Last summer, security researchers Karsten Nohl and Jakob Lell developed a malware program, dubbed ‘BadUSB,’ to demonstrate how insecurely USB devices are developed. The pair of security researchers revealed how they managed to reprogram the firmware on removable USB drives to include malicious code, giving potential attackers the ability to take over PCs, redirect Internet traffic and more. Recently, however, additional findings showed these attack vectors could also bring danger to industrial control systems (ICS). According to Security Engineer Michael Toecker of Context Industrial Security, USB-to-serial converters used to connect to older critical hardware could be used to manipulate industrial systems if reprogrammed firmware were installed on them. Although Toecker notes this type of attack is only theoretical, the potential risks could bring devastating consequences. “Engineers trust these [serial] connections more than Ethernet in ICS,” said Toecker. “If they have a choice, they pick serial vs Ethernet, because they trust that.
“What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what I thought of when I heard about BadUSB.”
Using 20 different USB-to-serial converters purchased online, Toecker tested his theory by disassembling each device and attempting to reprogram the internal chips. Ultimately, he found that he could not change the underlying functionality of the USB ports on 15 of the 20, including devices from ATMEGA, FTDI, WCH, Prolific and SiLabs. Nonetheless, Toecker points out that the remaining converters, which could be reprogrammed, carry a significant risk. One chip in particular, the TUSB3410 from Texas Instruments, could allow an attacker to modify firmware, maintain persistence on a system, run code, and reject attempts to update the chip, Toecker said.
“Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that,” said Toecker. “That’s the badness of BadUSB.”
"USB has always been a common and effective attack vector," said Tripwire Senior Security Analyst Ken Westin. "The BadUSB vulnerabilities that have been discovered further illustrate this, utilizing a more sophisticated approach to compromising systems in comparison to other attacks, which also makes mitigation much more of a challenge." Westin adds it's not surprising these vulnerabilities could also be exploited to target existing ICS. In fact, many of these types of systems are much more vulnerable because they are difficult to patch and because they carry inherent vulnerabilities from not being designed with security in mind. "Combine BadUSB-style intrusions with Stuxnet and things just got a whole lot worse for securing these systems," said Westin.