Vendors deliver compromised products
Users should be aware of the threat posed by devices that have already been compromised or tampered with by the time they come off the shelves.
The Trend Micro 2010 Future Threat Report discusses incidents, already reported in previous years, in which media players and digital frames were shipped with malware.
USB devices, while offering the convenience of quick connectivity, are responsible for the spread of autorun malware within networks. The creators of the Conficker worm added a propagation capability that uses removable drives to increase its spread. Because users also tend to assume that newly purchased digital devices and their accompanying installers and drivers are “clean,” cybercriminals are sure to find ways to step in anywhere between the manufacture of the product and its first use.
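An added example (not part of the original report or page): a Python check a defender could run against a newly purchased removable device before its first use, listing the autorun.inf entries that would launch a program. The function names and the sample file contents are constructed for illustration.

```python
import os
import re
import sys

# Keys in the [autorun] section that make Windows run, or offer to run, a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.I)

# Constructed sample, not taken from a real device. Padding lines imitate
# the junk that is sometimes used to hide the real entries from a quick look.
SAMPLE = """\
xK29fjQ0 padding line
[AutoRun]
Label=Photo Frame
ICON=setup.exe,0
qqqq zzzz
OPEN=setup.exe /silent
shell\\explore\\command = tools\\viewer.exe
[Content]
open=ignored.exe
"""

def audit_autorun(text):
    """Return (key, value) pairs for every launch entry in autorun.inf text."""
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                      # other sections and junk padding
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key):
            findings.append((key.lower(), value))
    return findings

def audit_drive(root):
    """Find autorun.inf (any letter case) in the drive root and audit it."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            # latin-1 decodes every byte, so binary padding cannot raise.
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                return audit_autorun(fh.read())
    return []

if __name__ == "__main__":
    hits = audit_drive(sys.argv[1]) if len(sys.argv) > 1 else audit_autorun(SAMPLE)
    for key, value in hits:
        print(f"launch entry: {key} -> {value}")
```

Any entry it reports on a device that is not supposed to carry software is a reason to inspect the referenced file before the device is connected to a production machine.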
A similar risk is application compromise, where “known good” software has an embedded malware component. The user purchases and installs the software, and it does exactly what it is supposed to do, but it has a hidden purpose as well. The malware component is installed by engineers who have been either paid or coerced while in the employ of the company developing the software.
The risk of tainted products extends to hardware. For instance, some credit card dataphone devices used in several retail outlets have been identified as having compromised hardware.