DHS: Imported Tech Tainted with Backdoor Attack Tools

DHS admitted that backdoor malware comes embedded in brand-new imported electronics. Yet that security threat has been real for years; a Defense Science Board report warned about a tainted supply chain for tech devices and components back in 2005.

When a Homeland Security official admitted to the threat of destructive coding being embedded in imported software and hardware, it caused quite a stir. Yet backdoor malware is no more a secret than the fact that nation states and rogue criminals target the U.S. "by hacking into proprietary data and other sensitive information."

During testimony before the House Oversight and Government Reform Committee, Rep. Jason Chaffetz, R-Utah, questioned a top DHS official about software and hardware that is built overseas, is shipped into the U.S. and comes embedded with spyware or other code meant for sabotage. Chaffetz asked Greg Schaffer, Homeland Security's Assistant Secretary of the Office of Cybersecurity and Communications, about imported devices that pose "security and intellectual property risks."

As you can see in the video below, Chaffetz continued to push for a direct answer about embedded malware in foreign components coming into the U.S. until, after a long pause, Schaffer said, "I am aware that there have been instances where that has happened."

Then Dr. Desjarlais had questions about cyberwar. But at 1:01:38 in the video, the topic turned back to the threat of imported devices with embedded security risks. Desjarlais asked, "Where are the most significant weaknesses in our IT supply chain?"

Schaffer said, "The supply chain issues are increasingly complex because we do have a global economy in which our product and equipment is installed and embedded in foreign product and foreign product is installed and embedded in our product and the need to have appropriate processes to address risk and manage ways of identifying where there might have been a compromise to the system is what we focus on in terms of problematics."

Nextgov reported that a U.S.-China Economic and Security Review Commission report from January suggested that "kill switches could be installed in Pentagon systems to power down operations in response to remote commands. The potential for harm is enormous, extending from simple identity theft by criminal enterprises to disrupting networks and defense systems vital to national security." The commission said the "public discussion of the vulnerabilities of electronics components to malicious tampering has been largely theoretical."

While Rep. Chaffetz was correct that few people are aware of hidden malware in consumer tech, embedded malware lurking in consumer tech is not a new development. Since it has been happening for years and is hardly a national security secret, it is unclear why Schaffer hesitated so long before answering. There have been many incidents of malware-infected products being shipped to consumers, from hardware to software and even tainted peripheral devices. Malware has been shipped pre-loaded in products like USB drives, microchips, cameras, battery chargers, digital photo frames, webcams, printers, cell phones, motherboards or system boards, and hard drives.

Adversaries' "dirty tricks" alarmed a Defense Science Board report [PDF] way back in 2005, when it warned the government against the risk of "trojan horse" circuits threatening the "security and integrity of classified and sensitive circuit design information." It mentioned China by name and advised that we needed "aggressive national antitamper development" because "trust cannot be added to integrated circuits after fabrication; electrical testing and reverse engineering cannot be relied upon to detect undesired alterations in military integrated circuits."

A 2010 Embedded Malware whitepaper [PDF] by KUITY, an advanced analytics company, stated that a "portion of hardware and software are contaminated with malicious computer code" which has been "designed to alter the functionality of the application." Because "perpetrators of embedded malware have developed incredibly sophisticated attacks," the "treacherous embedded malware" has successfully "compromised and even outright stolen intellectual property, competitive information, new product development data, M&A plans, financial information, trade secrets, and even national security secrets."

KUITY added, "Unlike a virus, malware buried inside firmware often goes unchecked, or appears to be legitimate code. Detecting this hidden malware requires rigorous testing of each component, a costly and time-consuming process, particularly in large organizations with many hundreds or thousands of hardware and system configurations."
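The per-component testing KUITY describes starts, in practice, with an integrity baseline: a manifest of known-good firmware hashes, itself authenticated, that every unit's images are compared against before deployment. The following is an added illustration of that check, not code from KUITY, DHS or the original article; the firmware bytes, paths and manifest key are constructed stand-ins, and the manifest is authenticated with a shared-key HMAC only to keep the example self-contained (a vendor-signed manifest would serve the same purpose). The caveat the Defense Science Board raises still applies: a hash comparison can only detect deviation from a reference, so if the reference image was tainted before it was ever hashed, this check will pass it.

```python
import hashlib
import hmac

# Constructed reference images, standing in for firmware taken from a trusted
# reference unit or supplied by the vendor over an authenticated channel.
REFERENCE_IMAGES = {
    "router-a/boot.bin": b"GOLDEN-BOOT-IMAGE-v1.2",
    "router-a/app.bin": b"GOLDEN-APP-IMAGE-v1.2",
    "camera-b/fw.bin": b"GOLDEN-CAMERA-FW-3.0",
    "camera-b/bootrom.bin": b"GOLDEN-CAMERA-BOOTROM",
}

# Constructed images dumped from a shipment under test. One image has trailing
# bytes appended (a constructed tamper), one expected image is absent, and one
# device exposes an image the manifest knows nothing about.
DEVICE_IMAGES = {
    "router-a/boot.bin": b"GOLDEN-BOOT-IMAGE-v1.2",
    "router-a/app.bin": b"GOLDEN-APP-IMAGE-v1.2" + b"\x90\x90extra",
    "camera-b/fw.bin": b"GOLDEN-CAMERA-FW-3.0",
    "printer-c/fw.bin": b"GOLDEN-PRINTER-FW-9",
}

# Constructed demo key; a real deployment would use vendor signatures instead.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(reference_images: dict) -> dict:
    """Map each component path to the SHA-256 of its known-good image."""
    return {path: sha256_hex(data) for path, data in reference_images.items()}


GOLDEN_MANIFEST = build_manifest(REFERENCE_IMAGES)


def manifest_tag(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical (sorted) serialization so the manifest itself
    cannot be silently edited between the reference lab and the test bench."""
    canonical = "\n".join(f"{p} {h}" for p, h in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def verify_firmware(device_images: dict, manifest: dict, tag: str, key: bytes) -> dict:
    """Return a per-component status: ok, mismatch, missing or unexpected."""
    if not hmac.compare_digest(manifest_tag(manifest, key), tag):
        raise ValueError("manifest authentication failed; refusing to verify")
    results = {}
    for path, expected in manifest.items():
        data = device_images.get(path)
        if data is None:
            results[path] = "missing"  # expected component not present on the unit
        elif hmac.compare_digest(sha256_hex(data), expected):
            results[path] = "ok"
        else:
            results[path] = "mismatch"  # bytes differ from the reference image
    for path in device_images:
        if path not in manifest:
            results[path] = "unexpected"  # component the baseline never covered
    return results


def audit_report(results: dict) -> list:
    """List every component that needs a human look, sorted for stable output."""
    return sorted(path for path, status in results.items() if status != "ok")


if __name__ == "__main__":
    tag = manifest_tag(GOLDEN_MANIFEST, MANIFEST_KEY)
    results = verify_firmware(DEVICE_IMAGES, GOLDEN_MANIFEST, tag, MANIFEST_KEY)
    for path, status in sorted(results.items()):
        print(f"{status:10s} {path}")
    print("flagged:", audit_report(results))
```

Both the "missing" and "unexpected" cases are reported alongside plain mismatches on purpose: a unit that lacks a component the reference had, or carries one it did not, is as much a deviation from the baseline as altered bytes, and in a fleet with thousands of hardware configurations those are the cases a hash-only script tends to overlook.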

If the most cost-effective security answer is that "building it in is much cheaper than bolting it on," then that is a good deal, as the U.S. certainly could use the additional jobs.

These talks were related to cybersecurity and assessing the nation's ability to address the growing cyber threat. There has been talk of the military using force after cyber attacks that would constitute an "act of war." NextGov reported the Pentagon is supposed to release a cyberspace operations strategy on July 14, but "contrary to some expectations, does not call for militarizing the domain." Instead, the strategy "gives us the impetus to engage with who we think are the perpetrators of the attack -- and holds them accountable. That doesn't have to be through military means," stated public policy think tank researcher John Sheldon.

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.