CIA’s WikiLeaks Exposure Offers Good News for Supply Chains

Now that OEMs have had time to digest the news about WikiLeaks’ disclosure of the CIA’s alleged massive malware project, their worst fears have been confirmed: OEMs have been shipping Internet of Things (IoT) products with gaping security holes for a long time.

Many, if not most, OEMs’ supply chains remain exposed, even after WikiLeaks’ Vault 7 clearly detailed how they are at risk and what they need to do to protect themselves. More recently, Vault 7 revealed ways the CIA has used to hide its embedded malware called Marble, which, in turn, could be used by bad guys to mask their exploitive attacks.

What can OEMs do to protect their supply chains against the threat? Actually, a lot.

Why? In this case, WikiLeaks has handed OEMs a tutorial on how their Internet of Things (IoT) electronics devices are vulnerable. On a very basic level, they can use this information to their advantage by making their devices more secure.

However, as far as many of these vulnerabilities go, security experts, of course, have known about these kinds of threats for a long time. Any network security professional or black hat hacker who steals data for personal gain could hardly be stunned by the development.

A black hat or state-sponsored privateer hacker feigning surprise to learn that the state-sponsored malware in WikiLeaks’ Vault 7 existed would be like the disbelief of the corrupt French police commissioner in the classic film “Casablanca.” In that famous scene, the police commissioner, played by Claude Rains, tells Rick, played by the iconic actor Humphrey Bogart, that he is “shocked” to see gambling taking place at Rick’s Café, just before receiving his winnings for the night.

Many security experts and consultants have sounded the alarm about how inherently insecure IoT and other electronics devices are. For them, the WikiLeaks disclosure about the alleged CIA-created malware serves as a day of reckoning in many ways. While it has not been fully established that the CIA has been using its Zero Day exploits to steal intellectual property (the CIA will not comment), other foreign governments, and especially privateer hackers, have been developing and using similar tools to steal intellectual property and compromise networks for a long time, security analysts say. In many ways, the WikiLeaks CIA story is just additional proof to back what security experts have been saying for a long time.

Now, with such blatant evidence of what they risk before them, OEMs have some very good reasons for why they should invest more resources to protect their supply chains and intellectual property from data theft.  

“OEMs have been shipping flawed and vulnerable devices for years, and thereby burdening consumers with unrequested security risk, because manufacturers lack accountability and incentives to incorporate security-by-design,” James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), told EBN.  

Big reach

The scope of the hacker’s treasure trove of WikiLeaks’ Vault 7 remains formidable. If WikiLeaks’ publication of the data is indeed authentic, over 5,000 CIA user accounts had access to the hacking tools. It includes thousands of ways to expose data by using over one thousand viruses, spyware, trojans, and other malware outlined in almost 9,000 documents and files.

“The CIA had created, in effect, its own NSA,” WikiLeaks said in a statement.

Many of the vulnerable devices described in Vault 7 have been fixed, such as those described for the millions of Apple devices sold. However, many OEM devices remain at risk to the extent that anyone can follow the instructions described in Vault 7 to steal data or cause other harm.

“The most significant and arguably underreported aspect of the Vault 7 data dump was the public disclosure of a number of inherently vulnerable IoT devices ranging from TVs to automated cars, many of which remain unmitigated by the OEM after disclosure. Individuals and industries that use these devices were vulnerable before Vault 7 and are left even more vulnerable afterward,” Scott said. “Adversaries can exploit inherent vulnerabilities in IoT devices.”

These vulnerabilities included gaining access to the overall network, laterally compromising other devices, extracting sensitive data such as intellectual property, inciting a cyber-kinetic effect, disrupting daily operations, altering stored data, and other risks, Scott said.

The fix

OEMs can best protect their supply chains and their consumers from security risks by incorporating security-by-design throughout the lifecycle of the device according to NIST 800-160, Scott said. “OEMs currently do not include security because they believe that rushing to market garners a competitive edge and because many still naively believe that security should only be an afterthought investment pulled together with the last dregs of the budget, at the last minute of production, if it is included at all,” Scott said. “OEMs need to change their perspectives to a risk assessment approach that equates device security risk and harms against security investments in objective economic terms.”

The decision to invest in security-by-design throughout the lifecycle of devices should now be obvious. Supply chains, of course, stand to benefit as well as consumers who will receive better devices with improved security, Scott said. “In exchange, OEMs will improve their reputations, decrease legal costs, increase product reliability and sustainable lifetimes, etc.” 

1 comment on “CIA’s WikiLeaks Exposure Offers Good News for Supply Chains”

  1. michaelmaloney
    August 23, 2018

    And you know what the sad thing about all of this is? It's why we can't have nice things! We're all getting excited about the IoT systems and being able to get this kind of efficiency and capability installed in our own homes and offices, then we have to remember that it's going to be just as costly to set up a security framework around our own IoT in order for any of the communication lines to be effective. If only we could just trust the world to not want to steal our information….
