BadUSB was the hot hack of the summer of 2014. Noted researcher Karsten Nohl just delivered a talk at Black Hat during which he explained how the USB controller chips in peripheral devices that connect over USB can be reprogrammed. The result is a completely compromised device hosting undetectable code that could be used for a number of malicious purposes, including remote code execution or traffic redirection.
While the situation is bad enough for IT systems that would experience serious data loss, the prospects for breaches of industrial control systems would be far worse.
BadUSB attacks could be carried out against industrial equipment through the USB-to-serial converters that are generally used to connect to critical hardware via old-school nine-pin serial ports: a converter carrying reprogrammed firmware can be abused to manipulate ICS gear.
Engineers trust these connections more than Ethernet in ICS; given the choice, they pick serial over Ethernet because they trust it. What engineers don’t see is the bump in the wire that could be programmed maliciously.
A researcher recently bought 20 different USB-to-serial converters online, ripped them apart and used a number of resources to try to figure out whether the chips inside them could be reprogrammed BadUSB style.
Of the 20, he learned that 15, built around chips from ATMEGA, FTDI, WCH, Prolific and SiLabs, were essentially not reprogrammable. Among the remaining converters, however, a processor from Texas Instruments (the TUSB 3410) was indeed reprogrammable, which makes it a definite risk. An attacker could modify the firmware so that it maintains persistence on a system, runs specialized code, and/or blocks attempts to update the chip and fix existing issues. The TUSB 3410 has two modes of operation: in one, the firmware is pulled from a chip on the board; in the other, it is pulled from a driver on the host machine. In that second mode, the driver installed on the host provides the firmware to the device, which then runs it and does whatever that firmware is supposed to do. That is the potential impact of BadUSB on ICS firmware.
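As an added defender-side example (not code from the article or from the researcher's survey), the script below parses `lsusb` output, constructed here as sample text, and flags attached USB-to-serial converters whose chip the survey found reprogrammable (the TUSB3410) versus the five vendor families it found not reprogrammable. The vendor and product IDs in the table are my assumptions from the public USB-IF registry and should be verified on your own hosts before you rely on them.

```python
import re
from collections import namedtuple
# VID/PID table used to classify converters. The IDs are assumed from the public USB-IF
# registry, not taken from the article; confirm with `lsusb -v` or usb.ids on your hosts.
# TI's TUSB3410 is the one chip the article's survey found reprogrammable; the other
# five vendors were in its not-reprogrammable set.
REVIEW = "REVIEW: firmware loadable from on-board chip or host driver"
SURVEYED_OK = "vendor in the survey's not-reprogrammable set"
CHIP_FAMILIES = {
    (0x0451, 0x3410): ("TI TUSB3410", REVIEW),
    (0x0403, None): ("FTDI", SURVEYED_OK),
    (0x067B, None): ("Prolific", SURVEYED_OK),
    (0x10C4, None): ("SiLabs", SURVEYED_OK),
    (0x1A86, None): ("WCH", SURVEYED_OK),
    (0x03EB, None): ("Atmel/ATMEGA", SURVEYED_OK),
}
Finding = namedtuple("Finding", "bus device vid pid family note")
# Fixed prefix of an `lsusb` line: "Bus 001 Device 003: ID 0451:3410 ..."
LSUSB_LINE = re.compile(r"Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")

def classify(vid, pid):
    # Exact VID:PID match first, then vendor-only match, else unknown.
    if (vid, pid) in CHIP_FAMILIES:
        return CHIP_FAMILIES[(vid, pid)]
    if (vid, None) in CHIP_FAMILIES:
        return CHIP_FAMILIES[(vid, None)]
    return ("unknown", "not a surveyed converter family; inventory separately")

def scan_lsusb(output):
    # Parse `lsusb` text and classify every device line it contains.
    findings = []
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        bus, dev, vid_s, pid_s = m.groups()
        vid, pid = int(vid_s, 16), int(pid_s, 16)
        family, note = classify(vid, pid)
        findings.append(Finding(bus, dev, vid, pid, family, note))
    return findings

def needs_review(findings):
    # Converters whose firmware can be replaced (the TUSB3410 case from the article).
    return [f for f in findings if f.note == REVIEW]
# Constructed sample output in lsusb's format; the description strings are illustrative.
SAMPLE = """\
Bus 001 Device 002: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 003: ID 0451:3410 Texas Instruments, Inc. TUSB3410 Microcontroller
Bus 002 Device 004: ID 1a86:7523 QinHeng Electronics CH340 serial converter
"""
```

Run `needs_review(scan_lsusb(SAMPLE))` to get the converters to pull for firmware review; on a real host feed it the output of `lsusb` instead of `SAMPLE`.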
Either way, it represents a paved road into ICS operations for any reasonably skilled hacker, and an example of the serious dangers to any and all industrial control systems that rely on PLCs and reprogrammable processors created before we all even thought about espionage in this context.