Last summer, security researchers Karsten Nohl and Jakob Lell developed the BadUSB malware program to show how insecure USB devices are. They later demonstrated at the Black Hat conference in Las Vegas how they were able to reprogramme the firmware on the removable USB devices to include malicious code, a tactic which could potentially be used by attackers to take over PCs and also direct internet traffic.
Now, another security researcher has claimed that a similar attack could theoretically work against older industrial control systems (ICS).
Michael Toecker, of Context Industrial Security, was presenting at Kaspersky's Security Analyst Conference in Cancun earlier this week where he revealed how USB-to-serial connections could be used to manipulate such systems by installing re-programmed firmware.
“Engineers trust these [serial] connections more than Ethernet in ICS,” said Toecker. “If they have a choice, they pick serial vs Ethernet, because they trust that.”
Toecker purchased 20 different converters online and tested his theory by taking apart each device and then attempting to reprogramme the internal chips. He was unable to change the underlying functionality of 15 of the converters, including devices built on ATMEGA, FTDI, WCH, Prolific and SiLabs chips.
However, Toecker pointed out that the remaining converters capable of being reprogrammed carry a significant risk. One chip in particular, the TUSB 3410 from Texas Instruments (TI), could allow an attacker to modify firmware, maintain persistence on a system, run code, and decline attempts to update the chip.
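The check a defender would want after Toecker's findings is a simple inventory: which USB-to-serial bridge chips are plugged into engineering hosts, and which of them belong to the family he found reprogrammable. The script below is an added example (not from the article or from Context Industrial Security) that parses `lsusb` output and flags bridge chips; the vendor/product IDs are the USB-IF assignments used by the Linux usb-serial drivers and are my assumption rather than values from the article, and the sample `lsusb` lines are constructed.

```python
"""Flag USB-to-serial bridge chips in `lsusb` output.

The "reprogrammable" column mirrors only what the article reports from
Toecker's test: TI TUSB3410 yes; FTDI, Prolific, SiLabs, WCH, ATMEGA no.
Vendor-wide entries (pid=None) are coarse: a vendor ID can cover devices
that are not serial bridges, so treat those hits as "review", not proof.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    family: str
    reprogrammable: bool


# (vendor_id, product_id or None for any product) -> bridge family.
# IDs assumed from the USB-IF registry / Linux usb-serial drivers, not the article.
KNOWN_BRIDGES = {
    (0x0451, 0x3410): Bridge("TI TUSB3410", True),
    (0x0403, None): Bridge("FTDI", False),
    (0x067B, None): Bridge("Prolific", False),
    (0x10C4, None): Bridge("Silicon Labs CP210x", False),
    (0x1A86, None): Bridge("WCH CH34x", False),
}

LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)


def scan(lsusb_output: str) -> list[dict]:
    """Return one finding per line whose IDs match a known bridge family."""
    findings = []
    for line in lsusb_output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # skip blank or non-lsusb lines
        vid, pid = int(m.group(3), 16), int(m.group(4), 16)
        bridge = KNOWN_BRIDGES.get((vid, pid)) or KNOWN_BRIDGES.get((vid, None))
        if bridge is None:
            continue
        findings.append({"bus": m.group(1), "device": m.group(2),
                         "id": f"{vid:04x}:{pid:04x}", "name": m.group(5),
                         "family": bridge.family,
                         "reprogrammable": bridge.reprogrammable})
    return findings


def needs_review(lsusb_output: str) -> list[dict]:
    """Only the bridges whose firmware was found modifiable in the test."""
    return [f for f in scan(lsusb_output) if f["reprogrammable"]]


# Constructed sample output in lsusb's format (not captured from a real host).
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 005: ID 0451:3410 Texas Instruments, Inc. TUSB3410 Microcontroller
Bus 001 Device 006: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 002 Device 003: ID 10c4:ea60 Silicon Labs CP210x UART Bridge
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LSUSB):
        flag = "REVIEW" if f["reprogrammable"] else "ok"
        print(f"{flag:6} {f['id']} {f['family']:22} {f['name']}")
```

On a real host replace `SAMPLE_LSUSB` with the output of `lsusb`; a `REVIEW` hit on a machine that is supposed to talk serial to a PLC is worth a look at where the converter came from.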
Roger Jefferiss, SCADA expert and tester at Pen Test Partners, told SCMagazineUK.com that BadUSB could be used for an assortment of attacks, although both he – and the firm's managing director, Ken Munro – said that a malware-infected laptop would be an easier way to infect such systems.
“While some ICS/SCADA devices use the USB port to update firmware and/or configuration others are still without USB connectivity, limiting the possible impact of this type of attack, or so you would think.
“The seeming flexibility of BadUSB means that it could be delivered via an SD card. In fact more and more, vendors are sending out updates on USB sticks AND SD cards, or instructing engineers to download updates onto them.
“A possible attack could be to infect a HMI screen via an SD card, to create a backdoor or change the behaviour of the screen, e.g. to show incorrect values - such as an empty tank when it is full.
“Another angle is that sometimes the configuration for SCADA devices is shared between one engineer and another via USB devices; this would be the vector to get a back door onto the ICS/SCADA engineer's laptop.”
Munro added in an email exchange: “My first thought was ‘why bother with BadUSB’? In many cases, the infection vector for an ICS is going to be an engineer updating a PLC using a laptop. The laptop is infected, unknown to the engineer. In that case, they will have sufficient privilege for an attack along the lines of Stuxnet, modifying PLC ladder logic.
“The BadUSB attack is likely to be more stealthy; I accept that. The state of security of serial-IP interfaces is not great generally; this attack is just one of many that would work. Sometimes they're so much simpler than this – such as GSM serial-IP convertors, on the public mobile network with default passwords.”
However, security researcher Joel Langill, who has worked on implementing large DCS and SCADA systems for over 30 years, cautioned in an email to SC: “The USB vector has always been one of concern, and also one to consider when addressing the overall unmitigated risk of an industrial control system.
“BadUSB is no different. There are other USB vectors that should also be considered, including the impact of a rogue human-interface device (HID) that can also be inserted into a USB and inject keyboard commands that could lead to a system compromise. The one aspect that many overlook is that more robust ICS like distributed control systems (DCS) do not typically use many USB devices for continuous, on-line functionality.
“These DCS systems tend to be much closer to the actual ‘critical infrastructure’ and have numerous features that address not only security, but system robustness, fault-tolerance, and authenticity of commands. What those that work with ICS within CI and CNI should consider is that, in addition to vetting suppliers of critical system components, appropriate defence-in-depth techniques should be implemented to mitigate the risk introduced from the compromise of any single component.
“In Michael's case, USB-to-serial converters are not typical in critical control applications. They may be used for engineering functions, but are then removed from the system. I do not see any measurable risk that such a compromised USB device could translate into the compromise of a level 1 ICS component like a BPCS, SIS or PLC.”