Categories: HackingSecurity

BadUSB attack and the Industrial control systems

Industrial control systems are in danger of being hacked by using a modified version of the BadUSB attack says Michael Toecker in his presentation at the Security Analyst Summit 2015 in Cancun.

Not that long ago, BadUSB swept across the cybersecurity community as one of the hottest hacks of the year. BadUSB featured the ability to modify the firmware of USB controller chips of many USB devices, with focus mainly on USB flash drives. Of course, a plethora of other devices, including webcams, USB keyboards, touchpads, etc., can potentially be compromised in much the same way. Once the device is infected with the malicious code, there is practically no way to find out or to remove it – making it a perfect tool for APT groups.

Now, a new threat has emerged – consider it to be a BadUSB attack for industrial control systems (ICS). Michael Toecker of Context Industrial Security proposed just that at the Security Analyst Summit 2015. In his talk, Toecker proposed how such an attack might be carried out.

At this point, the attack is only theoretical, but there is no valid reason to believe it cannot be executed. He proposed that the USB-to-serial converters that are being used to connect to the older critical hardware can have their firmware reprogrammed and can be abused to manipulate the ICS gear.

“Engineers trust these [serial] connections more than Ethernet in ICS; if they have a choice, they pick serial vs Ethernet, because they trust that,” says Toecker. “What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what I thought of when I heard about BadUSB.”

Toecker tested his theory on 20 different USB-to-serial converters that he purchased online. He disassembled each one to examine what chips they use and whether these are reprogrammable. To his surprise, 15 of the 20 chips were not reprogrammable. These include chips from ATMEGA, FTDI, WCH, Prolific, and SiLabs.

The remaining chips carried the risk of being reprogrammed, including a chip TUSB 3410 from Texas Instruments. This particular chip has two modes of operation, one where the firmware from a chip on the board is used and the other where the firmware is downloaded from the host machine.

“Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that. That’s the badness of BadUSB,” informs Toecker. “If you were to plug that USB-to-serial converter into anything else, it would not function because you did not have the correct drivers. But if you did have the correct drivers it would then go through the same process but provide good firmware,” Toecker said. “You have to own the host that’s on it. This is why it’s of a less severity of a normal BadUSB infection.”

About the Author Michal Nemcok is a Content Editor and a Public and Media Relations person at LIFARS LLC, an international cybersecurity and digital forensics firm. He is an avid technology enthusiast with focus on cybersecurity. He writes periodically for LIFARS. His writing covers a variety of topics, including offensive/defensive cybersecurity, data breaches, trending news, how-to’s, analyses, hacking, and more. Connect with him on LinkedIn and follow him on twitter. Click here for more of his writing.

Edited by Pierluigi Paganini

(Security Affairs –  BadUSB , ICS)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

5 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

11 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

23 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.