I have written firmware for USB devices. These attacks are a genuine threat, because a USB device can pretend to be whatever it has to be to get the OS to load an exploitable driver, and then the exploited system can infect other USB devices by rewriting their firmware.