

1/23/2013
11:08 PM

Supply Chain Uncertainties Complicate Security

Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage

Supply-chain security has become a growing concern for national governments and large enterprises, but the degree to which compromised technology is a threat remains uncertain, especially since backdoors are hard to detect and, once found, deniable.

In November, the acting chief information officer of Los Alamos National Laboratory reported in a letter to the National Nuclear Security Administration that the lab's technicians had removed two network switches made by a subsidiary of network giant Huawei Technologies, based in Hangzhou, China, according to a Reuters report published earlier this month. The letter came after the House Armed Services Committee requested information on supply-chain risks from the Department of Energy.

In ditching the Chinese hardware, LANL took a standard strategy to attempt to add greater security to the supply chain: Use only trusted suppliers. But the strategy does not guarantee that a compromised product will not make it into an organization's infrastructure.

"If you pull a router off the shelf and you look at all the manufacturers involved in the creation of that product -- it's like buying a computer that is totally from the U.S. -- it's hard to do that," says Andrew Howard, a research scientist at the Georgia Tech Research Institute's cybertechnology lab.

The number of manufacturers involved in creating a hardware product tends to be unmanageably large. It is likewise difficult to track the number of developers who had a hand in creating a particular program, which often includes open-source components.

In addition, products that have been compromised somewhere in the supply chain are hard to detect because the hidden functionality in the devices is well-camouflaged. The most interesting products to modify are information technology that handles data of interest, especially routers and switches. In most cases, an attacker could add specific functions to the device's firmware, hiding them quite effectively and -- if done correctly -- masking them as an undiscovered vulnerability or a debugging feature.

In May, for example, a security researcher found a backdoor in ZTE's Metro PCS Android package, which would have allowed any binary to be installed on the system. Whether the vulnerability was functionality left over from development or an intentional backdoor remains unanswered.

Determining the intent of such functionality is difficult, says Torsten George, vice president of marketing and products at integrated risk management vendor Agiliance. "The distinction between a ... backdoor and a bug is often razor-thin," he says.

In a talk at the Black Hat Security Conference in July, security researcher Jonathan Brossard demonstrated nearly undetectable functions that could hide in the firmware and be nearly impossible to remove.

"No company has the knowledge to detect those kind of attacks," he says. "I have received a few emails since my Black Hat talks from people claiming to be infected at BIOS level. I have yet to see any convincing proof, though, but I do not exclude the possibility that such things are happening and will only be discovered after many years."

Despite those uncertainties, supply-chain security has become a major issue among governments. Last year, Chinese and American think-tanks, which frequently air issues as proxies for those nations' governments, identified the supply-chain security problem as intractable and unlikely to be solved by diplomacy. In October, the House Select Committee on Intelligence published a report that recommended U.S. companies avoid Chinese networking hardware.

[Vulnerable technology supply chains have become a concern of security professionals and politicians alike, but a few steps could help minimize the possibility of attacks. See Preventing Infrastructure From Becoming An Insider Attack.]

"Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE, a Chinese handset maker, or Huawei for equipment or services," the report stated. "U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects."

Given that backdoors can look like inadvertent vulnerabilities and that subtle bugs in firmware are hard to detect, detecting potentially malicious devices takes a great deal of technical resources and money, says GTRI's Howard.

Companies should make sure they conduct audits of their suppliers and hold them to the same standards, he says. More risk-averse organizations should create a trusted version of the firmware and flash all new hardware with it. Finally, the security team should monitor the devices for strange behavior, including occasionally pulling devices from the network and inspecting them, as well as analyzing network traffic for any communications that appear uncharacteristic. Both tasks are time-consuming, expensive, and not guaranteed to catch malicious behavior.
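The traffic-analysis step described above, as an added example that is not from the article or GTRI: a baseline of which internal services each switch's management plane talks to is built from a learning window and then used to flag flows to new peers, to external addresses, or with outsized volume. The device names, addresses, flow records and the 10.0.0.0/8 management range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
# Assumed: the management plane lives in 10.0.0.0/8; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed sample flows (device, dst_ip, dst_port, bytes_out), not real data.
# The first list is the learning window used to build each device's baseline.
BASELINE_FLOWS = [
    ("switch-core-1", "10.0.5.10", 514, 1200),   # syslog collector
    ("switch-core-1", "10.0.5.12", 123, 90),     # NTP
    ("switch-core-2", "10.0.5.10", 514, 1100),
    ("switch-core-2", "10.0.5.12", 123, 90),
]
OBSERVED_FLOWS = [
    ("switch-core-1", "10.0.5.10", 514, 1300),
    ("switch-core-1", "10.0.5.12", 123, 90),
    ("switch-core-1", "203.0.113.45", 443, 48000),  # unknown external peer, big upload
    ("switch-core-2", "10.0.5.10", 514, 1000),
    ("switch-core-2", "10.0.5.11", 8443, 200),      # known host, never-seen port
]

def is_internal(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS)

def build_baseline(flows):
    """Per device: known (dst_ip, dst_port) peers and the largest single flow seen."""
    peers, max_bytes = defaultdict(set), defaultdict(int)
    for device, dst, port, nbytes in flows:
        peers[device].add((dst, port))
        max_bytes[device] = max(max_bytes[device], nbytes)
    return peers, max_bytes

def find_anomalies(baseline, flows, volume_factor=10):
    """Return (device, dst, port, reasons) for flows that deviate from the baseline:
    a new or external peer, or an outsized upload, is a reason to inspect the device."""
    peers, max_bytes = baseline
    findings = []
    for device, dst, port, nbytes in flows:
        reasons = []
        if not is_internal(dst):
            reasons.append("external destination")
        if (dst, port) not in peers[device]:
            reasons.append("peer not in baseline")
        ceiling = max(max_bytes[device], 1)  # unseen device: any volume is over
        if nbytes > volume_factor * ceiling:
            reasons.append("volume %dx above baseline max" % (nbytes // ceiling))
        if reasons:
            findings.append((device, dst, port, "; ".join(reasons)))
    return findings
```

Run against real flow exports, the baseline window should be long enough to cover periodic jobs (backups, config pushes) or those will show up as false positives.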

For that reason, the concerns have to be tempered by an assessment of the reasonable threats that an organization faces, GTRI's Howard says.

"I view this as another risk that has to be mitigated," he says. "I think this should be on a top-10 list, but risks one through nine might be more cost-effective."


Comments
lancop,
User Rank: Moderator
1/27/2013 | 7:02:09 PM
re: Supply Chain Uncertainties Complicate Security
I'm surprised that there aren't more reader comments posted here. Considering how much industrial espionage & other hacking comes out of China, and how much the Chinese government monitors internet traffic within China, it is highly improbable that the sources of that industrial espionage are not known to Chinese authorities. So, we must deduce that they operate with at least the tacit permission of the government, if not with active assistance & encouragement. Given the escalation of attack sophistication, which implies very professional & well-funded teams of specialists at work every day, it is logical for the highest security enterprises to look at their network infrastructure devices with a heightened sense of skepticism since they are the likely next frontier of targeted exploits. This is the essential flaw in "The Information Age" - private knowledge is power only if it remains a secret, and secrets are impossible to maintain for long in an internet-connected world. Therefore, real power comes from ownership of the means of production - The Supply Chain itself, since it makes money by making & selling "actual things" regardless of who claims ownership of the intellectual property behind those things. By the time IP ownership claims percolate thru the global trade & legal systems, manufacturers may already be leveraging newly stolen IP into new products using new company names. In this game of cat & mouse, it is "advantage cat" every time...
SgS125,
User Rank: Ninja
1/24/2013 | 7:24:46 PM
re: Supply Chain Uncertainties Complicate Security
No kidding, we really don't think we can just look at the traffic and determine if it is normal?