Electronic supply chains, in many ways, are in the eye of a perfect security storm. The number of potential security breaches is massive compared to many other industries, given that a tightly integrated supply chain involves a complex network of users and partners, many of whom can be on different continents. Information is often shared with third- and even fourth-party partners, each of which has its own supplier network.
It should thus come as no surprise that attacks can be a daily occurrence for electronics suppliers. Avnet, for example, says intruders seek access to its networks 1,000 times a day on average.
And if over-the-Internet attacks were not already enough to worry about, malware-infected devices are becoming an increasing threat. While difficult to quantify, the number of reported incidents and vulnerabilities associated with these kinds of attacks has increased, according to Verizon's “2013 Data Breach Investigation Report.”
Embedded malware attacks are especially insidious since they often take place behind the firewall. They can happen when harmful code is embedded in a device by a dishonest worker onsite or when an OEM procures an infected device that is part of a large batch of other components. When the code is embedded in the firmware, it can remain undetected by network intrusion monitoring software until the product is shipped and the Trojan begins its attack.
Among perhaps tens of thousands of components in a supplier's inventory, it only takes one or just a few devices to unleash network attacks once they are in the customers' hands. Regardless of who is legally liable, the breach can become a security nightmare for the firm associated with the attack.
One such incident that illustrates the toll an embedded attack can take (not to mention the bad PR that goes along with it) came into the public sphere after a few of Dell’s server motherboards were infected. Without quantifying the exact number of devices that were compromised, Dell reported that the maximum exposure level of its PowerEdge R310, PowerEdge R410, PowerEdge R510, and PowerEdge T410 servers was less than 1 percent, but said the affected motherboards could contain malware embedded in the firmware.
Once in the channel or in customers' hands, electronic devices remain vulnerable to firmware attacks. The Linux.Darlloz worm, for example, began to infect different types of Linux devices with Intel x86 CPUs last year. The worm attacks routers, set-top boxes, digital cameras, and other devices by exploiting a PHP vulnerability.
OEMs usually allow for firmware updates to take place remotely over the Internet after their products are shipped, but the problem is that this capability can also create vulnerabilities. Columbia University researchers have demonstrated, for example, how to embed and exploit malicious code using firmware update features that HP ink jet printers offer. The researchers also demonstrated how remotely correcting the vulnerabilities and initiating other security fixes could remedy the problem.
Protecting devices from embedded code attacks should, of course, be one of many important security practices OEMs already have in place. Embedded attacks are also only one of many threats, which include SQL injection, denial of service, social engineering, and other attacks.
But while every OEM should protect its devices against embedded attacks, Joseph Malec, a senior independent security analyst and Fellow at the Information Systems Security Association, believes that some are not taking action as they should. Among hundreds of audits he has conducted at firms ranging from mom-and-pop operations to Fortune 500 companies, Malec says some OEMs do not even change default passwords before shipping their products.
But ultimately, the onus is on the OEM that produces products that are distributed through retail channels, Malec told EBN in an interview. “The responsibility of hardening firmware devices is the responsibility of the purchasing company,” he said.