
Supply Chain Uncertainties Complicate Security

Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage

Supply-chain security has become a growing concern for national governments and large enterprises, but the degree to which compromised technology is a threat remains uncertain, especially since backdoors are hard to detect and, once found, deniable.

In November, the acting chief information officer of Los Alamos National Laboratory reported in a letter to the National Nuclear Security Administration that the lab's technicians had removed two network switches made by a subsidiary of network giant Huawei Technologies, based in Hangzhou, China, according to a Reuters report published earlier this month. The letter came after the House Armed Service Committee requested information on supply-chain risks from the Department of Energy.

In ditching the Chinese hardware, LANL took a standard strategy to attempt to add greater security to the supply chain: Use only trusted suppliers. But the strategy does not guarantee that a compromised product will not make it into an organization's infrastructure.

"If you pull a router off the shelf and you look at all the manufacturers involved in the creation of that product -- it's like buying a computer that is totally from the U.S. -- it's hard to do that," says Andrew Howard, a research scientist at the Georgia Tech Research Institute's cybertechnology lab.

The number of manufacturers involved in creating a hardware product tends to be unmanageably large. It is likewise difficult to track the number of developers who had a hand in creating a particular program, which often includes open-source components.

In addition, products that have been compromised somewhere in the supply chain are hard to detect because the hidden functionality in the devices is well-camouflaged. The most interesting products to modify are information technology that handles data of interest, especially routers and switches. In most cases, an attacker could add specific functions to the device's firmware, hiding them quite effectively and -- if done correctly -- masking them as an undiscovered vulnerability or debugging feature.

In May, for example, a security researcher found a backdoor in ZTE's Metro PCS Android package, which would have allowed any binary to be installed on the system. Whether the vulnerability was functionality left over from development or an intentional backdoor remains unanswered.

Determining the intent of such functionality is difficult, says Torsten George, vice president of marketing and products at integrated risk management vendor Agiliance. "The distinction between a ... backdoor and a bug is often razor-thin," he says.

In a talk at the Black Hat Security Conference in July, security researcher Jonathan Brossard demonstrated nearly undetectable functions that could hide in the firmware and be nearly impossible to remove.

"No company has the knowledge to detect those kinds of attacks," he says. "I have received a few emails since my Black Hat talks from people claiming to be infected at BIOS level. I have yet to see any convincing proof, though, but I do not exclude the possibility that such things are happening and will only be discovered after many years."

Despite those uncertainties, supply-chain security has become a major issue among governments. Last year, Chinese and American think-tanks, which frequently air issues as proxies for those nations' governments, identified the supply-chain security problem as intractable and unlikely to be solved by diplomacy. In October, the House Select Committee on Intelligence published a report that recommended U.S. companies avoid Chinese networking hardware.

[Vulnerable technology supply chains have become a concern of security professionals and politicians alike, but a few steps could help minimize the possibility of attacks. See Preventing Infrastructure From Becoming An Insider Attack.]

"Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE, a Chinese handset maker, or Huawei for equipment or services," the report stated. "U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects."

Given that backdoors can look like inadvertent vulnerabilities and that subtle bugs in firmware are hard to detect, detecting potentially malicious devices takes a great deal of technical resources and money, says GTRI's Howard.

Companies should make sure they conduct audits of their suppliers and hold them to the same standards, he says. More risk-averse organizations should create a trusted version of the firmware and flash all new hardware with it. Finally, the security team should monitor the devices for strange behavior, including occasionally pulling devices from the network and inspecting them, as well as analyzing network traffic for any communications that appear uncharacteristic. Both tasks are time-consuming, expensive, and not certain to catch malicious behavior.
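The two monitoring tasks Howard describes (verifying that a device still runs the trusted firmware build, and flagging management-plane traffic that departs from the device's normal peers) can be reduced to routine checks. The script below is an added example, not code from the article or from any vendor: the firmware image, the manifest, the expected-peer baseline and the flow records are all constructed sample data, and the flow-log format and field names are assumptions for illustration.

```python
"""Baseline checks for network infrastructure devices (added example, not from the article)."""
import hashlib
import ipaddress

# ---- Check 1: does the firmware read back from a device match the trusted build we flashed? ----

# Constructed sample images: a "trusted" build and a copy with one byte altered.
TRUSTED_FIRMWARE = b"TRUSTED-FIRMWARE-IMAGE-v1.0\x00" * 64
TAMPERED_FIRMWARE = TRUSTED_FIRMWARE[:100] + b"\x90" + TRUSTED_FIRMWARE[101:]


def firmware_digest(image: bytes) -> str:
    """SHA-256 of a firmware image, recorded in the manifest when the trusted build is made."""
    return hashlib.sha256(image).hexdigest()


# Hypothetical manifest: device model -> digest of the trusted image for that model.
TRUSTED_MANIFEST = {"switch-model-X": firmware_digest(TRUSTED_FIRMWARE)}


def firmware_matches(image: bytes, manifest: dict, model: str) -> bool:
    """True only if the model is in the manifest and the image digest equals the recorded one."""
    expected = manifest.get(model)
    return expected is not None and firmware_digest(image) == expected


# ---- Check 2: is the device talking to anyone outside its baseline of expected peers? ----

# Constructed flow records (assumed format): timestamp device direction peer_ip port.
# A switch's management plane should only reach known infrastructure (syslog, NTP, SNMP manager).
FLOW_LOG = """\
2013-01-20T02:00:01Z switch-01 out 10.0.0.5 514
2013-01-20T02:00:05Z switch-01 out 10.0.0.6 123
2013-01-20T02:15:00Z switch-01 in 10.0.0.7 161
2013-01-20T02:30:11Z switch-01 out 203.0.113.45 443
2013-01-20T03:00:02Z switch-01 out 10.0.0.5 514
2013-01-20T03:10:41Z switch-01 out 198.51.100.9 53
"""

# Baseline built from the device's documented role: (peer, port) pairs it is expected to use.
EXPECTED_PEERS = {
    "switch-01": {("10.0.0.5", 514), ("10.0.0.6", 123), ("10.0.0.7", 161)},
}
# Address space where management traffic is supposed to stay.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated flow lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, device, direction, peer, port = line.split()
        records.append({"ts": ts, "device": device, "dir": direction,
                        "peer": peer, "port": int(port)})
    return records


def unexpected_flows(records: list, expected: dict, mgmt_nets: list) -> list:
    """Return flows whose (peer, port) is not in the device's baseline.

    A peer outside the management networks is rated 'high'; an unexpected peer that is
    still inside them is rated 'medium', since it may just be an undocumented service.
    """
    findings = []
    for r in records:
        if (r["peer"], r["port"]) in expected.get(r["device"], set()):
            continue
        addr = ipaddress.ip_address(r["peer"])
        off_net = not any(addr in net for net in mgmt_nets)
        findings.append({**r, "severity": "high" if off_net else "medium"})
    return findings


if __name__ == "__main__":
    print("trusted image ok:", firmware_matches(TRUSTED_FIRMWARE, TRUSTED_MANIFEST, "switch-model-X"))
    print("tampered image ok:", firmware_matches(TAMPERED_FIRMWARE, TRUSTED_MANIFEST, "switch-model-X"))
    for f in unexpected_flows(parse_flows(FLOW_LOG), EXPECTED_PEERS, MANAGEMENT_NETS):
        print(f"{f['severity']:6} {f['ts']} {f['device']} {f['dir']} {f['peer']}:{f['port']}")
```

The firmware check only tells you the image differs from what you flashed, not why; as the article notes, distinguishing a backdoor from a bug or a vendor's debugging leftover needs analysis of the difference itself. The traffic baseline is deliberately built from the device's documented role rather than from observed traffic, so that a device compromised before it was first plugged in does not get its own beaconing written into the baseline.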

For that reason, the concerns have to be tempered by an assessment of the reasonable threats that an organization faces, GTRI's Howard says.

"I view this as another risk that has to be mitigated," he says. "I think this should be on a top-10 list, but risks one through nine might be more cost-effective."

Comment (User Rank: Moderator, 1/27/2013 7:02:09 PM), re: Supply Chain Uncertainties Complicate Security:

I'm surprised that there aren't more reader comments posted here. Considering how much industrial espionage & other hacking comes out of China, and how much the Chinese government monitors internet traffic within China, it is highly improbable that the sources of that industrial espionage are not known to Chinese authorities. So, we must deduce that they operate with at least the tacit permission of the government, if not with active assistance & encouragement. Given the escalation of attack sophistication, which implies very professional & well-funded teams of specialists at work every day, it is logical for the highest security enterprises to look at their network infrastructure devices with a heightened sense of skepticism since they are the likely next frontier of targeted exploits. This is the essential flaw in "The Information Age" - private knowledge is power only if it remains a secret, and secrets are impossible to maintain for long in an internet-connected world. Therefore, real power comes from ownership of the means of production - The Supply Chain itself, since it makes money by making & selling "actual things" regardless of who claims ownership of the intellectual property behind those things. By the time IP ownership claims percolate through the global trade & legal systems, manufacturers may already be leveraging newly stolen IP into new products using new company names. In this game of cat & mouse, it is "advantage cat" every time...
Comment (User Rank: Ninja, 1/24/2013 7:24:46 PM), re: Supply Chain Uncertainties Complicate Security:

No kidding, we really don't think we can just look at the traffic and determine if it is normal?