Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/24/2018
02:30 PM
Ang Cui
Ang Cui
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Tackling Supply Chain Threats

Vendor-supplied malware is a threat that has been largely overlooked. That has to change.

The technology products that drive today's businesses are increasingly produced through a highly diversified and complex international supply chain. Whether it is standard networking gear or a more specialized device like a human-machine interface or remote terminal unit, equipment is often developed through an elaborate web of OEMs, chip makers, parts suppliers, software/hardware designers, and outsourced production facilities. This makes it difficult to audit device security and introduces many opportunities for bad actors to make malicious changes to the hardware or software of the equipment.

Supply chain risks have come into greater focus recently, particularly after the Defense Authorization Act included a ban on the use of certain foreign-made telecommunications equipment by US government agencies and contractors. Other recent incidents, like the discovery of the Spectre and Meltdown computer chip flaws and a hidden Management Engine in Intel chipset platforms, continue to highlight the risks companies may face from vulnerabilities in key technology products.

Firmware Threats
The most significant of these supply chain threats is found in firmware-based malware. Firmware-level threats are exceptionally difficult to combat because security firms and corporate end users often lack visibility into this code and therefore do not know exactly what is running on these devices.

Almost all embedded devices use a proprietary operating system that excludes user access and input. Unlike Windows and macOS, in which the user is able to directly manage and see all of the running processes, the manufacturers of embedded devices retain total control over those devices and systems. In most cases, end users are not able to manage and/or repair those devices themselves. Even security patches often cannot be installed without calling the manufacturer for service.

To further complicate matters, the OS/firmware of each embedded device is often unique. These devices lack the uniformity and standardization that is found in other types of products, such as desktops, servers, and other networking gear.

These threats are most likely to be contained within signed code inside the firmware as they originate from the seemingly legitimate supply chain. Implants, backdoors, remote networking channels, hard-coded passwords, debug mode, etc., could be lurking in what appears to be legitimate code. Firmware over-the-air updates are another risk, as they could be used maliciously by the vendor or simply be poorly implemented and thus vulnerable to compromise.

Persistent Implant Finder
The US Department of Homeland Security's Science & Technology Directorate (DHS S&T) is working with private industry on new efforts to analyze devices at the firmware level and detect hidden threats which could be exploited by a malicious actor.

One of the DHS S&T-funded technologies is a privately developed tool called Persistent Implant Finder (PIF). PIF automatically unpacks and analyzes device firmware to discover malicious implants and vulnerabilities. PIF has a modular design integrated for use with multiple firmware analyzers, including both device family-specific analyzers and generic analyzers. These firmware analyzers search for a variety of hidden implants, including password backdoors, active malware rootkits, and network service backdoors. PIF was developed for compatibility with the industry's network vulnerability-scanning products and services.

Using the PIF malware test bed, we have already uncovered multiple suspect devices, including a point-of-sale (PoS) system and a smart watch in which suspicious software was pre-installed at the vendor level and is capable of installing firmware updates and communicating user data to unknown parties.

In the case of the PoS device, its pre-installed app actively reaches out to the Adups.com domain, which previously has been caught exfiltrating sensitive data, including text messages from Android phones. PIF detected capabilities in this PoS device that are similar to what was cited by Kryptowire in a 2016 report, when analyzing Shanghai Adups Technology Co. Ltd.'s firmware on low-cost Android phones. The pre-installed PoS app that PIF analyzed has full root privilege and is capable of gathering extensive user data from this device, and it is actively communicating back to a foreign-based server through an encrypted channel.

Mitigating Supply Chain Threats
The threat of vendor-supplied malware is difficult for organizations to confront unless they are able to unpack and analyze the device's firmware, either with an automated tool like PIF or penetration testing. Companies should strongly consider conducting this type of in-depth security analysis of the technologies they rely upon.

Most importantly, companies should limit their technology purchases to reputable manufacturers only. That means avoiding acquisitions through resellers and other third-party agencies or websites, where it is more difficult to tell the true origin, authenticity, and security of a device. Companies that require a higher level of security may want to consider going one step further by limiting their purchases to General Services Administration–approved vendors.

Additionally, it is always important to implement a defense-in-depth approach. This includes network segmentation, employee access control, strong password policies, reducing or eliminating remote access, utilizing strong encryption, and separating sensitive networks with proper air-gapping. Auditing third-party contractors is also critical.

Conclusion
Vendor-supplied malware is a threat that has been largely overlooked. Between the increase in supply chain diversification and state-sponsored cyber espionage, it is critical for companies to understand how they might be exposed to this risk.

Defending against firmware-level threats isn't easy unless the company is able to analyze the firmware itself. However, companies should also use a layered security program to reduce their overall risk.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23351
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...