Hm, this sounds like a software-based solution, right? But if you have software only letting certain data pass, couldn't the same software just be run by the main device instead of an intermediate one?
Two reasons speak for separate hardware for that purpose:
1: Conventional computers have no mechanism to indicate what you expect from a USB device, and you can't ask for confirmation that the user wanted to plug in a keyboard, because the user might need that keyboard to confirm this intention.
2: The USB software stack can be attacked at many layers, including firmware, generic OS code and the OS-chosen driver. That software stack varies depending on OS, motherboard, BIOS version, installed drivers etc. A hardware device can provide protection invariant to those factors.
I don't know off the top of my head about USB, but for FireWire there was a hack that allowed a malicious device to access all memory (read-write). Basically, a new device is placed on the DMA bus (for speed reasons) with no authentication and can do whatever it wants. There is a proof of concept that unlocks OS X, Windows, and a popular Linux desktop.
There was a USB bug where you could infect some USB controllers with mal-firmware that would spread like a worm! I believe the NSA was actively using this, but I might be mixing things up.
With a condom, a malicious device would have to take over two pieces of hardware, not just one. This is one advantage of a hardware solution.
The other advantage is, if there is an exploit in the USB filter software, the malware lands in my condom (hihi). It would likely have to be adapted to work on it and to move to my PC (the condom is ARM, has no network besides USB, can have a read-only file system, ...).