Who put the cockroach in my supply chain?

Enough about your supply chain. How secure is the supply chain of your technology providers?

Businesses have always had concerns about supply chain risks but, for most businesses, those risks involve shipping delays, parts shortages and labor issues. That is starting to change, however, as evidenced by CSOonline’s recent coverage on the discovery of malicious apps on new Android devices.

In case you missed it, the story in question examined how a malicious app, disguised to look like a Netflix app, was found pre-installed on Android-based devices from four different manufacturers. Somehow, somewhere along the supply chain, those devices had the malicious app installed. The immediate questions for manufacturers are ‘when’, ‘where’ and ‘how’; I think you can guess at the ‘why’. Despite their silence on the issue, I know they are taking it very seriously. They see the risk that this poses to their market. For the owner of the real app, in this case Netflix, it can pose a serious public relations challenge (let’s not forget they’re one of the victims here). But what about the buyers?

I’d wager that the vast majority of individuals purchasing mobile devices have no clue as to how to examine their pre-installed apps to see if they are original or malicious knock-offs. How would you even begin to address this outside of utilizing the tools and expertise that some, not all, enterprises possess? Frankly, this is the least of my concerns.

If the supply chain has been compromised, can buyers be sure that the shiny new device they just pulled out of the box doesn’t have a compromised operating system, or even more troubling, compromised embedded software? I see the trust model beginning to erode.

Is this issue just another one to worry about? Sure, we can add it to the long list of risks that need to be considered, but this may also prove to be a game-changer. We’ve always worried about what gets added after a device is purchased, focusing on that as the primary vector to defend. But what happens when we can’t trust that we’re acquiring pristine devices from our suppliers in the first place?

Yes, I hear the chatter already: “what about operating systems? Those have always been rife with vulnerabilities.” But we’ve grown to expect those flaws and to mitigate them through patch management and perimeter control solutions. Your business should be looking at solutions you can employ to address this new risk as well, and should examine where else, in your own supply chain, you might be vulnerable to product tampering. Please share your ideas with us and look out for those cockroaches.

Copyright © 2014 IDG Communications, Inc.