
Can a USB-based attack, e.g., BadUSB or Rubber Ducky, be detected by observing the output from dmesg?

I bought a brand new DFRobot Beetle, which is essentially a miniaturized Leonardo. A few seconds after plugging it in, the USB keyboard I'm using stops working. It's possible that it may have been caused by low power, but checking the output from dmesg, I noticed that the device is detected and disconnected three times without being physically moved.

What is most interesting is that Mfr and Product change twice:

[Tue Jan 15 09:42:54 2019]usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[Tue Jan 15 09:43:18 2019]usb 1-1.2: USB disconnect, device number 6

...

[Tue Jan 15 09:43:19 2019]usb 1-1.2: new USB device found, idVendor=2341, idProduct=0036

[Tue Jan 15 09:43:19 2019]usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0

[Tue Jan 15 09:43:18 2019]usb 1-1.2: USB disconnect, device number 7

...

[Tue Jan 15 09:43:19 2019]usb 1-1.2: new USB device found, idVendor=2341, idProduct=8036

[Tue Jan 15 09:43:19 2019]usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3

In addition, idProduct also changes briefly.

Initially, I thought maybe the device had become loose and so was detected several times, but after rebooting and checking dmesg again, it was not shown to be disconnected even when I wiggled the device around in the USB port. The second set of values, i.e., Mfr=2, Product=1 and idVendor=2341, idProduct=0036, also never shows up.

Is all this normal, or are these possibly signs of a USB-based attack?

user942937

1 Answer

What you describe is pretty normal. I would suspect that the device has a driver that is installed upon initial connection. When a driver is installed, it can disconnect the device a few times. After the device driver is installed, it will then be properly recognized, hence no more installation and disconnections. You can always remove the driver and debug the USB port to see what is happening in the background.

nethero
  • I've heard of something like this happening on Windows systems, but since almost any driver you need would most probably already be installed on Linux in some form, does that also happen on Linux? Also, since this is a simple USB device using dwc_otg, could that be the case here? – user942937 Jan 18 '19 at 09:36
  • I think this will help you understand this behavior: https://www.kernel.org/doc/html/v4.13/driver-api/usb/hotplug.html – nethero Jan 18 '19 at 13:09
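
One way to automate the comparison the question makes by eye, as an added example (not code from the original posts): it scans lines timestamped like the ones quoted above and reports any port whose device comes back shortly after a disconnect with a different idVendor:idProduct. The function name, the 5-second window and the control device on port 1-1.3 are assumptions of this example; the 1-1.2 lines are the ones quoted in the question.

```python
import re
from datetime import datetime

# dmesg lines quoted in the question (port 1-1.2), followed by a constructed
# control device on port 1-1.3 that reconnects with unchanged IDs.
SAMPLE = """\
[Tue Jan 15 09:42:54 2019]usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[Tue Jan 15 09:43:18 2019]usb 1-1.2: USB disconnect, device number 6
[Tue Jan 15 09:43:19 2019]usb 1-1.2: new USB device found, idVendor=2341, idProduct=0036
[Tue Jan 15 09:43:18 2019]usb 1-1.2: USB disconnect, device number 7
[Tue Jan 15 09:43:19 2019]usb 1-1.2: new USB device found, idVendor=2341, idProduct=8036
[Tue Jan 15 09:50:00 2019]usb 1-1.3: new USB device found, idVendor=ffff, idProduct=0001
[Tue Jan 15 09:50:10 2019]usb 1-1.3: USB disconnect, device number 9
[Tue Jan 15 09:50:11 2019]usb 1-1.3: new USB device found, idVendor=ffff, idProduct=0001
"""

LINE = re.compile(r"\[(?P<ts>[^\]]+)\]\s*usb (?P<port>[\d.-]+): (?P<msg>.*)")
IDS = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})", re.I)

def find_identity_changes(log_text, max_gap_s=5):
    """Return (port, old_id, new_id, gap_seconds) for each enumeration that
    follows a disconnect on the same port within max_gap_s (an assumed window)
    and reports a different idVendor:idProduct than the previous one."""
    last_id = {}          # port -> "vid:pid" of the most recent enumeration
    last_disconnect = {}  # port -> time of the most recent disconnect
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].strip(), "%a %b %d %H:%M:%S %Y")
        port, msg = m["port"], m["msg"]
        if "USB disconnect" in msg:
            last_disconnect[port] = ts
            continue
        ids = IDS.search(msg)
        if not ids:
            continue  # e.g. the "device strings" lines carry no IDs
        new_id = f"{ids[1]}:{ids[2]}".lower()
        old_id, gone = last_id.get(port), last_disconnect.get(port)
        if old_id and gone and old_id != new_id:
            gap = abs((ts - gone).total_seconds())
            if gap <= max_gap_s:
                findings.append((port, old_id, new_id, gap))
        last_id[port] = new_id
    return findings

if __name__ == "__main__":
    print(find_identity_changes(SAMPLE))
```

A hit is not proof of an attack: a device that switches between a bootloader and its application firmware re-enumerates in the same way, so follow up by checking which interface classes the final device exposes (for example with `lsusb -v`).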