Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/24/2018
02:30 PM
Ang Cui
Ang Cui
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Tackling Supply Chain Threats

Vendor-supplied malware is a threat that has been largely overlooked. That has to change.

The technology products that drive today's businesses are increasingly produced through a highly diversified and complex international supply chain. Whether it is standard networking gear or a more specialized device like a human-machine interface or remote terminal unit, equipment is often developed through an elaborate web of OEMs, chip makers, parts suppliers, software/hardware designers, and outsourced production facilities. This makes it difficult to audit device security and introduces many opportunities for bad actors to make malicious changes to the hardware or software of the equipment.

Supply chain risks have come into greater focus recently, particularly after the Defense Authorization Act included a ban on the use of certain foreign-made telecommunications equipment by US government agencies and contractors. Other recent incidents, like the discovery of the Spectre and Meltdown computer chip flaws and a hidden Management Engine in Intel chipset platforms, continue to highlight the risks companies may face from vulnerabilities in key technology products.

Firmware Threats
The most significant of these supply chain threats is found in firmware-based malware. Firmware-level threats are exceptionally difficult to combat because security firms and corporate end users often lack visibility into this code and therefore do not know exactly what is running on these devices.

Almost all embedded devices use a proprietary operating system that excludes user access and input. Unlike Windows and macOS, in which the user is able to directly manage and see all of the running processes, the manufacturers of embedded devices retain total control over those devices and systems. In most cases, end users are not able to manage and/or repair those devices themselves. Even security patches often cannot be installed without calling the manufacturer for service.

To further complicate matters, the OS/firmware of each embedded device is often unique. These devices lack the uniformity and standardization that is found in other types of products, such as desktops, servers, and other networking gear.

These threats are most likely to be contained within signed code inside the firmware as they originate from the seemingly legitimate supply chain. Implants, backdoors, remote networking channels, hard-coded passwords, debug mode, etc., could be lurking in what appears to be legitimate code. Firmware over-the-air updates are another risk, as they could be used maliciously by the vendor or simply be poorly implemented and thus vulnerable to compromise.

Persistent Implant Finder
The US Department of Homeland Security's Science & Technology Directorate (DHS S&T) is working with private industry on new efforts to analyze devices at the firmware level and detect hidden threats which could be exploited by a malicious actor.

One of the DHS S&T-funded technologies is a privately developed tool called Persistent Implant Finder (PIF). PIF automatically unpacks and analyzes device firmware to discover malicious implants and vulnerabilities. PIF has a modular design integrated for use with multiple firmware analyzers, including both device family-specific analyzers and generic analyzers. These firmware analyzers search for a variety of hidden implants, including password backdoors, active malware rootkits, and network service backdoors. PIF was developed for compatibility with the industry's network vulnerability-scanning products and services.

Using the PIF malware test bed, we have already uncovered multiple suspect devices, including a point-of-sale (PoS) system and a smart watch in which suspicious software was pre-installed at the vendor level and is capable of installing firmware updates and communicating user data to unknown parties.

In the case of the PoS device, its pre-installed app actively reaches out to the Adups.com domain, which previously has been caught exfiltrating sensitive data, including text messages from Android phones. PIF detected capabilities in this PoS device that are similar to what was cited by Kryptowire in a 2016 report, when analyzing Shanghai Adups Technology Co. Ltd.'s firmware on low-cost Android phones. The pre-installed PoS app that PIF analyzed has full root privilege and is capable of gathering extensive user data from this device, and it is actively communicating back to a foreign-based server through an encrypted channel.

Mitigating Supply Chain Threats
The threat of vendor-supplied malware is difficult for organizations to confront unless they are able to unpack and analyze the device's firmware, either with an automated tool like PIF or penetration testing. Companies should strongly consider conducting this type of in-depth security analysis of the technologies they rely upon.

Most importantly, companies should limit their technology purchases to reputable manufacturers only. That means avoiding acquisitions through resellers and other third-party agencies or websites, where it is more difficult to tell the true origin, authenticity, and security of a device. Companies that require a higher level of security may want to consider going one step further by limiting their purchases to General Services Administration–approved vendors.

Additionally, it is always important to implement a defense-in-depth approach. This includes network segmentation, employee access control, strong password policies, reducing or eliminating remote access, utilizing strong encryption, and separating sensitive networks with proper air-gapping. Auditing third-party contractors is also critical.

Conclusion
Vendor-supplied malware is a threat that has been largely overlooked. Between the increase in supply chain diversification and state-sponsored cyber espionage, it is critical for companies to understand how they might be exposed to this risk.

Defending against firmware-level threats isn't easy unless the company is able to analyze the firmware itself. However, companies should also use a layered security program to reduce their overall risk.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.