Software Supply Chain’s Soft Underbelly

With all the attention on counterfeit electronic components, it's easy to overlook the vulnerabilities of other supply chains in the computing industry.

In a previous blog post, I summarized a Gartner report that calls attention to the importance of investigating the supply chains of software, services, and even data. The report warns that the “IT supply chain” has become alarmingly insecure. (See IT Needs More Careful Sourcing.)

One example it gives is the admission in May 2012 by Chinese mobile phone maker ZTE that one model of its Android phone had a back door installed in its software. The back door, which was found only in smartphones shipped to the United States, allowed installation of arbitrary applications and full access to any data stored on the phone. There could be other smartphones with similar vulnerabilities, says the report. “There is no way to know whether this is the first or only back door or just the tip of the iceberg.”

Trojan Horse?

Chinese mobile phone maker ZTE acknowledged that one model of its Android phone had a back door installed in its software.

To protect against such hacks, corporations need to institute a formal IT supply chain risk-management program, including investigation into the robustness of software update mechanisms, says the report. For smartphones, in particular, it recommends asking all hardware and software suppliers for specifics on how they update firmware and software, including:

  • How are updates performed?
  • Are they pushed or pulled?
  • What channel do they use and from what location?
  • Can your company block updates and coordinate them centrally?
  • How is authentication performed?
  • What type of certificates are used and how are they managed?
  • How is the integrity of the user's conversation protected?
  • If the platform (such as Google's Android) provides a way to update the code, why isn't it being used?
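The questions above map directly onto checks a device, or the enterprise management layer in front of it, can enforce in code. The following Go program is an added example, not code from the Gartner report or from any vendor: it verifies a signed update manifest under a pinned vendor key (authentication and certificate management), refuses updates from sources outside a central allow-list (channel and location, and the ability to block or coordinate updates), rejects downgrades to an older version, and binds the payload to the signed manifest with a SHA-256 hash. The manifest format, the field names, the `.invalid` URLs and the payload bytes are all constructed for illustration; real vendors use richer formats and usually X.509 certificate chains rather than a single raw Ed25519 key, but the checks are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UpdateManifest is a constructed, simplified description of an update:
// the version it carries, the SHA-256 of the payload, and where it came from.
// The field set is an assumption for this example, not a real vendor format.
type UpdateManifest struct {
	Version    uint64
	PayloadSHA string // hex-encoded SHA-256 of the update payload
	SourceURL  string
}

// canonical returns the exact bytes that are signed and verified. The signature
// must cover every field the device acts on (version, hash, source), so an
// attacker who can alter the manifest in transit cannot change any of them.
func (m UpdateManifest) canonical() []byte {
	return []byte(fmt.Sprintf("v=%d\nsha256=%s\nsrc=%s\n", m.Version, m.PayloadSHA, m.SourceURL))
}

// DevicePolicy is what the device (or the company's central update control)
// pins: the vendor's public key, the last installed version, and the update
// channels it will accept.
type DevicePolicy struct {
	VendorPubKey     ed25519.PublicKey
	InstalledVersion uint64
	AllowedSources   []string // URL prefixes the company has approved
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under pinned vendor key")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrBadSource    = errors.New("update source is not on the allow-list")
	ErrPayloadHash  = errors.New("payload hash does not match signed manifest")
)

// VerifyUpdate applies the checks in the order a device should: authenticate the
// manifest first, then enforce anti-rollback, source policy, and payload integrity.
func VerifyUpdate(p DevicePolicy, m UpdateManifest, sig []byte, payload []byte) error {
	if !ed25519.Verify(p.VendorPubKey, m.canonical(), sig) {
		return ErrBadSignature
	}
	if m.Version <= p.InstalledVersion {
		return ErrRollback
	}
	allowed := false
	for _, prefix := range p.AllowedSources {
		if strings.HasPrefix(m.SourceURL, prefix) {
			allowed = true
			break
		}
	}
	if !allowed {
		return ErrBadSource
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return ErrPayloadHash
	}
	return nil
}

// SignManifest is the vendor-side half, included only so the example runs
// offline; in practice the private key lives in release infrastructure, never
// on the device.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// ManifestFor builds a manifest whose hash field is bound to the given payload.
func ManifestFor(version uint64, payload []byte, src string) UpdateManifest {
	sum := sha256.Sum256(payload)
	return UpdateManifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:]), SourceURL: src}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	policy := DevicePolicy{VendorPubKey: pub, InstalledVersion: 41,
		AllowedSources: []string{"https://updates.example-vendor.invalid/"}}
	payload := []byte("constructed update payload bytes")

	good := ManifestFor(42, payload, "https://updates.example-vendor.invalid/fw/42.bin")
	fmt.Println("good update:", VerifyUpdate(policy, good, SignManifest(priv, good), payload))
	// Same signed manifest, but the payload was swapped after signing.
	fmt.Println("tampered payload:", VerifyUpdate(policy, good, SignManifest(priv, good), []byte("other")))
	// Genuine signature on an older build: downgrade is refused.
	old := ManifestFor(40, payload, "https://updates.example-vendor.invalid/fw/40.bin")
	fmt.Println("rollback:", VerifyUpdate(policy, old, SignManifest(priv, old), payload))
	// A key the company never pinned, e.g. a subcontractor's build server.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("unknown signer:", VerifyUpdate(policy, good, SignManifest(otherPriv, good), payload))
}
```

The ordering matters: the signature check comes first so that an unauthenticated manifest cannot even influence which later error is reported, and the allow-list is evaluated against the signed `SourceURL`, which is what lets a company block or centrally coordinate updates rather than leaving that decision to whatever server the phone happens to reach.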

The Gartner report notes that just because this happened in a ZTE phone doesn't necessarily mean that the company had a nefarious motive. Indeed, the back door could have been “developed and installed by a disgruntled or rogue employee, assuming he or she circumvented source-code control and deployment management systems.”

Or maybe it didn't come from ZTE at all. The Economist reported recently that when an American telecommunications company investigated a Chinese company acquired by one of the American company's vendors, it found the Chinese company to be clean. However, the Chinese company was outsourcing software development to a firm that turned out to be a front for Russian intelligence.

That's a perfect example of why today's convoluted IT supply chain is increasingly insecure. The Gartner report says software supply chains can be easy targets because of:

  • Increased use of outsourced software development. Even if a company uses its own developers, many use third-party libraries and frameworks that include open-source software, which can be vulnerable.
  • Increasingly active code at many layers. The use of software-based platforms atop operating systems provides new opportunities to insert back doors and vulnerabilities.
  • Content itself can be used to attack. Exploits against hidden application-layer vulnerabilities can change an innocent piece of code into an attack vector.

Are you doing what you should to ensure the integrity of your software supply chain?

15 comments on “Software Supply Chain’s Soft Underbelly”

  1. t.alex
    March 26, 2013

    With smartphones running more and more complex software and applications, our devices are definitely vulnerable to attacks. An outsourcing company may do it smartly by installing the trojan inside the software, but it wouldn't be active till the phone reaches end customers. Millions of lines of code coming from hundreds of vendors make it difficult to scan for malicious code as well.

  2. itguyphil
    March 26, 2013

    Even if it was 1 vendor's code base, malware variants are being created each & every day. It will always be difficult to curb attacks because technology is dependent on humans' thought process.

  3. mfbertozzi
    March 27, 2013

    I agree, and I would like to mention here other sources of potential malware, such as the millions of apps available to each one of us while we are surfing the Internet, and some features could appear fascinating.

  4. mfbertozzi
    March 27, 2013

    Good point Pocharle; it has been discovered, for instance, that some apps from socials are not malware in principle, but they access personal data stored inside the smartphone and process or send those data to others; it is a sort of spy inside. This is not in line with international rules on individual privacy.

  5. itguyphil
    March 28, 2013

    I mean, it's easy to download malware by drive-by attacks. You can visit a popular website and all it takes is a malicious popup (unsolicited) that will cause junk to be stored/saved on your device.

  6. mfbertozzi
    March 29, 2013

    That's right, definitely; to whom has it not happened?

  7. itguyphil
    March 29, 2013

    Well, that's the tough part. Most of the people that this has happened to don't know it.

  8. mfbertozzi
    March 30, 2013

    Good point pocharle, it is not easy to know and to be aware of what the installed apps are going to process and what kind of output will be sent, nobody knows where…

  9. itguyphil
    March 31, 2013

    Yes sir. There are apps out there that let you monitor processes and their outbound connections, but there's so much going on that it's difficult to tell what's needed and what's not.

  10. mfbertozzi
    April 2, 2013

    @pocharle: another point I don't really like is the behaviour of some apps; while I am trying to install them, a message appears saying “we need to access your address book, agenda, cookies, images” … why? I am installing a basic app for some simple feature like a screensaver, and do they need to read my address book???

  11. itguyphil
    April 17, 2013

    Convenience. They must be using the data for something, that's why they warn you.

  12. mfbertozzi
    April 18, 2013

    I could agree on the portion of data needed for running, but some doubts on the need to access personal contacts still remain…

  13. itguyphil
    April 20, 2013

    It's probably to enable you to invite your contacts to use the app… with your permission, of course. But they have to build that functionality in early in the process.

  14. mfbertozzi
    April 21, 2013

    Yes, it is a possibility; maybe in the near future, considering the process in progress that is involving BigG and the main authorities on privacy, we could see a possible evolution on the matter.

  15. itguyphil
    April 23, 2013

    They're not the only ones doing it. Especially with the spread of Facebook integration into a lot of apps and websites, sharing information is needed.
