DARPA concerned over supply chain malware threat

US government agency DARPA has raised concerns over malicious software entering the supply chain of IT equipment procured by government departments.

IT equipment is made up of components produced in a wide range of countries, so there are potential security risks for hardware that is connected to secure or sensitive networks. This could mean a large number of compromised mobile phones, network routers or PC workstations, allowing for data extraction or even the sabotage of critical operations.

There are many difficulties in adequately protecting against such attacks, and the large volume of commercially procured equipment makes spotting security problems a tough job.

DARPA said that the ability to do this on a large scale for the Department of Defense is hampered by the time constraints of checking so many devices.  Developing a method to enable non-specialist technicians to determine that a device is one potential way to reduce risk, but it is by no means easy.

DARPA has proposed a Vetting Commodity IT Software and Firmware programme to look at ways to mitigate the risks posed by backdoors, malware and other vulnerabilities.   

Tim Fraser, DARPA program manager, said that the problems facing government departments are bigger than ever.

“DoD relies on millions of devices to bring network access and functionality to its users,” Fraser said. “Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread.” 

The goal of a vetting programme will be to develop a set of techniques, tools and demonstrations to help make some of these aims more achievable.

Malicious software entering supply chains is an increasing problem. In September, Microsoft claimed that its own investigations had uncovered that hardware sold directly to consumers was, in some cases, pre-loaded with malware. Though Microsoft was able to disrupt some of the attempts to infect computers in this fashion, it highlighted the ease with which supposedly secure supply chains can be compromised.  

David Emm, Senior Security Researcher at Kaspersky Labs, told TechEye that there are many ways malicious software can be hidden on hardware.

“Concern about the dangers of malicious software entering the supply chain of IT equipment is clearly growing, with network devices such as routers, access points and DSL modems providing a perfect hiding place for malware,” Emm said. 

“A recent example of this is a Brazilian attack that focused on just a single firmware vulnerability,” he said. “The Brazilian government confirmed that an estimated 4.5 million modems were compromised in the attack and were being used for different kinds of fraudulent activity.”

With IT equipment spending continuing to rise throughout most of the world, there are increasing opportunities for those intent on spying on or sabotaging systems to wreak havoc.

“The increasing dependence of individuals and organisations on devices of this sort is likely to mean that they attract more attention in the future,” Emm continued.  

“Unfortunately, while the risks from malicious software are becoming widely known, device security is often overlooked,” he said.