IoT | Commentary
Ang Cui
10/24/2018 02:30 PM

Tackling Supply Chain Threats

Vendor-supplied malware is a threat that has been largely overlooked. That has to change.

The technology products that drive today's businesses are increasingly produced through a highly diversified and complex international supply chain. Whether it is standard networking gear or a more specialized device like a human-machine interface or remote terminal unit, equipment is often developed through an elaborate web of OEMs, chip makers, parts suppliers, software/hardware designers, and outsourced production facilities. This makes it difficult to audit device security and introduces many opportunities for bad actors to make malicious changes to the hardware or software of the equipment.

Supply chain risks have come into greater focus recently, particularly after the Defense Authorization Act included a ban on the use of certain foreign-made telecommunications equipment by US government agencies and contractors. Other recent incidents, like the discovery of the Spectre and Meltdown computer chip flaws and a hidden Management Engine in Intel chipset platforms, continue to highlight the risks companies may face from vulnerabilities in key technology products.

Firmware Threats
The most significant of these supply chain threats is found in firmware-based malware. Firmware-level threats are exceptionally difficult to combat because security firms and corporate end users often lack visibility into this code and therefore do not know exactly what is running on these devices.

Almost all embedded devices run a proprietary operating system that gives the user no access to it and no say over it. On Windows and macOS the user can directly see and manage every running process; on embedded devices, by contrast, the manufacturer retains total control over the device and its software. In most cases, end users cannot manage or repair these devices themselves, and even security patches often cannot be installed without calling the manufacturer for service.

To further complicate matters, the OS/firmware of each embedded device is often unique. These devices lack the uniformity and standardization found in other product categories, such as desktops, servers, and other networking gear.

Because these threats originate in the seemingly legitimate supply chain, they are most likely to be found inside signed code within the firmware. Implants, backdoors, remote networking channels, hard-coded passwords, debug modes, and the like could be lurking in what appears to be legitimate code. Over-the-air firmware updates are another risk: the update mechanism could be used maliciously by the vendor, or simply be poorly implemented and thus vulnerable to compromise.

Persistent Implant Finder
The US Department of Homeland Security's Science & Technology Directorate (DHS S&T) is working with private industry on new efforts to analyze devices at the firmware level and detect hidden threats which could be exploited by a malicious actor.

One of the DHS S&T-funded technologies is a privately developed tool called Persistent Implant Finder (PIF). PIF automatically unpacks and analyzes device firmware to discover malicious implants and vulnerabilities. PIF has a modular design that integrates multiple firmware analyzers, both device family-specific analyzers and generic ones. These analyzers search for a variety of hidden implants, including password backdoors, active malware rootkits, and network service backdoors. PIF was developed to be compatible with the industry's network vulnerability-scanning products and services.

Using the PIF malware test bed, we have already uncovered multiple suspect devices, including a point-of-sale (PoS) system and a smart watch in which suspicious software was pre-installed at the vendor level and is capable of installing firmware updates and communicating user data to unknown parties.

In the case of the PoS device, its pre-installed app actively reaches out to the Adups.com domain, which has previously been caught exfiltrating sensitive data, including text messages from Android phones. PIF detected capabilities in this PoS device similar to those cited by Kryptowire in a 2016 report analyzing Shanghai Adups Technology Co. Ltd.'s firmware on low-cost Android phones. The pre-installed PoS app that PIF analyzed has full root privilege, is capable of gathering extensive user data from the device, and is actively communicating back to a foreign-based server through an encrypted channel.
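The PIF workflow described above (unpack the firmware, then run pluggable analyzers that look for password backdoors, network service backdoors and outbound contacts to unlisted hosts, as in the PoS case) can be sketched as a small modular analyzer. This is an added example, not PIF or any Red Balloon code; the firmware image, its file contents, the hostnames and the vendor allowlist are all constructed for illustration.

```python
import io
import re
import tarfile

# Constructed firmware image: a tar archive built in memory standing in for an
# unpacked root filesystem. No path, hash or hostname here comes from a real device.
SAMPLE_FS = {
    "etc/shadow": b"root:$1$c0nst$ructedhash:17000:0:99999:7:::\nsvc:*:17000:0:99999:7:::\n",
    "etc/init.d/S99debug": b"#!/bin/sh\n/usr/sbin/telnetd -l /bin/sh -p 2323 &\n",
    "usr/bin/telemetryd": b"\x7fELF\x01\x01\x01\x00 POST /collect HTTP/1.1\r\nHost: stats.vendor-example.invalid\r\n",
    "usr/bin/httpd": b"\x7fELF\x01\x01\x01\x00 Host: update.vendor-example.invalid\r\n",
}
KNOWN_HOSTS = {"update.vendor-example.invalid"}  # assumed vendor allowlist (constructed)

def build_image(files):
    """Pack the sample files into a tar blob so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def unpack(image):
    """Unpack step: turn the firmware blob into {path: bytes} for the analyzers."""
    with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}

# Pluggable analyzers, each taking (path, content) and returning detail strings.
def password_backdoor(path, data):
    """A shipped /etc/shadow with a usable hash means a factory-fixed password."""
    rows = [l.split(":") for l in data.decode(errors="replace").splitlines()] if path.endswith("etc/shadow") else []
    return [f"fixed password hash for '{r[0]}'" for r in rows if len(r) > 1 and r[1] not in ("", "*", "!", "!!")]

def network_service_backdoor(path, data):
    """Init scripts that expose an unauthenticated root shell (telnetd -l /bin/sh)."""
    hits = re.finditer(rb"telnetd[^\n]*-l\s*/bin/sh[^\n]*", data) if "init.d" in path else []
    return [f"unauthenticated shell service: {m.group(0).decode()}" for m in hits]

def unknown_beacon(path, data):
    """Hostnames baked into binaries that are not on the vendor allowlist."""
    hosts = {m.group(1).decode() for m in re.finditer(rb"Host: ([a-z0-9.-]+)", data)}
    return [f"contacts unlisted host {h}" for h in sorted(hosts - KNOWN_HOSTS)]

ANALYZERS = [password_backdoor, network_service_backdoor, unknown_beacon]

def analyze(image, analyzers=ANALYZERS):
    """Run every analyzer over every unpacked file; returns (analyzer, path, detail) triples."""
    return [(a.__name__, p, d) for p, data in unpack(image).items() for a in analyzers for d in a(p, data)]
```

Running `analyze(build_image(SAMPLE_FS))` flags the fixed root hash, the telnet root shell started at boot, and the telemetry binary's unlisted host, while the allowlisted update host produces no finding.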

Mitigating Supply Chain Threats
The threat of vendor-supplied malware is difficult for organizations to confront unless they are able to unpack and analyze the device's firmware, either with an automated tool like PIF or through penetration testing. Companies should strongly consider conducting this type of in-depth security analysis of the technologies they rely upon.

Most importantly, companies should limit their technology purchases to reputable manufacturers only. That means avoiding acquisitions through resellers and other third-party agencies or websites, where it is more difficult to tell the true origin, authenticity, and security of a device. Companies that require a higher level of security may want to consider going one step further by limiting their purchases to General Services Administration–approved vendors.

Additionally, it is always important to implement a defense-in-depth approach. This includes network segmentation, employee access control, strong password policies, reducing or eliminating remote access, utilizing strong encryption, and separating sensitive networks with proper air-gapping. Auditing third-party contractors is also critical.

Conclusion
Vendor-supplied malware is a threat that has been largely overlooked. Between the increase in supply chain diversification and state-sponsored cyber espionage, it is critical for companies to understand how they might be exposed to this risk.

Defending against firmware-level threats isn't easy unless the company is able to analyze the firmware itself. In any case, companies should also run a layered security program to reduce their overall risk.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ...