Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/24/2018
02:30 PM
Ang Cui
Ang Cui
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Tackling Supply Chain Threats

Vendor-supplied malware is a threat that has been largely overlooked. That has to change.

The technology products that drive today's businesses are increasingly produced through a highly diversified and complex international supply chain. Whether it is standard networking gear or a more specialized device like a human-machine interface or remote terminal unit, equipment is often developed through an elaborate web of OEMs, chip makers, parts suppliers, software/hardware designers, and outsourced production facilities. This makes it difficult to audit device security and introduces many opportunities for bad actors to make malicious changes to the hardware or software of the equipment.

Supply chain risks have come into greater focus recently, particularly after the Defense Authorization Act included a ban on the use of certain foreign-made telecommunications equipment by US government agencies and contractors. Other recent incidents, like the discovery of the Spectre and Meltdown computer chip flaws and a hidden Management Engine in Intel chipset platforms, continue to highlight the risks companies may face from vulnerabilities in key technology products.

Firmware Threats
The most significant of these supply chain threats is found in firmware-based malware. Firmware-level threats are exceptionally difficult to combat because security firms and corporate end users often lack visibility into this code and therefore do not know exactly what is running on these devices.

Almost all embedded devices use a proprietary operating system that excludes user access and input. Unlike Windows and macOS, in which the user is able to directly manage and see all of the running processes, the manufacturers of embedded devices retain total control over those devices and systems. In most cases, end users are not able to manage and/or repair those devices themselves. Even security patches often cannot be installed without calling the manufacturer for service.

To further complicate matters, the OS/firmware of each embedded device is often unique. These devices lack the uniformity and standardization that is found in other types of products, such as desktops, servers, and other networking gear.

These threats are most likely to be contained within signed code inside the firmware as they originate from the seemingly legitimate supply chain. Implants, backdoors, remote networking channels, hard-coded passwords, debug mode, etc., could be lurking in what appears to be legitimate code. Firmware over-the-air updates are another risk, as they could be used maliciously by the vendor or simply be poorly implemented and thus vulnerable to compromise.

Persistent Implant Finder
The US Department of Homeland Security's Science & Technology Directorate (DHS S&T) is working with private industry on new efforts to analyze devices at the firmware level and detect hidden threats which could be exploited by a malicious actor.

One of the DHS S&T-funded technologies is a privately developed tool called Persistent Implant Finder (PIF). PIF automatically unpacks and analyzes device firmware to discover malicious implants and vulnerabilities. PIF has a modular design integrated for use with multiple firmware analyzers, including both device family-specific analyzers and generic analyzers. These firmware analyzers search for a variety of hidden implants, including password backdoors, active malware rootkits, and network service backdoors. PIF was developed for compatibility with the industry's network vulnerability-scanning products and services.

Using the PIF malware test bed, we have already uncovered multiple suspect devices, including a point-of-sale (PoS) system and a smart watch in which suspicious software was pre-installed at the vendor level and is capable of installing firmware updates and communicating user data to unknown parties.

In the case of the PoS device, its pre-installed app actively reaches out to the Adups.com domain, which previously has been caught exfiltrating sensitive data, including text messages from Android phones. PIF detected capabilities in this PoS device that are similar to what was cited by Kryptowire in a 2016 report, when analyzing Shanghai Adups Technology Co. Ltd.'s firmware on low-cost Android phones. The pre-installed PoS app that PIF analyzed has full root privilege and is capable of gathering extensive user data from this device, and it is actively communicating back to a foreign-based server through an encrypted channel.

Mitigating Supply Chain Threats
The threat of vendor-supplied malware is difficult for organizations to confront unless they are able to unpack and analyze the device's firmware, either with an automated tool like PIF or penetration testing. Companies should strongly consider conducting this type of in-depth security analysis of the technologies they rely upon.

Most importantly, companies should limit their technology purchases to reputable manufacturers only. That means avoiding acquisitions through resellers and other third-party agencies or websites, where it is more difficult to tell the true origin, authenticity, and security of a device. Companies that require a higher level of security may want to consider going one step further by limiting their purchases to General Services Administration–approved vendors.

Additionally, it is always important to implement a defense-in-depth approach. This includes network segmentation, employee access control, strong password policies, reducing or eliminating remote access, utilizing strong encryption, and separating sensitive networks with proper air-gapping. Auditing third-party contractors is also critical.

Conclusion
Vendor-supplied malware is a threat that has been largely overlooked. Between the increase in supply chain diversification and state-sponsored cyber espionage, it is critical for companies to understand how they might be exposed to this risk.

Defending against firmware-level threats isn't easy unless the company is able to analyze the firmware itself. However, companies should also use a layered security program to reduce their overall risk.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...