Vulnerabilities / Threats
12/3/2012
11:48 AM
50%
50%

DARPA Looks For Backdoors, Malware In Tech Products

In the wake of concerns about Huawei and ZTE equipment security, defense research agency seeks help identifying backdoors and malicious capabilities in software and firmware.

Does commercial, off-the-shelf software or hardware contain built-in backdoors to give foreign attackers direct access to corporate or government networks, or pose some other type of information security risk? The Department of Defense wants to find out.

The Defense Advanced Research Projects Agency (DARPA) Thursday published details of its new Vetting Commodity IT Software and Firmware (VET) program, which the agency said is designed to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices -- those commercial information technology devices bought by DOD -- to ensure they are free of hidden backdoors and malicious functionality."

DARPA's new program seeks to overcome three current, related technical challenges associated with that task: identifying which capabilities in a device could be malicious; using that list as a checklist to assess if any given device actually is malicious; and then using that knowledge to allow a non-technical expert to test every instance of every device before it gets rolled out in a Department of Defense network.

"DOD relies on millions of devices to bring network access and functionality to its users," said DARPA program manager Tim Fraser in a statement. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

[ Are the Iranians out to get us? See Frankenstory: Attack Of The Iranian Cyber Warriors. ]

The launch of DARPA's new program comes after the U.S. House of Representatives Permanent Select Committee on Intelligence in October 2012 issued a scathing report on Chinese telecommunications companies Huawei and ZTE, saying that they "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." The committee "strongly encouraged" businesses in the United States to look elsewhere for their technology.

That recommendation was not made based on an inspection of either vendors' firmware code, but rather by reviewing the companies' business practices. Still, the report raised a larger and much-more-difficult question: Did the devices actually contain built-in backdoors?

Unfortunately, answering that type of question can be quite difficult, as it necessitates both a complete review of the code base, as well as the ability to surmise which built-in capabilities may be put to nefarious use. Notably, one independent security expert who closely studied two different models of Huawei routers noted that existing bugs in the firmware, seemingly present due to sloppy coding, would have allowed a would-be attacker to compromise the devices, irrespective of any purpose-designed backdoor functionality being present.

DARPA will host a "proposer's day" December 12 in Arlington, Va., to brief anyone who's interested in participating in its new VET program.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
12/17/2012 | 8:18:34 AM
re: DARPA Looks For Backdoors, Malware In Tech Products
If the DOD is they worried about palate backdoor and other malicious item that will allow access to their systems and cause potential damage, the why not create in house software and hardware to know exactly what is and is not present? As far as the sloppy coding on the routers, we all know human error is the biggest reason for many mistakes. So this is an in house test they are performing on their own machines?

Paul Sprague
InformationWeek Contributor
John Foley
50%
50%
John Foley,
User Rank: Apprentice
12/3/2012 | 10:36:38 PM
re: DARPA Looks For Backdoors, Malware In Tech Products
The challenge of securing the federal IT supply chain is well known. (See InformationWeek Government's "Securing The Cyber Supply Chain" report from 2009.) Take that and multiple by a million mobile devices and apps, and you get a sense of what DOD is up against. The challenge is one of A) control [DOD has less of it in the mobile world], and B) unprecedented scale. DARPA acknowledges that, the perception at least, is that "this problem is simply unapproachable." It will be interesting, and not just for the Pentagon, to see what ideas are brought forward. Many large businesses face the same challenge.
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.