Vulnerabilities / Threats
11:48 AM

DARPA Looks For Backdoors, Malware In Tech Products

In the wake of concerns about Huawei and ZTE equipment security, defense research agency seeks help identifying backdoors and malicious capabilities in software and firmware.

Does commercial, off-the-shelf software or hardware contain built-in backdoors to give foreign attackers direct access to corporate or government networks, or pose some other type of information security risk? The Department of Defense wants to find out.

The Defense Advanced Research Projects Agency (DARPA) Thursday published details of its new Vetting Commodity IT Software and Firmware (VET) program, which the agency said is designed to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices -- those commercial information technology devices bought by DOD -- to ensure they are free of hidden backdoors and malicious functionality."

DARPA's new program seeks to overcome three current, related technical challenges associated with that task: identifying which capabilities in a device could be malicious; using that list as a checklist to assess if any given device actually is malicious; and then using that knowledge to allow a non-technical expert to test every instance of every device before it gets rolled out in a Department of Defense network.

"DOD relies on millions of devices to bring network access and functionality to its users," said DARPA program manager Tim Fraser in a statement. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

[ Are the Iranians out to get us? See Frankenstory: Attack Of The Iranian Cyber Warriors. ]

The launch of DARPA's new program comes after the U.S. House of Representatives Permanent Select Committee on Intelligence in October 2012 issued a scathing report on Chinese telecommunications companies Huawei and ZTE, saying that they "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." The committee "strongly encouraged" businesses in the United States to look elsewhere for their technology.

That recommendation was not made based on an inspection of either vendors' firmware code, but rather by reviewing the companies' business practices. Still, the report raised a larger and much-more-difficult question: Did the devices actually contain built-in backdoors?

Unfortunately, answering that type of question can be quite difficult, as it necessitates both a complete review of the code base, as well as the ability to surmise which built-in capabilities may be put to nefarious use. Notably, one independent security expert who closely studied two different models of Huawei routers noted that existing bugs in the firmware, seemingly present due to sloppy coding, would have allowed a would-be attacker to compromise the devices, irrespective of any purpose-designed backdoor functionality being present.

DARPA will host a "proposer's day" December 12 in Arlington, Va., to brief anyone who's interested in participating in its new VET program.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
John Foley
John Foley,
User Rank: Apprentice
12/3/2012 | 10:36:38 PM
re: DARPA Looks For Backdoors, Malware In Tech Products
The challenge of securing the federal IT supply chain is well known. (See InformationWeek Government's "Securing The Cyber Supply Chain" report from 2009.) Take that and multiple by a million mobile devices and apps, and you get a sense of what DOD is up against. The challenge is one of A) control [DOD has less of it in the mobile world], and B) unprecedented scale. DARPA acknowledges that, the perception at least, is that "this problem is simply unapproachable." It will be interesting, and not just for the Pentagon, to see what ideas are brought forward. Many large businesses face the same challenge.
User Rank: Ninja
12/17/2012 | 8:18:34 AM
re: DARPA Looks For Backdoors, Malware In Tech Products
If the DOD is they worried about palate backdoor and other malicious item that will allow access to their systems and cause potential damage, the why not create in house software and hardware to know exactly what is and is not present? As far as the sloppy coding on the routers, we all know human error is the biggest reason for many mistakes. So this is an in house test they are performing on their own machines?

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Published: 2015-10-09
The API in the WebKit Plug-ins component in Apple Safari before 9 does not provide notification of an HTTP Redirection (aka 3xx) status code to a plugin, which allows remote attackers to bypass intended request restrictions via a crafted web site.

Published: 2015-10-09
The Intel Graphics Driver component in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5877.

Published: 2015-10-09
The Login Window component in Apple OS X before 10.11 does not ensure that the screen is locked at the intended time, which allows physically proximate attackers to obtain access by visiting an unattended workstation.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.