I think people need to keep in mind that "disconnect it from the Internet, it shouldn't have been on the internet" doesn't fix this. If the injection works from USB devices, then the typical field engineer is not going to scrub their USB before downloading the field upgrade. Almost everything worldwide now uses USB as a field-upgrade path. Maybe as a cost-cutting and simplification method this was OK, but the risk side? Way, way above the benefit (in my opinion).<p>What mitigates this (if anything does) is signed code on media you have to work harder to program. Rather than a USB device, this should be some form of media which doesn't present as a bootable device to a BIOS/UEFI. The field unit should have signature checks over images based on PKI. This is what a lot of things do, but somehow it seems not the ones which matter here?<p>Field upgrade by kermit or xymodem would be better than this, in that narrow regard. The risk of an unexpected packet hitting the code path is lower if the code upgrade is reading a byte stream for a hash/sig check, compared to mounting a USB device, loading drivers, enabling HID mode ...<p>I deliberately avoided working in engineering contexts where the risk was above my comfort factor. It ruled out industrial process control, health, civil engineering and a host of fascinating fields, but I was just too worried about the liability side and my own competency to work in these areas.<p>I did not foresee (inter)net technology becoming so critical it exposed all of these risks, in my core competency. I still feel inadequate to these risks, 37 years later.
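
The byte-stream hash/signature check the comment describes, as an added example that is not part of the original comment: the receiver only hashes and stages incoming bytes, and releases the image after an RSA PKCS#1 v1.5 signature over its SHA-256 digest verifies against a pinned key. The frame layout (4-byte length, image, signature), all function names, and the demo key built from two Mersenne primes are assumptions made for this sketch.

```python
import hashlib, hmac, struct

# Constructed demo key: two Mersenne primes. NOT secure, it only keeps the example offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8            # signature length in bytes
SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")
MAX_IMAGE = 1 << 20                      # refuse oversized length fields

def _encode(digest):
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || digest
    t = SHA256_DI + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign_for_demo(image):
    # Stands in for the vendor's offline signing step; never runs on the field unit.
    d = pow(E, -1, (P - 1) * (Q - 1))
    em = int.from_bytes(_encode(hashlib.sha256(image).digest()), "big")
    sig = pow(em, d, N).to_bytes(K, "big")
    return struct.pack(">I", len(image)) + image + sig

def _read_exact(stream, n):
    buf = stream.read(n)
    if len(buf) != n:
        raise ValueError("truncated stream")
    return buf

def receive_image(stream, chunk=4096):
    """Return image bytes only if the signature verifies; raise otherwise."""
    (length,) = struct.unpack(">I", _read_exact(stream, 4))
    if length > MAX_IMAGE:
        raise ValueError("length field exceeds limit")
    h, staged = hashlib.sha256(), bytearray()
    while len(staged) < length:
        part = _read_exact(stream, min(chunk, length - len(staged)))
        h.update(part)                   # bytes are only hashed and staged, never parsed
        staged += part
    sig = int.from_bytes(_read_exact(stream, K), "big")
    if sig >= N:
        raise ValueError("signature out of range")
    recovered = pow(sig, E, N).to_bytes(K, "big")
    # Compare the full encoded block so padding tricks cannot slip through.
    if not hmac.compare_digest(recovered, _encode(h.digest())):
        raise ValueError("signature check failed")
    return bytes(staged)
```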