by sharth 4107 days ago
One of the suggested alternate modes in the specification is a PCIe bus. This would most likely support bus mastering, and thus a full DMA engine.

This certainly requires some host cooperation, but I imagine that the fear is that these drivers start to be distributed in the OS by default.

One of the BadUSB vectors is a USB keyboard, which is a fairly well expected driver to be included with the OS.

1 comments

Is it possible to whitelist USB (or Thunderbolt for that matter) devices and prevent all others from connecting?

It is fairly common for me to connect a USB keyboard, but it is pretty rare for me to connect an unknown keyboard.

It's possible to filter based on vendor ID and device ID, but the device ID is shared (it's more of a product ID), and both can be faked of course. On Linux it's handled via udev, on Windows via group policies (since Server 2008/Vista), on OS X it might be possible via MDM, in the Server application (I'm not sure).
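
The udev approach mentioned in the last comment, as an added example that is not part of the thread: a small generator that turns a vendor:product allowlist into udev rules setting the kernel's per-device `authorized` attribute. It assumes the kernel boots with `usbcore.authorized_default=0`; the sample IDs are constructed placeholders. Because the IDs are self-reported, this keeps out unknown devices but not one that copies an allowlisted pair.

```shell
#!/bin/sh
# Added example (not from the thread): build udev rules from a VID:PID allowlist.
# Assumption: the kernel boots with usbcore.authorized_default=0, so newly
# attached USB devices stay deauthorized until a rule writes authorized=1.

# Constructed sample allowlist; the IDs are placeholders, not real products.
SAMPLE_ALLOWLIST='# vendor:product  note
1234:ABCD  desk keyboard
1234:00ef  desk mouse
zzzz:0001  malformed, must be rejected
1234:abcd1 too long, must be rejected'

# gen_usb_rules: read "vid:pid [note]" lines on stdin, print one udev rule per
# valid entry. Returns 1 if any entry was malformed.
gen_usb_rules() {
    _rc=0
    while read -r ids _note || [ -n "$ids" ]; do
        case "$ids" in ''|'#'*) continue ;; esac
        # sysfs exposes idVendor/idProduct as lowercase hex
        ids=$(printf '%s' "$ids" | tr 'A-F' 'a-f')
        case "$ids" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f])
                printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
                printf 'ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ' "${ids%%:*}" "${ids##*:}"
                printf 'ATTR{authorized}="1"\n'
                ;;
            *)
                echo "rejected allowlist entry: $ids" >&2
                _rc=1
                ;;
        esac
    done
    return "$_rc"
}

# Demo on the constructed sample; redirect stdout to a rules file of your choice.
printf '%s\n' "$SAMPLE_ALLOWLIST" | gen_usb_rules || echo "some entries rejected" >&2
```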