Securing Tech Product Supply Chain Is No Easy Task

A supplier of body cams to police agencies is embarrassed when a computer virus is discovered in its products, highlighting the challenges of keeping malware out of software embedded in electronic devices.

Malware and spyware are worries for anyone browsing the less-traveled Internet or wondering whether they should open an attachment from an unknown sender. Yet occasionally, the unwanted programs attempt to hitch a ride on other devices.

Florida-based network integrator iPower Technologies found one such device. The company, which is creating a video storage system for police departments, connected several manufacturers' body cameras to its computers.

Devices from one supplier, Martel Electronics, set off its antivirus systems, iPower said in mid-November. The antivirus scanner flagged Conficker. The 7-year-old computer virus had apparently infected multiple cameras from the manufacturer.

Conficker can be difficult to eradicate, as evidenced by its longevity seven years after the first variant started spreading. If an unprotected system had connected to the Martel device, it would likely have been infected, stated iPower, which worried that the computer systems of Martel's customers—mainly police departments—may have been infected.

"As the Internet of Things continues to grow into every device we use in our businesses and home lives each day, it becomes even more important that manufacturers have stringent security protocols," Jarrett Pavao, president of iPower, said in a statement. "If products are being produced in offshore locations, what responsibilities lie with the manufacturer to guarantee our safety?"

Martel did not return requests for comment, yet what appears to have been an accidental infection of a personal electronic device is less of a concern than the trend among intelligence agencies and criminal groups of implanting malware on devices.

Documents leaked by former National Security Agency contractor Edward Snowden detailed efforts by the U.S. intelligence agency to intercept shipments of hardware, implanting them with surveillance programs and then re-shipping them to their destination.

In another attack, a supplier of barcode scanners in China shipped devices to at least eight companies with advanced malware embedded in the products. The attack, detailed by security firm TrapX, appears to be part of China's government-sponsored industrial espionage operations.

Whether purposeful attacks or unintended infections, such incidents underscore that suppliers and manufacturers need to do more to guard their customers from cyber-attacks.

"Clearly, the manufacturers are not doing enough to secure their products," Carl Wright, general manager of TrapX, told eWEEK. "Attackers do not have to do much work to get on those devices."

Wright and other security experts are recommending that businesses take a number of steps to try to prevent new computer and electronic equipment from arriving at their doors infected with malware.

Take suppliers to task

The first step for companies is to require that their suppliers follow the same security standards and policies that they do, Wright said. While such efforts can be time-consuming, educating suppliers on their customers' product security expectations is a good start.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...