
Insider Threat Matrix™
  • ID: PV083
  • Created: 10th March 2026
  • Updated: 10th March 2026
  • Contributor: Leonardo Segura

USB Peripheral Allow-Listing

Implement strict allow-listing controls for USB Human Interface Devices (HID) such as keyboards and mice on corporate endpoints.


Hardware-based remote access devices, including IP-KVM platforms, commonly emulate generic USB HID peripherals in order to inject keyboard and mouse input into a host system. When connected, these devices are typically recognized by the operating system as standard keyboards or mice, allowing them to interact with the system without requiring specialized drivers or software.


Many IP-KVM platforms intentionally present themselves as generic HID devices to maximize compatibility across operating systems. By enforcing allow-listing policies that restrict which HID peripherals are permitted to connect to corporate endpoints, organizations can significantly reduce the risk of unauthorized hardware devices being used to inject input or maintain covert remote interaction with a system.


Prevention Measures

  • Implement device control policies within endpoint protection platforms capable of enforcing USB peripheral restrictions. These controls should block newly connected HID devices unless they match an approved allow-list.
  • Define allow-list rules based on hardware identifiers, including vendor ID (VID), product ID (PID), device serial numbers, or cryptographic device fingerprints where supported.
  • Configure endpoint security platforms or operating system controls to deny interaction from unapproved HID devices, preventing unauthorized keyboards or mice from delivering input to the system.
  • Maintain an inventory of approved keyboard and mouse models used within the organization and map their hardware identifiers into the allow-list policy.
  • Apply stricter HID allow-listing policies on high-risk systems, including administrative workstations, developer environments, and systems that handle sensitive or regulated data.
  • Monitor device control logs for blocked peripheral connection attempts, as repeated attempts to attach unauthorized HID devices may indicate attempts to deploy hardware capable of injecting input or maintaining covert remote interaction with an endpoint.
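As an added illustration (not code from the ITM page or from any endpoint product), the following Python sketch ties the measures above together: allow-list rules keyed on VID/PID with optional serial pinning, a stricter tier for high-risk hosts, and a per-host count of blocked attempts for the monitoring step. The rule format, host names, hardware identifiers and log lines are all constructed.

```python
# Added example: a small USB HID allow-list evaluator. Rule schema, hosts,
# VID/PID values and log lines are constructed; real products use their own.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    vid: str                        # USB vendor ID, 4 hex digits
    pid: str                        # USB product ID, 4 hex digits
    serial: Optional[str] = None    # None = any unit of this model

# Tiers: approved models org-wide; on high-risk hosts one serial-pinned unit.
ALLOW_LIST = {
    "standard":  [Rule("1a2b", "0001"), Rule("1a2b", "0002")],
    "high_risk": [Rule("1a2b", "0001", serial="KB-0042")],
}

def parse_hid_event(line: str) -> dict:
    """Parse a constructed log line 'host=.. class=HID vid=.. pid=.. serial=..'."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"host": f["host"], "vid": f["vid"].lower(),
            "pid": f["pid"].lower(), "serial": f.get("serial")}

def is_allowed(ev: dict, tier: str) -> bool:
    """True if the device matches a rule in the tier's allow-list."""
    return any(r.vid == ev["vid"] and r.pid == ev["pid"]
               and (r.serial is None or r.serial == ev["serial"])
               for r in ALLOW_LIST[tier])

def evaluate(lines, high_risk_hosts, repeat_threshold=3):
    """Allow/block each event; flag hosts whose blocked count hits the threshold."""
    decisions, blocked = [], Counter()
    for line in lines:
        ev = parse_hid_event(line)
        tier = "high_risk" if ev["host"] in high_risk_hosts else "standard"
        verdict = "allow" if is_allowed(ev, tier) else "block"
        decisions.append((ev["host"], ev["vid"], ev["pid"], verdict))
        if verdict == "block":
            blocked[ev["host"]] += 1
    alerts = sorted(h for h, n in blocked.items() if n >= repeat_threshold)
    return decisions, alerts

SAMPLE_LOG = [  # constructed device-control log lines, not real product output
    "host=ws-dev-01 class=HID vid=1A2B pid=0001 serial=KB-0042",  # pinned unit
    "host=ws-dev-01 class=HID vid=1A2B pid=0001 serial=KB-0099",  # wrong unit
    "host=ws-fin-07 class=HID vid=1A2B pid=0001 serial=KB-0099",  # standard host
    "host=ws-dev-01 class=HID vid=FFFF pid=0100 serial=none",     # unknown HID
    "host=ws-dev-01 class=HID vid=FFFF pid=0100 serial=none",     # unknown HID
]
```

Running `evaluate(SAMPLE_LOG, {"ws-dev-01"})` blocks the unpinned unit and the unknown device on the high-risk host and raises one alert for it, while the same unpinned keyboard is accepted on the standard host.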