MacOS has a pop up that tries to identify the keyboard layout. If this screen came up when I plugged something in that wasn’t a keyboard, I would assume the device was malicious.
It is probably possible to automate the keystrokes to quickly kill this screen though.
If I were a bad actor with the resources, I would dedicate more engineering effort to making the device subtle. It would try to remain invisible until a mouse/keyboard was plugged into the dock. The interceptor would then read that fingerprint and present that to the host OS, keeping the user unaware of the middleman.
My point is that no matter what you tell the OS, there will still be one more device connected than expected. If you plug in a keyboard and two are suddenly connected, it’s still very noticeable. This counting problem is occurring at the hardware level in the USB hubs and host. The attacker needs to compromise an external hub to behave like a USB protocol analyzer capable of intercepting and modifying data seamlessly in order for an attack like this to be anything other than trivially detectable. Fitting something like that into an existing enclosure means writing lots of low level code and embedded hardware design which is a different level of difficulty.
Sorry, I think I misunderstood your original comment - we’re having the same thought with MITM. Definitely more technically challenging but much harder to detect.
It is probably possible to automate the keystrokes to quickly kill this screen though.