Pre-infected hardware and software ships to the US

The US Department of Homeland Security has warned that hardware is being shipped from foreign parts with malware and spyware pre-installed.

While many think that this would have the advantage of cutting out the middle man, Greg Schaffer, the Department of Homeland Security’s acting deputy undersecretary for national protection and programs, said that the problem is getting worse.

Schaffer was talking to the House Oversight and Government Reform Committee. It’s thinking about an Obama-backed proposal to tighten monitoring on computer equipment imported for critical government and communications infrastructure.

Schaffer didn’t mention if he was talking about end-user consumer tech like retail laptops, DVDs and media players, or the serious business computers leant on by government departments.

However, it is the first time that the United States has publicly confirmed that foreign consumer technology is arriving in the country already loaded with nasty bugs like key-logging software, botnet components and even software designed to defeat security programs installed on the same machine.

He was asked by Jason Chaffetz, who was worried that using software and hardware built overseas ran the risk that items could be embedded in them already.

Schaffer tried to get a bit woolly and said  the issue was important to Barack Obama. Chaffetz cut him off and restated the question, to ask him if he was aware of “any component software or hardware coming to the United States of America that already have security risks embedded into those components”.

Schaffer paused before saying he was aware that there have been instances where that has happened.

To be fair to Schaffer, there have been cases were software was infected by malware at the plant before it shipped. However this had little to do with an attempt to spy on the computers. More often it is just that the disk image gets infected by mistake.

If hardware is being tinkered with, that would be another matter. So far there have been no public cases of this happening.

The exchange is on YouTube.