Supply Chain Uncertainties Complicate Security

Published : 22/11/2024   Category : security




Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how difficult supply-chain insecurities are to manage.



Supply-chain security has become a growing concern for national governments and large enterprises, but the degree to which compromised technology is a threat remains uncertain, especially since backdoors are hard to detect and, once found, deniable.
In November, the acting chief information officer of Los Alamos National Laboratory reported in a letter to the National Nuclear Security Administration that the lab's technicians had removed two network switches made by a subsidiary of network giant Huawei Technologies, based in Hangzhou, China, according to a Reuters report published earlier this month. The letter came after the House Armed Service Committee requested information on supply-chain risks from the Department of Energy.
In ditching the Chinese hardware, LANL took a standard strategy to attempt to add greater security to the supply chain: Use only trusted suppliers. But the strategy does not guarantee that a compromised product will not make it into an organization's infrastructure.
"If you pull a router off the shelf and you look at all the manufacturers involved in the creation of that product -- it's like buying a computer that is totally from the U.S. -- it's hard to do that," says Andrew Howard, a research scientist at the Georgia Tech Research Institute's cybertechnology lab.
The number of manufacturers involved in creating a hardware product tends to be unmanageably large. It is likewise difficult to track the number of developers who had a hand in creating a particular program, which often includes open-source components.
In addition, products that have been compromised somewhere in the supply chain are hard to detect because the hidden functionality in the devices is well-camouflaged. The most interesting products to modify are those that handle data of interest, especially routers and switches. In most cases, an attacker could add specific functions to the device's firmware, hiding them quite effectively and -- if done correctly -- masking them as an undiscovered vulnerability or debugging feature.
In May, for example, a security researcher found a backdoor in ZTE's Metro PCS Android package, which would have allowed any binary to be installed on the system. Whether the vulnerability was functionality left over from development or an intentional backdoor remains unanswered.
Determining the intent of such functionality is difficult, says Torsten George, vice president of marketing and products at integrated risk management vendor Agiliance. "The distinction between a ... backdoor and a bug is often razor-thin," he says.
In a talk at the Black Hat Security Conference in July, security researcher Jonathan Brossard demonstrated nearly undetectable functions that could hide in the firmware and be nearly impossible to remove.
"No company has the knowledge to detect those kind of attacks," he says. "I have received a few emails since my Black Hat talks from people claiming to be infected at BIOS level. I have yet to see any convincing proof, though, but I do not exclude the possibility that such things are happening and will only be discovered after many years."
Despite those uncertainties, supply-chain security has become a major issue among governments. Last year, Chinese and American think-tanks, which frequently air issues as proxies for those nations' governments, identified the supply-chain security problem as intractable and unlikely to be solved by diplomacy. In October, the House Select Committee on Intelligence published a report that recommended U.S. companies avoid Chinese networking hardware.
[Vulnerable technology supply chains have become a concern of security professionals and politicians alike, but a few steps could help minimize the possibility of attacks. See Preventing Infrastructure From Becoming An Insider Attack.]
"Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE, a Chinese handset maker, or Huawei for equipment or services," the report stated. "U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects."
Given that backdoors can look like inadvertent vulnerabilities and that subtle bugs in firmware are hard to detect, detecting potentially malicious devices takes a great deal of technical resources and money, says GTRI's Howard.
Companies should make sure they conduct audits of their suppliers and hold them to the same standards, he says. More risk-averse organizations should create a trusted version of firmware and flash all new hardware with the software. Finally, the security team should monitor the devices for strange behavior, including occasionally pulling devices from the network and inspecting them as well as analyzing network traffic for any communications that appear uncharacteristic. Both tasks are time-consuming, expensive, and not sure to catch malicious behavior.
For that reason, the concerns have to be tempered by an assessment of the reasonable threats that an organization faces, GTRI's Howard says.
"I view this as another risk that has to be mitigated," he says. "I think this should be on a top-10 list, but risks one through nine might be more cost-effective."
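The two checks Howard describes above, comparing a pulled device's firmware against the trusted build and looking for uncharacteristic traffic originated by the device, can be sketched as follows. This is an added example, not code from the article or from anyone quoted in it; the model name, addresses, peer policy and flow records are all constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed sample: the trusted firmware build the security team flashes on new gear.
GOLDEN_IMAGES = {"switch-model-a": b"trusted firmware build 1.0 for model A"}
GOLDEN = {m: hashlib.sha256(img).hexdigest() for m, img in GOLDEN_IMAGES.items()}

# Hypothetical policy: the only peers and ports network gear should initiate traffic to.
EXPECTED_PEERS = {
    "10.0.0.5": {("udp", 514)},  # syslog collector
    "10.0.0.6": {("udp", 123)},  # NTP server
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

def check_firmware(model, dumped_image):
    """Compare an image read back from a pulled device with the golden hash."""
    expected = GOLDEN.get(model)
    if expected is None:
        return "no-baseline"  # nothing trusted to compare against
    actual = hashlib.sha256(dumped_image).hexdigest()
    return "match" if actual == expected else "MISMATCH"

def unexpected_flows(device_ips, flows):
    """Return flows a managed device originated to a peer or port outside policy."""
    findings = []
    for src, dst, proto, dport in flows:
        if src not in device_ips:
            continue  # only traffic the device itself initiated is of interest
        if (proto, dport) in EXPECTED_PEERS.get(dst, set()):
            continue  # characteristic traffic: known peer on its known port
        scope = "internal" if ipaddress.ip_address(dst) in INTERNAL_NET else "external"
        findings.append((src, dst, proto, dport, scope))
    return findings

# Constructed flow records: (source, destination, protocol, destination port).
DEVICES = {"10.0.1.2"}
FLOWS = [
    ("10.0.1.2", "10.0.0.5", "udp", 514),      # expected syslog
    ("10.0.1.2", "203.0.113.50", "tcp", 443),  # switch talking to an outside host
    ("10.0.1.2", "10.0.0.5", "tcp", 22),       # known peer, uncharacteristic port
    ("10.0.9.9", "203.0.113.50", "tcp", 443),  # a workstation, not a managed device
]

if __name__ == "__main__":
    print(check_firmware("switch-model-a", GOLDEN_IMAGES["switch-model-a"] + b"\x00"))
    for finding in unexpected_flows(DEVICES, FLOWS):
        print("review:", finding)
```

A hash match only shows that the image read back equals the trusted build; it says nothing about code stored outside the region that was dumped, which is consistent with Howard's point that neither task is sure to catch malicious behavior.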
