The key to this problem is the design goal that USB devices could do many different things. For example, a USB flash drive with malicious firmware could function as a USB keyboard. When you connect it to your computer, it could send keyboard-press actions to the computer as if someone sitting at the computer were typing the keys.