In November, the acting chief information officer of Los Alamos National Laboratory (LANL) reported in a letter to the National Nuclear Security Administration that the lab's technicians had removed two network switches made by a Hangzhou, China-based subsidiary of network giant Huawei Technologies, according to a Reuters report published earlier this month. The letter came after the House Armed Services Committee requested information on supply-chain risks from the Department of Energy.
In ditching the Chinese hardware, LANL took the standard approach to securing the supply chain: buy only from trusted suppliers. But that strategy does not guarantee that a compromised product will stay out of an organization's infrastructure.
"If you pull a router off the shelf and you look at all the manufacturers involved in the creation of that product -- it's like buying a computer that is totally from the U.S. -- it's hard to do that," says Andrew Howard, a research scientist at the Georgia Tech Research Institute's cybertechnology lab.
The number of manufacturers involved in creating a hardware product tends to be unmanageably large. It is likewise difficult to track which developers had a hand in a particular program, which often includes open-source components.
In addition, products that have been compromised somewhere in the supply chain are hard to detect because the hidden functionality is well-camouflaged. The most interesting products to modify are those that handle data of interest, especially routers and switches. In most cases, an attacker would add specific functions to the device's firmware, hiding them effectively and, if done correctly, leaving them indistinguishable from an undiscovered vulnerability or a debugging feature.
In May, for example, a security researcher found a backdoor in ZTE's Metro PCS Android package that would have allowed any binary to be installed on the system. Whether the functionality was left over from development or was an intentional backdoor remains unanswered.
Determining the intent of such functionality is difficult, says Torsten George, vice president of marketing and products at integrated risk management vendor Agiliance. "The distinction between a ... backdoor and a bug is often razor-thin," he says.
In a talk at the Black Hat Security Conference in July, security researcher Jonathan Brossard demonstrated firmware-resident functionality that is nearly undetectable and nearly impossible to remove.
"No company has the knowledge to detect those kinds of attacks," he says. "I have received a few emails since my Black Hat talks from people claiming to be infected at BIOS level. I have yet to see any convincing proof, though, but I do not exclude the possibility that such things are happening and will only be discovered after many years."
Despite those uncertainties, supply-chain security has become a major issue among governments. Last year, Chinese and American think-tanks, which frequently air issues as proxies for those nations' governments, identified the supply-chain security problem as intractable and unlikely to be solved by diplomacy. In October, the House Select Committee on Intelligence published a report that recommended U.S. companies avoid Chinese networking hardware.
[Vulnerable technology supply chains have become a concern of security professionals and politicians alike, but a few steps could help minimize the possibility of attacks. See Preventing Infrastructure From Becoming An Insider Attack.]
"Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE, a Chinese handset maker, or Huawei for equipment or services," the report stated. "U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects."
Given that backdoors can look like inadvertent vulnerabilities and that subtle bugs in firmware are hard to find, identifying potentially malicious devices takes a great deal of technical resources and money, says GTRI's Howard.
Companies should audit their suppliers and hold them to the same standards they apply to themselves, he says. More risk-averse organizations should build a trusted version of the firmware and flash all new hardware with it before deployment. Finally, the security team should monitor the devices for strange behavior, which means occasionally pulling devices from the network and inspecting them, and analyzing network traffic for any communications that appear uncharacteristic of the device. Both monitoring tasks are time-consuming, expensive, and not certain to catch malicious behavior.
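The second and third recommendations can be partly scripted. The example below is added here as an illustration and is not code from GTRI, the article's sources, or any vendor: it pins the SHA-256 of the firmware image the team has decided to trust and refuses anything else, then compares device-initiated connections against a per-device baseline of the management peers a switch or router should ever talk to on its own (syslog, SNMP trap collector, NTP, jump host). Device names, addresses, ports, the flow-record format, and the firmware bytes are all constructed assumptions.

```python
import hashlib
import hmac
import re

# --- 1. Trusted-firmware check ------------------------------------------
# Constructed stand-in for an image the team built or validated themselves.
# A real manifest would hold the SHA-256 of the actual image that was vetted.
TRUSTED_IMAGE = b"EXAMPLE-SWITCH-OS v1.2.3 " + bytes(range(256)) * 4
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_IMAGE).hexdigest()


def firmware_matches_trusted(image: bytes, expected_sha256: str) -> bool:
    """True only if the image hashes to the pinned value; a failing image
    must never be flashed. compare_digest keeps the comparison constant-time."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


# --- 2. Baseline check on device-originated traffic ---------------------
# Infrastructure devices should only *initiate* connections to a short list of
# management peers. Anything else is a reason to pull the device and inspect it.
# Names, addresses and ports below are hypothetical.
DEVICES = {"10.0.0.2": "core-sw-1", "10.0.0.3": "edge-rtr-1"}
ALLOWED_PEERS = {
    # device -> {peer address -> set of destination ports it may use}
    "core-sw-1": {"10.0.0.10": {514, 162, 123}, "10.0.0.11": {22}},
    "edge-rtr-1": {"10.0.0.10": {514, 162, 123}},
}

# Assumed flow-export format (constructed for this example).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def parse_flow(line: str) -> dict:
    """Parse one flow record; raise on anything that does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_uncharacteristic(lines, devices=DEVICES, allowed=ALLOWED_PEERS):
    """Return (device, dst, dport, reason) for every flow a managed device
    initiated toward a peer or port outside its baseline."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        name = devices.get(f["src"])
        if name is None:
            continue  # not initiated by a managed device; out of scope here
        ports = allowed.get(name, {}).get(f["dst"])
        if ports is None:
            findings.append((name, f["dst"], f["dport"], "unknown peer"))
        elif f["dport"] not in ports:
            findings.append((name, f["dst"], f["dport"], "unexpected port"))
    return findings


# Constructed sample export, not real traffic.
SAMPLE_FLOWS = [
    "2013-01-10T03:14:07Z src=10.0.0.2 dst=10.0.0.10 dport=514 proto=udp bytes=220",
    "2013-01-10T03:14:09Z src=10.0.0.2 dst=10.0.0.10 dport=123 proto=udp bytes=76",
    "2013-01-10T03:14:30Z src=10.0.0.50 dst=10.0.0.2 dport=22 proto=tcp bytes=5120",  # admin SSH in: fine
    "2013-01-10T03:15:02Z src=10.0.0.2 dst=203.0.113.7 dport=443 proto=tcp bytes=1840",  # switch phoning out
    "2013-01-10T03:15:40Z src=10.0.0.3 dst=10.0.0.10 dport=8443 proto=tcp bytes=960",  # known peer, wrong port
]

if __name__ == "__main__":
    tampered = TRUSTED_IMAGE[:-1] + b"\x00"
    print("trusted image accepted:", firmware_matches_trusted(TRUSTED_IMAGE, TRUSTED_SHA256))
    print("tampered image accepted:", firmware_matches_trusted(tampered, TRUSTED_SHA256))
    for hit in find_uncharacteristic(SAMPLE_FLOWS):
        print("ALERT", hit)
```

The traffic check deliberately ignores inbound connections to the device: administrators and monitoring systems connect to switches all day, and a backdoor that only listens shows up better in the occasional hands-on inspection Howard describes. What a switch has no business doing on its own is opening a connection to an address outside its management set, which is the single pattern this baseline flags.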
For that reason, the concerns have to be tempered by an assessment of the reasonable threats that an organization faces, GTRI's Howard says.
"I view this as another risk that has to be mitigated," he says. "I think this should be on a top-10 list, but risks one through nine might be more cost-effective."