Security flaws are “manufactured” into Internet-enabled devices

“Kill switches” and backdoors inserted at the point of manufacture could act as a conduit for organised criminals or foreign states to access internet-enabled devices. Specific vulnerabilities that are usually very hard to detect have been discovered in components used in some US systems, providing the first solid evidence that weak firmware exists in the US-China supply chain.

The theoretical threat, now a reality, is that flaws embedded in a device at the point of manufacture could be used to disable it, to extract data from it, or to use the device as a launch point for an attack across the network to which it is attached. Consequently, it is now a real possibility that malware could be written to exploit the weaknesses hard-coded into components to carry out sophisticated, targeted, commercially or politically motivated attacks.

The warning follows revelations last week by the Homeland Security Department National Protection and Programs Directorate that instances of embedded flaws had occurred in US infrastructure.

In response to a line of questioning on whether imported devices posed a security or intellectual property risk, Greg Schaffer, Homeland Security’s Assistant Secretary of the Office of Cybersecurity and Communications, said, “I am aware that there have been instances where that has happened.” His admission could mean that a wide range of electronic devices, from Internet-enabled TVs to industrial control systems, are carrying embedded kill switches or backdoors.

A wealth of information is available to the manufacturer at the point of assembly, including the MAC address of the network interface card or the IMEI number of a mobile handset or smartphone.

With details of the component, the vulnerability, the unique identifier and the shipping destination, an organisation would have all the information necessary to carry out a successful attack and gain access to the hard drive or flash storage, as well as location-specific information on GPS-enabled devices, completely undetected.

Security flaws embedded at the point of manufacture could take sophisticated attacks to the next level, providing new techniques with which to target prominent individuals or organisations in order to obtain sensitive information or intellectual property. The flaws could also be key to future cyber-weapons that disable specific systems either temporarily or permanently.

More information is needed on precisely what anomalies have been found in the electronic supply chain stateside. This could be a nascent threat or one that is already being exploited on a large scale. One thing’s for certain: components in the UK supply chain will be affected given our reliance on electronic products imported from overseas.


Richard Walters is CTO of Web application security vendor SaaSID, prior to which Richard was CTO and Director of Business Development at Integralis, Europe's largest independent security integrator. Richard has a uniquely thorough understanding of risk management, standards, regulations and legislation such as ISO/IEC 27001/2, PCI DSS, and the DPA, after spending many years consulting with FTSE100 companies.