Vulnerable firmware could destabilize Internet-enabled technologies
Kill switches and backdoors inserted at the point of manufacture could act as a conduit for organized criminals or foreign states to access internet-enabled devices, according to Invictis.
Specific vulnerabilities that are usually very hard to detect have been discovered in components used in some US systems, providing the first solid evidence that weak firmware exists in the US-China supply chain.
The theoretical threat, now a reality, is that flaws embedded in a device at the point of manufacture could be used to disable or extract data from it or to use the device as a launch point for an attack across the network to which it is attached.
Consequently, it is now a real possibility that malware could be written to exploit the weaknesses hard-coded into components to carry out sophisticated, targeted, commercially or politically motivated attacks.
The warning follows revelations last week by the Homeland Security Department’s National Protection and Programs Directorate that instances of embedded flaws had occurred in US infrastructure.
In response to a line of questioning on whether imported devices posed a security or intellectual property risk, Greg Schaffer, Homeland Security’s Assistant Secretary of the Office of Cybersecurity and Communications, said “I am aware that there have been instances where that has happened.” His admission could mean that a wide range of electronic devices, from Internet-enabled TVs to industrial control systems, are carrying embedded kill switches or backdoors.
A wealth of information is available to the manufacturer at the point of assembly, including the MAC address of the network interface card or the IMEI number of a mobile handset or smartphone.
With details of the component, the vulnerability, the unique identifier and the shipping destination, an organization would have all the information necessary to carry out a successful attack and gain access to the hard drive or flash storage, as well as location-specific information on GPS-enabled devices, completely undetected.
Security flaws embedded at the point of manufacture could take sophisticated attacks to the next level, providing new techniques with which to target prominent individuals or organizations in order to obtain sensitive information or intellectual property. The flaws could also be key to future cyber-weapons that disable specific systems either temporarily or permanently.