BadUSB attack and the Industrial control systems

Industrial control systems are in danger of being hacked by using a modified version of the BadUSB attack says Michael Toecker in his presentation at the Security Analyst Summit 2015 in Cancun.

Not that long ago, BadUSB swept across the cybersecurity community as one of the hottest hacks of the year. BadUSB featured the ability to modify the firmware of USB controller chips of many USB devices, with focus mainly on USB flash drives. Of course, a plethora of other devices, including webcams, USB keyboards, touchpads, etc., can potentially be compromised in much the same way. Once the device is infected with the malicious code, there is practically no way to find out or to remove it – making it a perfect tool for APT groups.

Now, a new threat has emerged – consider it to be a BadUSB attack for industrial control systems (ICS). Michael Toecker of Context Industrial Security proposed just that at the Security Analyst Summit 2015. In his talk, Toecker proposed how such an attack might be carried out.

At this point, the attack is only theoretical, but there is no valid reason to believe it cannot be executed. He proposed that the USB-to-serial converters that are being used to connect to the older critical hardware can have their firmware reprogrammed and can be abused to manipulate the ICS gear.

“Engineers trust these [serial] connections more than Ethernet in ICS; if they have a choice, they pick serial vs Ethernet, because they trust that,” says Toecker. “What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what I thought of when I heard about BadUSB.”

Toecker tested his theory on 20 different USB-to-serial converters that he purchased online. He disassembled each one to examine what chips they use and whether these are reprogrammable. To his surprise, 15 of the 20 chips were not reprogrammable. These include chips from ATMEGA, FTDI, WCH, Prolific, and SiLabs.

The remaining chips carried the risk of being reprogrammed, including a chip TUSB 3410 from Texas Instruments. This particular chip has two modes of operation, one where the firmware from a chip on the board is used and the other where the firmware is downloaded from the host machine.

“Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that. That’s the badness of BadUSB,” informs Toecker. “If you were to plug that USB-to-serial converter into anything else, it would not function because you did not have the correct drivers. But if you did have the correct drivers it would then go through the same process but provide good firmware,” Toecker said. “You have to own the host that’s on it. This is why it’s of a less severity of a normal BadUSB infection.”

About the Author Michal Nemcok is a Content Editor and a Public and Media Relations person at LIFARS LLC, an international cybersecurity and digital forensics firm. He is an avid technology enthusiast with focus on cybersecurity. He writes periodically for LIFARS. His writing covers a variety of topics, including offensive/defensive cybersecurity, data breaches, trending news, how-to’s, analyses, hacking, and more. Connect with him on LinkedIn and follow him on twitter. Click here for more of his writing.

Edited by Pierluigi Paganini

(Security Affairs –  BadUSB , ICS)