Search the Community

CANCUN – BadUSB was the hot hack of the summer of 2014. Noted researcher Karsten Nohl delivered a talk at Black Hat during which he explained how USB controller chips in peripheral devices that connect over USB can be reprogrammed. The result is a completely compromised device hosting undetectable code that could be used for a number of malicious purposes, including remote code execution or traffic redirection. While the situation is bad enough for IT systems that would be in line for serious data loss, would the affect be similar on the processes under the watch of industrial control systems? Today at the Kaspersky Lab Security Analyst Summit, Michael Toecker of Context Industrial Security delivered what he termed a public service announcement in which he explained how a riff on BadUSB attacks could indeed be carried out against industrial equipment. While the risks are still admittedly theoretical, Toecker reported that USB-to-serial converters used to connect to critical hardware via old-school nine-pin serial ports can be abused to manipulate ICS gear by installing reprogrammed firmware. “Engineers trust these [serial] connections more than Ethernet in ICS; if they have a choice, they pick serial vs Ethernet, because they trust that,” Toecker said. “What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what thought of when I heard about BadUSB.” To test his theory, Toecker said he bought 20 different USB-to-serial converters online, ripped them apart and used a number of resources to try to figure out whether the chips inside them could be reprogrammed BadUSB style. Of the 20, he learned that 15 from ATMEGA, FTDI, WCH, Prolific and SiLabs, were essentially not re-programmable. “It wasn’t as bad as I thought,” Toecker said. “I was not able to change the underlying functionality via USB ports.” Of the remaining converters, a processor from Texas Instruments, the TUSB 3410 was reprogrammable, making it a definite risk, Toecker said. An attacker who is able to modify firmware will be able to maintain persistence on a system, run code, or deny attempts to update existing issues on the chip. In the case of the TUSB 3410, the chip has two modes of operation, Toecker said; one is where firmware is pulled from a chip on the board, or another where firmware is pulled from a driver on the host machine. “Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that,” Toecker said. “That’s the badness of BadUSB.” BadUSB, for example, continues to propagate because it is persistent on the chip and undetectable. Mitigating the risk with USB-to-serial converters is that an attacker would have to be on an ICS system hosting the drivers. “If you were to plug that USB-to-serial converter into anything else, it would not function because you did not have the correct drivers. But if you did have the correct drivers it would then go through the same process but provide good firmware,” Toecker said. “You have to own the host that’s on it. This is why it’s of a less severity of a normal BadUSB infection.” Source

Un grup de cercetatori de la Caltech au reusit o noua performanta in domeniul microchip-urilor: au realizat un astfel de dispozitiv ce se poate repara singur daca se intampla ceva. Sau, mai corect spus, gaseste o metoda pentru a ramane functional, in ciuda unor defectiuni majore. Performanta a fost posibila prin integrarea unui procesor, cu sarcina de a analiza structura si integritatea chip-ului, si de a gasi o solutie de a indeplini o sarcina cu performanta maxima si consum minim. Astfel, cand chip-ul este intreg, procesorul sau cauta fie varianta in care poate rezolva mai repede o sarcina, fie varianta in care o poate face cu un consum electric cat mai mic. Dar daca, cum s-a intamplat in experimentele lor, ceva strica o parte din chip, procesorul reuseste sa gaseasca noi cai de transmitere a energiei electrice si a informatiei. Sigur, se peride performanta si eficienta, dar macar se pastreaza functia. Cei de la Caltech au distrus cu o raza laser peste jumatate dintre tranzistorii unui astfel de chip, dar in numai cateva milisecunde sarcinile puteau fi in continuare duse la bun sfarsit. Cercetatorii spun ca tehnologia inventata de ei poate fi aplicata oricarui chip din ziua de azi, pentru ca procesorul dedicat nu trebuie integrat direct, ci poate fi si atasat, intr-un plan diferit. Ramane insa de vazut daca marii producatori vor fi interesati de aceasta realizare. Pentru ca, pana la urma, un chip stricat este un potential nou dispozitiv achizitionat, ceea ce le convine de minune. Sursa: Chip-uri care se repara singure | Arena IT