Vulnerabilities / Threats
12/3/2012
11:48 AM
50%
50%

DARPA Looks For Backdoors, Malware In Tech Products

In the wake of concerns about Huawei and ZTE equipment security, defense research agency seeks help identifying backdoors and malicious capabilities in software and firmware.

Does commercial, off-the-shelf software or hardware contain built-in backdoors to give foreign attackers direct access to corporate or government networks, or pose some other type of information security risk? The Department of Defense wants to find out.

The Defense Advanced Research Projects Agency (DARPA) Thursday published details of its new Vetting Commodity IT Software and Firmware (VET) program, which the agency said is designed to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices -- those commercial information technology devices bought by DOD -- to ensure they are free of hidden backdoors and malicious functionality."

DARPA's new program seeks to overcome three current, related technical challenges associated with that task: identifying which capabilities in a device could be malicious; using that list as a checklist to assess if any given device actually is malicious; and then using that knowledge to allow a non-technical expert to test every instance of every device before it gets rolled out in a Department of Defense network.

"DOD relies on millions of devices to bring network access and functionality to its users," said DARPA program manager Tim Fraser in a statement. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

[ Are the Iranians out to get us? See Frankenstory: Attack Of The Iranian Cyber Warriors. ]

The launch of DARPA's new program comes after the U.S. House of Representatives Permanent Select Committee on Intelligence in October 2012 issued a scathing report on Chinese telecommunications companies Huawei and ZTE, saying that they "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." The committee "strongly encouraged" businesses in the United States to look elsewhere for their technology.

That recommendation was not made based on an inspection of either vendors' firmware code, but rather by reviewing the companies' business practices. Still, the report raised a larger and much-more-difficult question: Did the devices actually contain built-in backdoors?

Unfortunately, answering that type of question can be quite difficult, as it necessitates both a complete review of the code base, as well as the ability to surmise which built-in capabilities may be put to nefarious use. Notably, one independent security expert who closely studied two different models of Huawei routers noted that existing bugs in the firmware, seemingly present due to sloppy coding, would have allowed a would-be attacker to compromise the devices, irrespective of any purpose-designed backdoor functionality being present.

DARPA will host a "proposer's day" December 12 in Arlington, Va., to brief anyone who's interested in participating in its new VET program.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
12/17/2012 | 8:18:34 AM
re: DARPA Looks For Backdoors, Malware In Tech Products
If the DOD is they worried about palate backdoor and other malicious item that will allow access to their systems and cause potential damage, the why not create in house software and hardware to know exactly what is and is not present? As far as the sloppy coding on the routers, we all know human error is the biggest reason for many mistakes. So this is an in house test they are performing on their own machines?

Paul Sprague
InformationWeek Contributor
John Foley
50%
50%
John Foley,
User Rank: Apprentice
12/3/2012 | 10:36:38 PM
re: DARPA Looks For Backdoors, Malware In Tech Products
The challenge of securing the federal IT supply chain is well known. (See InformationWeek Government's "Securing The Cyber Supply Chain" report from 2009.) Take that and multiple by a million mobile devices and apps, and you get a sense of what DOD is up against. The challenge is one of A) control [DOD has less of it in the mobile world], and B) unprecedented scale. DARPA acknowledges that, the perception at least, is that "this problem is simply unapproachable." It will be interesting, and not just for the Pentagon, to see what ideas are brought forward. Many large businesses face the same challenge.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2086
Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in the live preview in the Panopoly Magic module before 7.x-1.17 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a pane title.

CVE-2015-2087
Published: 2015-02-26
Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors.

CVE-2015-2088
Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Term Queue module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

CVE-2015-2089
Published: 2015-02-26
Multiple cross-site request forgery (CSRF) vulnerabilities in the CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin 2.0.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (...

CVE-2015-2090
Published: 2015-02-26
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for Wordpress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-admin/admin-ajax.php.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.