Pwned at the factory: attackers think outside the box

We all know that feeling of unboxing a cherished new tech toy. It’s such a part of tech culture now that people post online videos dedicated to carefully prising open the packaging, fondling the product, and turning it on with a hushed sense of awe. But as it turns out, your shiny new product may not be entirely unsullied; someone might have already infected it with malware.

Check Point analysed Android devices owned by two large companies and found malware infections in 36 of them. Moreover, the users hadn’t downloaded the malicious apps; they arrived with the devices, meaning that they were installed somewhere along the supply chain.

The malware in the phones ranged from adware that displayed illegitimate commercials, through to information stealers. There was even a mobile ransomware instance lurking on some of the phones. In this case, attackers installed malware on device ROMs using system privileges, meaning that the user couldn’t get rid of it.

What’s in the box?

The fact that someone installed this malware on the phones before users got the devices raises concerns about the security of the supply chain. A device goes through multiple stages at the factory before shipping to logistics companies that may hand it off to yet more logistics firms multiple times. Eventually, it will hit the local sales channel, where again there are many opportunities for malicious actors to get their sticky hands on it.

This isn’t the first time that an Android phone has shipped with something nasty under the hood. In 2014, phones from Chinese manufacturer Star were infected by spyware integrated directly into the firmware, that sent personal data back to Chinese servers and also allowed controllers to install additional applications. In December 2016, Dr Web discovered trojan software in the firmware of 26 Android devices.

There have been cases of supply chain compromise in other devices, too, with malware turning up in something as innocuous as a digital picture frame. In 2011, Microsoft researchers bought a Windows laptop from a computer reseller in Shenzhen which had been “carelessly or intentionally infected” with the botnet malware Nitol.A.

Sometimes, vendors willingly install software at the factory in the mistaken belief that customers will be okay with it. Lenovo installed Superfish, an adware product that also served up man-in-the-middle certificates. Some antivirus products even flagged it as a virus.

Perhaps the most insidious supply chain compromise yet, though, is the one carried out by the US government itself. Glenn Greenwald’s book No Place To Hide revealed how the NSA systematically intercepts the delivery of computer network devices and redirects them to a secret Tailored Access Operations location. There, its operatives install “beacon implants” before repackaging them and sending them on their way. This then gives the organization direct access to “hard target” networks around the world.

Such was the outrage about the NSA’s campaign over at Cisco that it began shipping boxes to vacant addresses for its more sensitive customers, making it more difficult for government spooks to identify shipments destined for interesting targets.

The problem with the digital supply chain is that it has many moving parts, including not only the various vendors that make the hardware, software and firmware in the final box, but also the people that create the standards they’re based on.

For example, when Juniper discovered that someone had tampered with its source code and produced a backdoor, it turned out that the attackers had exploited weaknesses in the Dual_EC encryption method – weaknesses that some have said were intentionally left there during the standardisation process. This is part of a broader NSA project – Bullrun – that was revealed in the Snowden files.

What to do?

What can people do about compromises that happen even before they receive their device? In an ideal world, you’d audit everyone in the supply chain to see how well their cybersecurity practices stood up, but in a world where you often don’t get to see who’s involved three or four hops along that chain, it’s simply too resource-intensive an idea for one customer to pursue.

There are all kinds of best practices to help minimise the risk of compromise. Only buy from top-name vendors. Check which encryption standard the vendor is using and whether it has a known weakness. Use multiple encryption technologies anyway, rather than relying on the manufacturer’s chosen one. Segment assets that hold data from each other, so that if one device or network segment is compromised, attackers can’t move laterally through the organization.
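The ROM-resident malware described earlier sits on a system partition with system privileges, so the ordinary “uninstall” route is closed to the user; what a defender can do instead is compare a freshly unboxed device against a known-good baseline of the same model. The script below is an added example (not Check Point’s tooling or code from this article) that does exactly that: it parses the output of `adb shell pm list packages -f`, ignores user-installed apps under `/data`, and flags any system-partition package that is absent from the baseline or whose APK hash differs from it. The `pm` output, the baseline hashes and the observed hashes are all constructed sample data; in practice you would capture the observed hashes with `adb pull` followed by `sha256sum` on each APK, and build the baseline once from a trusted reference unit.

```python
"""Baseline check for preinstalled (system-partition) Android packages.

Added example. Assumes `adb shell pm list packages -f` output and per-APK
SHA-256 hashes are available; all inputs below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Partitions whose apps run with system privileges and cannot be removed
# through the normal uninstall flow (extend for a given vendor layout).
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")

# One line of `pm list packages -f` looks like:  package:<apk path>=<package>
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Constructed sample of `pm list packages -f` output from a new device.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/SysUpdate/SysUpdate.apk=com.example.sysupdate
package:/data/app/com.example.game-1/base.apk=com.example.game
"""

# Constructed baseline: package name -> SHA-256 of its APK on a trusted unit.
BASELINE: Dict[str, str] = {
    "com.android.calendar": "aa" * 32,
    "com.android.settings": "bb" * 32,
}

# Constructed: SHA-256 of each APK as pulled from the device under test.
OBSERVED_HASHES: Dict[str, str] = {
    "/system/app/Calendar/Calendar.apk": "aa" * 32,
    "/system/priv-app/Settings/Settings.apk": "cc" * 32,  # differs from baseline
    "/system/app/SysUpdate/SysUpdate.apk": "dd" * 32,     # not in baseline at all
    "/data/app/com.example.game-1/base.apk": "ee" * 32,
}


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    reason: str


def parse_pm_output(text: str) -> List[Tuple[str, str]]:
    """Return (apk_path, package_name) pairs; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("pkg")))
    return entries


def on_system_partition(path: str) -> bool:
    """True if the APK lives on a partition the user cannot modify."""
    return path.startswith(SYSTEM_PREFIXES)


def audit(pm_output: str, observed: Dict[str, str], baseline: Dict[str, str]) -> List[Finding]:
    """Compare the device's system-partition packages against the baseline."""
    findings: List[Finding] = []
    entries = parse_pm_output(pm_output)
    for path, pkg in entries:
        if not on_system_partition(path):
            continue  # user-installed app; removable by normal means, out of scope
        expected = baseline.get(pkg)
        got = observed.get(path)
        if expected is None:
            findings.append(Finding(pkg, path, "not in known-good baseline"))
        elif got is None:
            findings.append(Finding(pkg, path, "no hash captured for APK"))
        elif got != expected:
            findings.append(Finding(pkg, path, "APK hash differs from baseline"))
    # A baseline package that has vanished is also worth a look (replaced or renamed).
    seen = {pkg for _, pkg in entries}
    for pkg in sorted(baseline):
        if pkg not in seen:
            findings.append(Finding(pkg, "", "baseline package missing from device"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PM_OUTPUT, OBSERVED_HASHES, BASELINE):
        print(f"{f.reason:32} {f.package} {f.path}")
```

On the sample data this reports two findings: `com.android.settings` because its APK hash differs from the trusted unit, and `com.example.sysupdate` because no such package exists in the baseline. The game under `/data` is ignored, since a user-installed app is not the supply-chain case this check is for. A hash mismatch on a core system app is the signal that warrants treating the device as untrusted until the vendor can account for it.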

Another more controversial measure might be to look at the product’s own technology ecosystem and conduct a risk analysis. Android phones are the ones getting pwned at the factory because it’s an open source operating system and manufacturers have a great deal of latitude in terms of how they configure it.

These are all worthwhile measures that can help protect you against a variety of attacks, but ultimately, none of them can guarantee you a clean device. We have economics to thank for that. One characteristic of an economy with cheap transportation is the fragmentation of the production process, and the introduction of many different players, often half a world away. You’ll never meet, but every once in a while, someone in that supply chain might decide to send you a little something extra, hidden away in a binary somewhere.