BadUSB Vulnerabilities Live in ICS Gear Too

BadUSB-style attacks against industrial control systems are theoretically possible, but bear watching according to Michael Toecker today at the Security Analyst Summit.

CANCUN – BadUSB was the hot hack of the summer of 2014. Noted researcher Karsten Nohl delivered a talk at Black Hat during which he explained how USB controller chips in peripheral devices that connect over USB can be reprogrammed. The result is a completely compromised device hosting undetectable code that could be used for a number of malicious purposes, including remote code execution or traffic redirection.

While the situation is bad enough for IT systems that would be in line for serious data loss, would the affect be similar on the processes under the watch of industrial control systems?

Today at the Kaspersky Lab Security Analyst Summit, Michael Toecker of Context Industrial Security delivered what he termed a public service announcement in which he explained how a riff on BadUSB attacks could indeed be carried out against industrial equipment.

While the risks are still admittedly theoretical, Toecker reported that USB-to-serial converters used to connect to critical hardware via old-school nine-pin serial ports can be abused to manipulate ICS gear by installing reprogrammed firmware.

“Engineers trust these [serial] connections more than Ethernet in ICS; if they have a choice, they pick serial vs Ethernet, because they trust that,” Toecker said. “What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what thought of when I heard about BadUSB.”

To test his theory, Toecker said he bought 20 different USB-to-serial converters online, ripped them apart and used a number of resources to try to figure out whether the chips inside them could be reprogrammed BadUSB style.

Of the 20, he learned that 15 from ATMEGA, FTDI, WCH, Prolific and SiLabs, were essentially not re-programmable.

“It wasn’t as bad as I thought,” Toecker said. “I was not able to change the underlying functionality via USB ports.”

Of the remaining converters, a processor from Texas Instruments, the TUSB 3410 was reprogrammable, making it a definite risk, Toecker said. An attacker who is able to modify firmware will be able to maintain persistence on a system, run code, or deny attempts to update existing issues on the chip. In the case of the TUSB 3410, the chip has two modes of operation, Toecker said; one is where firmware is pulled from a chip on the board, or another where firmware is pulled from a driver on the host machine.

“Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that,” Toecker said. “That’s the badness of BadUSB.”

BadUSB, for example, continues to propagate because it is persistent on the chip and undetectable. Mitigating the risk with USB-to-serial converters is that an attacker would have to be on an ICS system hosting the drivers.

“If you were to plug that USB-to-serial converter into anything else, it would not function because you did not have the correct drivers. But if you did have the correct drivers it would then go through the same process but provide good firmware,” Toecker said. “You have to own the host that’s on it. This is why it’s of a less severity of a normal BadUSB infection.”

Suggested articles