OEMs Face a Virus Dilemma

Electronic supply chains, in many ways, are in the eye of a perfect security storm. The number of potential security breaches is massive compared to many other industries when considering how a tightly integrated supply chain involves a complex network of users and partners, many of whom can be on different continents. Information is often shared with third- and even fourth-party partners, each of which has its own supplier network.

It should thus come as no surprise that attacks can be a daily occurrence for electronics suppliers. Avnet, for example, says intruders seek access to its networks 1,000 times a day on average.

And if over-the-Internet attacks were not already enough to worry about, malware-infected devices are becoming an increasing threat. While difficult to quantify, the number of reported incidents and vulnerabilities associated with these kinds of attacks has increased, according to Verizon's “2013 Data Breach Investigations Report.”

Embedded malware attacks are especially insidious since they often take place behind the firewall. They can happen when harmful code is embedded in a device by a dishonest worker onsite or when an OEM procures an infected device that is part of a large batch of other components. When the code is embedded in the firmware, it can remain undetected by network intrusion monitoring software until the product is shipped and the Trojan begins its attack.

Among perhaps tens of thousands of components in a supplier's inventory, it only takes one or just a few devices to unleash network attacks once they are in the customers' hands. Regardless of who is legally liable, the breach can become a security nightmare for the firm associated with the attack.

One such incident that illustrates the toll an embedded attack can take (not to mention the bad PR that goes along with it) came into the public sphere after a few of Dell’s server motherboards were infected. Without quantifying the exact number of devices that were compromised, Dell reported that the maximum exposure level of its PowerEdge R310, PowerEdge R410, PowerEdge R510, and PowerEdge T410 servers was less than 1 percent, but said the affected motherboards could contain malware embedded in the firmware.

Once in the channel or in customers' hands, electronic devices still remain vulnerable to firmware attacks. The Linux.Darlloz worm, for example, began to infect different types of Linux devices with Intel x86 CPUs last year. The virus attacks routers, set-top boxes, digital cameras, and other devices by exploiting a PHP vulnerability.

OEMs usually allow for firmware updates to take place remotely over the Internet after their products are shipped, but the problem is that this capability can also create vulnerabilities. Columbia University researchers have demonstrated, for example, how to embed and exploit malicious code using firmware update features that HP ink jet printers offer. The researchers also demonstrated how remotely correcting the vulnerabilities and initiating other security fixes could remedy the problem.
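The risk in the two preceding paragraphs is a device accepting a firmware image it has no way to authenticate, whether it arrives through the supply chain or through a remote update feature. The following is an added example, not code from EBN, Dell, HP or the Columbia researchers: a small updater routine that refuses an image unless its manifest authenticates, names the right product, is not a rollback, and matches the image's SHA-256. The product key, product id, manifest layout and firmware bytes are all constructed for the example; a real device would verify a public-key signature held in ROM rather than keep an HMAC secret, which is used here only to stay within the Python standard library.

```python
"""Authenticate a firmware image before applying it (constructed example)."""
import hashlib
import hmac
import json

# Constructed per-product key for this example only. A shipped device should hold a
# public key in immutable storage and verify a signature, so no secret lives on-device.
PRODUCT_KEY = hashlib.sha256(b"example-provisioning-key").digest()
PRODUCT_ID = "example-device"  # assumed product identifier


def image_digest(image: bytes) -> str:
    """SHA-256 of the raw firmware image, as carried in the manifest."""
    return hashlib.sha256(image).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def issue_manifest(image: bytes, product: str, version: int, key: bytes) -> tuple[dict, str]:
    """What the OEM's release tooling would emit alongside an image (assumed layout)."""
    manifest = {"product": product, "version": version, "sha256": image_digest(image)}
    mac = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, mac


def verify_update(image: bytes, manifest: dict, mac: str, *, key: bytes,
                  product: str, installed_version: int) -> tuple[bool, str]:
    """Return (accepted, reason). Every check runs before any byte of the image is flashed."""
    # 1. Authenticate the manifest before trusting anything inside it.
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "manifest authentication failed"
    # 2. The manifest must be for this product, so a valid image for another
    #    model cannot be replayed onto this one.
    if manifest.get("product") != product:
        return False, "manifest is for a different product"
    # 3. Anti-rollback: a genuinely signed but older (and possibly vulnerable)
    #    image must not replace the installed one.
    version = manifest.get("version")
    if not isinstance(version, int) or version < installed_version:
        return False, "rollback to an older version refused"
    # 4. Only now bind the image bytes to the authenticated digest.
    if not hmac.compare_digest(image_digest(image), str(manifest.get("sha256", ""))):
        return False, "image digest mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the verifier over a genuine image and three rejection cases (constructed data)."""
    good = b"FIRMWARE v2 " + bytes(range(256))
    manifest, mac = issue_manifest(good, PRODUCT_ID, 2, PRODUCT_KEY)
    common = dict(key=PRODUCT_KEY, product=PRODUCT_ID)
    results = {"genuine": verify_update(good, manifest, mac, installed_version=1, **common)}

    # A single flipped byte in the image: manifest still authenticates, digest does not.
    tampered = bytearray(good)
    tampered[-1] ^= 0x01
    results["tampered_image"] = verify_update(bytes(tampered), manifest, mac,
                                              installed_version=1, **common)

    # Manifest edited to match the tampered image: the MAC no longer verifies.
    forged = dict(manifest, sha256=image_digest(bytes(tampered)))
    results["forged_manifest"] = verify_update(bytes(tampered), forged, mac,
                                               installed_version=1, **common)

    # Genuine v2 offered to a device already running v3.
    results["rollback"] = verify_update(good, manifest, mac, installed_version=3, **common)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16s} accepted={ok} ({reason})")
```

The same digest comparison is usable at goods-in: reading the firmware off a sampled unit and checking it against the release manifest catches a batch that was altered before it reached the OEM, which network monitoring, as the article notes, cannot see.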

Protecting devices from embedded code attacks should, of course, be one of many important security practices OEMs already have in place. Embedded code attacks are also only one of many threats, alongside SQL injection, denial of service, social engineering, and other attacks.

But while every OEM should protect its devices against embedded attacks, Joseph Malec, a senior independent security analyst and Fellow at the Information Systems Security Association, believes that some are not taking action as they should. Among hundreds of audits he has conducted at firms ranging from mom-and-pop operations to Fortune 500 companies, Malec says some OEMs do not even change default passwords before shipping their products.

But ultimately, the onus is on the OEM that produces products that are distributed through retail channels, Malec told EBN in an interview. “The responsibility of hardening firmware devices is the responsibility of the purchasing company,” he said.

Let us know how concerned you are about OEM cybersecurity in the comments section below.

6 comments on “OEMs Face a Virus Dilemma”

    January 23, 2014

    Although 1% does not sound like a large percentage, it would equate to a significant number of infected products given the quantities that Dell ships. This was a worrying article to read and something we should all be wary of.

  2. t.alex
    January 23, 2014

    Viruses are going deeper and deeper into the system. When they are embedded into the firmware, how would a normal AV scanner detect them?

  3. Bruce Gain
    January 23, 2014

    The idea is that OEMs can take certain measures to ward off such attacks. However, the first step is awareness.

  4. Hailey Lynne McKeefry
    January 24, 2014

    @FlyingScott, added to that worry is the reality that viruses are getting smarter so that they can propagate more readily. They are sometimes able to hide in systems for years undetected or remove themselves after getting the data they want. It's getting harder to spot and remove malware.

  5. Hailey Lynne McKeefry
    January 24, 2014

    @Bruce, awareness is a big first step. OEMs are quite used to having siloed systems, but as the supply chain has expanded and electronic exchange has become the norm, there are an increasing number of attack vectors. Added to that is that organizations that have successfully eluded an attack don't want to give away their secret to success; and the ones who have been hit don't want to admit it for fear of tarnishing their corporate brand.

  6. Eldredge
    January 24, 2014

    As a consumer, my perceived security concerns have been toward internet connected hardware. Embedded viruses already residing in hardware had not been a consideration – but it is a clever and insidious approach.
