
class than it appears to be, and taking actions hostile to the
But you can also put the Raspberry Pi Zero into gadget mode and it can be plugged in and be a
HID device. (Maybe next Pi meeting someone would like to try) Though the Zero is small it is
not small enough to fool anyone.
I believe I've seen a few stabs at a hardware
countermeasure like a dongle you interpose between your computer's USB
port and an outboard device. You set a control on the dongle to permit,
say, only USB HID-class (human interface device, such as keyboard and
mouse) operations. If the device attempts to suddenly say to the host
computer 'OK, I'm actually a mountable mass storage device', the dongle
intercepts that USB instruction and doesn't allow it through. Likewise
if it's supposed to be a scanner, just a USB cable, etc., but upon
connection it says the host computer 'Actually, I'm an HID-class
device.' But I cannot remember where I saw that implemented, or
(actually) if I merely saw the idea discussed but not yet implemented.
Like a USB condom. But internet search brings up dongles that protect when plugging
But I have seen some USB devices that are also flash drives (with the needed Windows
drivers.) There are also some keyboards with integrated touchpads and so would present as
The Raspberry Pi Zero supposedly can be two gadgets at once.
Then there is the possibility of real maliciousness: USBkiller
I have just been thinking about power on USB because I have a small HDMI display with
5V input. And I thought to solder a USB cable instead. (Most of the time the display can get
enough juice from the HDMI) So I was looking at the spec to see if I would need to do
anything with the data lines of the cable. Then I thought USBkiller and of course someone
has already done it.
Btw I don't need to do anything with the data lines for display power. It is on the power