With all the attention on counterfeit electronic components, it's easy to overlook the vulnerabilities of other supply chains in the computing industry.
In a previous blog post, I summarized a Gartner report that calls attention to the importance of investigating the supply chains of software, services, and even data. The report warns that the “IT supply chain” has become alarmingly insecure. (See IT Needs More Careful Sourcing.)
One example it gives is the admission in May 2012 by Chinese mobile phone maker ZTE that one model of its Android phone had a back door installed in its software. The back door, which was found only in smartphones shipped to the United States, allowed installation of arbitrary applications and full access to any data stored on the phone. There could be other smartphones with similar vulnerabilities, says the report. “There is no way to know whether this is the first or only back door or just the tip of the iceberg.”
To protect against such hacks, corporations need to institute a formal IT supply chain risk-management program, including investigation into the robustness of software update mechanisms, says the report. For smartphones, in particular, it recommends asking all hardware and software suppliers for specifics on how they update firmware and software, including:
- How are updates performed?
- Are they pushed or pulled?
- What channel do they use and from what location?
- Can your company block updates and coordinate them centrally?
- How is authentication performed?
- What type of certificates are used and how are they managed?
- How is the integrity of the user's conversation protected?
- If the platform (such as Google's Android) provides a way to update the code, why isn't it being used?
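Several of the questions above (pushed or pulled, authentication, certificate handling) come down to whether the device refuses an update that is not signed by the vendor's key, is stale, or does not match what was signed. The following is an added illustration, not code from the Gartner report or from any phone vendor: it assumes a hypothetical update format consisting of a small JSON manifest (product, version, SHA-256 of the payload) signed with Ed25519, and a pinned vendor public key on the device. The product and key names are made up, and the key pair is derived from a fixed label only so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical metadata shipped with an update. The whole
// JSON document is signed, so version and digest cannot be altered in transit.
type Manifest struct {
	Product       string `json:"product"`
	Version       uint64 `json:"version"`
	PayloadSHA256 string `json:"payload_sha256"`
}

// SignedUpdate is what a device pulls (or is pushed) from the update channel.
type SignedUpdate struct {
	ManifestJSON []byte // exact bytes that were signed
	Signature    []byte // Ed25519 signature over ManifestJSON
	Payload      []byte // firmware/software image
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned vendor key")
	ErrWrongProduct   = errors.New("manifest is for a different product")
	ErrRollback       = errors.New("update version is not newer than the installed version")
	ErrDigestMismatch = errors.New("payload digest does not match signed manifest")
)

// KeyPairFromLabel derives a deterministic demo key pair so the example runs
// offline. A real vendor signing key lives in an HSM, never in source.
func KeyPairFromLabel(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignUpdate is the vendor side: hash the payload, put digest and version in
// the manifest, sign the manifest bytes.
func SignUpdate(priv ed25519.PrivateKey, product string, version uint64, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, PayloadSHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// VerifyUpdate is the device side. It refuses the update unless the manifest is
// signed by the pinned key, names this product, is newer than what is
// installed, and matches the payload actually received.
func VerifyUpdate(pinned ed25519.PublicKey, product string, installed uint64, u SignedUpdate) (*Manifest, error) {
	// Verify the signature before parsing anything attacker-controlled.
	if !ed25519.Verify(pinned, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	// Monotonic version check blocks replay of an old, validly signed build.
	if m.Version <= installed {
		return nil, ErrRollback
	}
	want, err := hex.DecodeString(m.PayloadSHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, ErrDigestMismatch
	}
	got := sha256.Sum256(u.Payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, ErrDigestMismatch
	}
	return &m, nil
}

func main() {
	pub, priv := KeyPairFromLabel("demo-vendor-signing-key")
	payload := []byte("constructed firmware image, build 3") // constructed sample input
	u, _ := SignUpdate(priv, "handset-model-a", 3, payload)
	if m, err := VerifyUpdate(pub, "handset-model-a", 2, u); err == nil {
		fmt.Println("accepted update to version", m.Version)
	}
	_, err := VerifyUpdate(pub, "handset-model-a", 3, u) // replay onto an up-to-date device
	fmt.Println("replay:", err)
	u.Payload = []byte("constructed tampered image") // payload swapped on the wire
	_, err = VerifyUpdate(pub, "handset-model-a", 2, u)
	fmt.Println("tampered payload:", err)
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before the JSON is parsed, so a malformed manifest from an unauthenticated source never reaches the parser, and the version comparison prevents an attacker who captured a genuine older update from pushing a device back to a vulnerable build. Whether a vendor's real mechanism does all four checks, and where the pinned key can be rotated from, is exactly what the questionnaire should establish.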
The Gartner report notes that just because this happened in a ZTE phone doesn't necessarily mean that the company had a nefarious motive. Indeed, the back door could have been “developed and installed by a disgruntled or rogue employee, assuming he or she circumvented source-code control and deployment management systems.”
Or maybe it didn't come from ZTE at all. The Economist reported recently that when an American telecommunications company investigated a Chinese company acquired by one of the American company's vendors, it found the Chinese company to be clean. However, it turned out that the Chinese company was outsourcing software development to a firm that was a front for Russian intelligence.
That's a perfect example of why today's convoluted IT supply chain is increasingly insecure. The Gartner report says software supply chains can be easy targets because of:
- Increased use of outsourced software development. Even if a company uses its own developers, many use third-party libraries and frameworks that include open-source software, which can be vulnerable.
- Increasingly active code at many layers. The use of software-based platforms atop operating systems provides new opportunities to insert back doors and vulnerabilities.
- Content itself can be used to attack. Exploits against hidden application-layer vulnerabilities can change an innocent piece of code into an attack vector.
Are you doing what you should to ensure the integrity of your software supply chain?