IoT
10/24/2018
02:30 PM
Ang Cui
Commentary
Tackling Supply Chain Threats

Vendor-supplied malware is a threat that has been largely overlooked. That has to change.

The technology products that drive today's businesses are increasingly produced through a highly diversified and complex international supply chain. Whether it is standard networking gear or a more specialized device like a human-machine interface or remote terminal unit, equipment is often developed through an elaborate web of OEMs, chip makers, parts suppliers, software/hardware designers, and outsourced production facilities. This makes it difficult to audit device security and introduces many opportunities for bad actors to make malicious changes to the hardware or software of the equipment.

Supply chain risks have come into greater focus recently, particularly after the Defense Authorization Act included a ban on the use of certain foreign-made telecommunications equipment by US government agencies and contractors. Other recent incidents, like the discovery of the Spectre and Meltdown computer chip flaws and a hidden Management Engine in Intel chipset platforms, continue to highlight the risks companies may face from vulnerabilities in key technology products.

Firmware Threats
The most significant of these supply chain threats is found in firmware-based malware. Firmware-level threats are exceptionally difficult to combat because security firms and corporate end users often lack visibility into this code and therefore do not know exactly what is running on these devices.

Almost all embedded devices use a proprietary operating system that excludes user access and input. Unlike Windows and macOS, in which the user is able to directly manage and see all of the running processes, the manufacturers of embedded devices retain total control over those devices and systems. In most cases, end users are not able to manage and/or repair those devices themselves. Even security patches often cannot be installed without calling the manufacturer for service.

To further complicate matters, the OS/firmware of each embedded device is often unique. These devices lack the uniformity and standardization that is found in other types of products, such as desktops, servers, and other networking gear.

These threats are most likely to be contained within signed code inside the firmware as they originate from the seemingly legitimate supply chain. Implants, backdoors, remote networking channels, hard-coded passwords, debug mode, etc., could be lurking in what appears to be legitimate code. Firmware over-the-air updates are another risk, as they could be used maliciously by the vendor or simply be poorly implemented and thus vulnerable to compromise.

Persistent Implant Finder
The US Department of Homeland Security's Science & Technology Directorate (DHS S&T) is working with private industry on new efforts to analyze devices at the firmware level and detect hidden threats that could be exploited by a malicious actor.

One of the DHS S&T-funded technologies is a privately developed tool called Persistent Implant Finder (PIF). PIF automatically unpacks and analyzes device firmware to discover malicious implants and vulnerabilities. PIF has a modular design integrated for use with multiple firmware analyzers, including both device family-specific analyzers and generic analyzers. These firmware analyzers search for a variety of hidden implants, including password backdoors, active malware rootkits, and network service backdoors. PIF was developed for compatibility with the industry's network vulnerability-scanning products and services.

Using the PIF malware test bed, we have already uncovered multiple suspect devices, including a point-of-sale (PoS) system and a smart watch in which suspicious software was pre-installed at the vendor level and is capable of installing firmware updates and communicating user data to unknown parties.

In the case of the PoS device, its pre-installed app actively reaches out to the Adups.com domain, which has previously been caught exfiltrating sensitive data, including text messages from Android phones. PIF detected capabilities in this PoS device that are similar to what Kryptowire cited in a 2016 report analyzing Shanghai Adups Technology Co. Ltd.'s firmware on low-cost Android phones. The pre-installed PoS app that PIF analyzed has full root privilege, is capable of gathering extensive user data from the device, and is actively communicating back to a foreign-based server through an encrypted channel.
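To make the modular-analyzer idea concrete, here is a small added example (not PIF's code and not from the article) that runs three firmware analyzers over an unpacked root filesystem: one for password backdoors in /etc/passwd, one for debug shell listeners in init scripts, and one for undeclared callback hosts embedded in binaries, the class of finding described for the PoS device above. The filesystem contents, the vendor host allowlist and all hostnames are constructed placeholders.

```python
import re

# Constructed stand-in for an unpacked firmware root filesystem (path -> bytes).
# A real pipeline would fill this from an extracted squashfs/jffs2/UBI image.
SAMPLE_FS = {
    "etc/passwd": (b"root:x:0:0:root:/root:/bin/sh\n"
                   b"support:$1$Zr5q$k3Xn0:0:0:vendor svc:/:/bin/sh\n"),
    "etc/init.d/rcS": b"#!/bin/sh\nmount -t proc proc /proc\n/usr/sbin/telnetd -l /bin/sh &\n",
    "usr/bin/updater": (b"\x7fELF" + b"\x00" * 12
                        + b"http://ota.example-vendor.invalid/v1/check\x00"
                        + b"https://stats.unknown-party.invalid/report\x00"),
}
# Assumed: endpoints the vendor documents; any other host found in a binary is reported.
KNOWN_HOSTS = {"ota.example-vendor.invalid"}

def password_backdoor(fs):
    """Extra uid-0 accounts, empty passwords, or hashes kept in /etc/passwd not /etc/shadow."""
    out = []
    for line in fs.get("etc/passwd", b"").decode(errors="replace").splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        if f[2] == "0" and f[0] != "root":
            out.append(f"passwd: undocumented uid-0 account '{f[0]}'")
        if f[1] == "":
            out.append(f"passwd: '{f[0]}' has an empty password field")
        elif f[1] not in ("x", "*", "!"):
            out.append(f"passwd: password hash for '{f[0]}' stored in world-readable passwd")
    return out

def debug_service(fs):
    """Init scripts that start an unauthenticated shell listener (e.g. telnetd -l /bin/sh)."""
    pat = re.compile(rb"(telnetd|dropbear)\b[^\n]*-l\s+/bin/sh")
    return [f"{p}: debug shell listener: {m.group(0).decode()}"
            for p, data in fs.items() if p.startswith("etc/init.d/")
            for m in pat.finditer(data)]

def network_beacon(fs):
    """URLs embedded in ELF binaries whose host is not on the vendor's declared list."""
    pat = re.compile(rb"https?://([A-Za-z0-9.-]+)[/\x00]")
    return sorted({f"{p}: undeclared host {m.group(1).decode()}"
                   for p, data in fs.items() if data.startswith(b"\x7fELF")
                   for m in pat.finditer(data)
                   if m.group(1).decode() not in KNOWN_HOSTS})

ANALYZERS = [password_backdoor, debug_service, network_beacon]  # modular: append more here

def scan(fs):
    """Run every analyzer over the unpacked filesystem and collect all findings."""
    return [finding for analyzer in ANALYZERS for finding in analyzer(fs)]
```

A device-family-specific analyzer plugs in by appending a function to ANALYZERS; each one only needs to accept the path-to-bytes mapping and return a list of strings.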

Mitigating Supply Chain Threats
The threat of vendor-supplied malware is difficult for organizations to confront unless they are able to unpack and analyze the device's firmware, either with an automated tool like PIF or through penetration testing. Companies should strongly consider conducting this type of in-depth security analysis of the technologies they rely upon.

Most importantly, companies should limit their technology purchases to reputable manufacturers only. That means avoiding acquisitions through resellers and other third-party agencies or websites, where it is more difficult to tell the true origin, authenticity, and security of a device. Companies that require a higher level of security may want to consider going one step further by limiting their purchases to General Services Administration–approved vendors.

Additionally, it is always important to implement a defense-in-depth approach. This includes network segmentation, employee access control, strong password policies, reducing or eliminating remote access, utilizing strong encryption, and separating sensitive networks with proper air-gapping. Auditing third-party contractors is also critical.

Conclusion
Vendor-supplied malware is a threat that has been largely overlooked. Between the increase in supply chain diversification and state-sponsored cyber espionage, it is critical for companies to understand how they might be exposed to this risk.

Defending against firmware-level threats isn't easy unless the company is able to analyze the firmware itself. Whether or not that is possible, companies should also use a layered security program to reduce their overall risk.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ...