“What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what I thought of when I heard about BadUSB.”Using 20 different USB-to-serial converters purchased online, Toecker tested his theory by disassembling each device and attempting to reprogram the internal chips. Ultimately, he found that he could not change the underlying functionality of the USB ports of 15 of the 20, including devices from ATMEGA, FTDI, WCH, Prolific and SiLabs. Nonetheless, Toecker points out that the remaining converters capable of being reprogrammed carry a significant risk. One chip in particular, TUSB 3410 from Texas Instruments, could allow an attacker to modify firmware, maintain persistence on a system, run code, as well as decline attempts to update the chip, Toecker said.
“Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that,” said Toecker. “That’s the badness of BadUSB.”"USB has always been a common and effective attack vector," said Tripwire Senior Security Analyst Ken Westin. "The BadUSB vulnerabilities that have been discovered further illustrates this utilizing a more sophisticated approach to compromising systems in comparison to other attacks, which also makes mitigation much more of a challenge." Westin adds its not surprising these vulnerabilities could also be exploited to target existing ICS. In fact, many of these types of systems are much more vulnerable due to the challenge of patching these systems and inherent vulnerabilities from systems not being designed with security in mind. "Combine BadUSB-style intrusions with Stuxnet and things just got a whole lot worse for securing these systems," said Westin.