Vulnerabilities / Threats
12/3/2012
11:48 AM
50%
50%

DARPA Looks For Backdoors, Malware In Tech Products

In the wake of concerns about Huawei and ZTE equipment security, defense research agency seeks help identifying backdoors and malicious capabilities in software and firmware.

Does commercial, off-the-shelf software or hardware contain built-in backdoors to give foreign attackers direct access to corporate or government networks, or pose some other type of information security risk? The Department of Defense wants to find out.

The Defense Advanced Research Projects Agency (DARPA) Thursday published details of its new Vetting Commodity IT Software and Firmware (VET) program, which the agency said is designed to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices -- those commercial information technology devices bought by DOD -- to ensure they are free of hidden backdoors and malicious functionality."

DARPA's new program seeks to overcome three current, related technical challenges associated with that task: identifying which capabilities in a device could be malicious; using that list as a checklist to assess if any given device actually is malicious; and then using that knowledge to allow a non-technical expert to test every instance of every device before it gets rolled out in a Department of Defense network.

"DOD relies on millions of devices to bring network access and functionality to its users," said DARPA program manager Tim Fraser in a statement. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

[ Are the Iranians out to get us? See Frankenstory: Attack Of The Iranian Cyber Warriors. ]

The launch of DARPA's new program comes after the U.S. House of Representatives Permanent Select Committee on Intelligence in October 2012 issued a scathing report on Chinese telecommunications companies Huawei and ZTE, saying that they "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." The committee "strongly encouraged" businesses in the United States to look elsewhere for their technology.

That recommendation was not made based on an inspection of either vendors' firmware code, but rather by reviewing the companies' business practices. Still, the report raised a larger and much-more-difficult question: Did the devices actually contain built-in backdoors?

Unfortunately, answering that type of question can be quite difficult, as it necessitates both a complete review of the code base, as well as the ability to surmise which built-in capabilities may be put to nefarious use. Notably, one independent security expert who closely studied two different models of Huawei routers noted that existing bugs in the firmware, seemingly present due to sloppy coding, would have allowed a would-be attacker to compromise the devices, irrespective of any purpose-designed backdoor functionality being present.

DARPA will host a "proposer's day" December 12 in Arlington, Va., to brief anyone who's interested in participating in its new VET program.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
John Foley
50%
50%
John Foley,
User Rank: Apprentice
12/3/2012 | 10:36:38 PM
re: DARPA Looks For Backdoors, Malware In Tech Products
The challenge of securing the federal IT supply chain is well known. (See InformationWeek Government's "Securing The Cyber Supply Chain" report from 2009.) Take that and multiple by a million mobile devices and apps, and you get a sense of what DOD is up against. The challenge is one of A) control [DOD has less of it in the mobile world], and B) unprecedented scale. DARPA acknowledges that, the perception at least, is that "this problem is simply unapproachable." It will be interesting, and not just for the Pentagon, to see what ideas are brought forward. Many large businesses face the same challenge.
PJS880
50%
50%
PJS880,
User Rank: Ninja
12/17/2012 | 8:18:34 AM
re: DARPA Looks For Backdoors, Malware In Tech Products
If the DOD is they worried about palate backdoor and other malicious item that will allow access to their systems and cause potential damage, the why not create in house software and hardware to know exactly what is and is not present? As far as the sloppy coding on the routers, we all know human error is the biggest reason for many mistakes. So this is an in house test they are performing on their own machines?

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.