Malware and spyware are worries for anyone browsing the less-traveled Internet or wondering whether they should open an attachment from an unknown sender. Yet occasionally, the unwanted programs attempt to hitch a ride on other devices.
Florida-based network integrator iPower Technologies found one such device. The company, which is creating a video storage system for police departments, connected several manufacturers’ body cameras to its computers.
Devices from one supplier, Martel Electronics, set off its antivirus systems, iPower said in mid-November. The antivirus scanner flagged Conficker. The 7-year-old computer virus had apparently infected multiple cameras from the manufacturer.
Conficker can be difficult to eradicate, as evidenced by its longevity seven years after the first variant started spreading. If an unprotected system had connected to the Martel device, it would likely have been infected, stated iPower, which worried that the computer systems of Martel’s customers—mainly police departments—may have been infected.
“As the Internet of Things continues to grow into every device we use in our businesses and home lives each day, it becomes even more important that manufacturers have stringent security protocols,” Jarrett Pavao, president of iPower, said in a statement. “If products are being produced in offshore locations, what responsibilities lie with the manufacturer to guarantee our safety?”
Martel did not return requests for comment, yet what appears to have been an accidental infection of a personal electronic device is less of a concern than the trend among intelligence agencies and criminal groups of implanting malware on devices.
Documents leaked by former National Security Agency contractor Edward Snowden detailed efforts by the U.S. intelligence agency to intercept shipments of hardware, implanting them with surveillance programs and then re-shipping them to their destination.
In another attack, a supplier of barcode scanners in China shipped devices to at least eight companies with advanced malware embedded in the products. The attack, detailed by security firm TrapX, appears to be part of China’s government-sponsored industrial espionage operations.
Whether purposeful attacks or unintended infections, such incidents underscore that suppliers and manufacturers need to do more to guard their customers from cyber-attacks.
“Clearly, the manufacturers are not doing enough to secure their products,” Carl Wright, general manager of TrapX, told eWEEK. “Attackers do not have to do much work to get on those devices.”
Wright and other security experts are recommending that businesses take a number of steps to try to prevent new computer and electronic equipment from arriving at their doors infected with malware.
Take suppliers to task
The first step for companies is to require that their suppliers follow the same security standards and policies that they do, Wright said. While such efforts can be time-consuming, educating suppliers on their customers’ product security expectations is a good start.
Securing Tech Product Supply Chain Is No Easy Task
Once informed, most manufacturers will make a good faith effort to comply with major clients’ requirements.
Moreover, suppliers need to understand that security is a required feature of any connected product. While bringing a product to market quickly and with the right features is obviously necessary for success, securing the product and the customer’s data are increasingly critical components of any development effort, he said.
“The onus is clearly on the manufacturer to put the controls in place to secure the products that they are going to bring to market,” Wright said.
Build a security process
Getting security right is not easy, but with so much relying on information technology these days, the suppliers of software and technology need to put greater effort into hardening their devices, Eric Baize, senior director of product security and trusted engineering for EMC Corp., told eWEEK.
Baize, who chairs the board of the Software Assurance Forum for Excellence in Code (SAFECode), argued that it is time to stop complaining about how tough the task of securing software and devices is, and instead put in the work to lock down the tidal wave of new products.
“A developer needs to do the right thing,” he said. “If it is difficult, it is likely because you don’t have a software engineering process in place.”
Manufacturers do not have to take the task on alone, however. Projects such as SAFECode’s Principles for Software Assurance Assessment and the Building Security in Maturity Model (BSIMM) aim to give companies blueprints for how to ensure that security is built into a business and its products. For many suppliers, this will be new territory, James Lyne, global head of security research at antivirus firm Sophos, told eWEEK.
“There is a whole industry there that has not suffered like Apple and Microsoft have for the last 20 years, and so have not learned these lessons,” he said.
Start with training
Once companies create a process for improving their product security (or, as a customer, for checking the security of their suppliers’ products), training and retraining can help instill the security ethic into the developers’ way of working, said SAFECode’s Baize.
“To solve software security problems we are facing across the board, we need developers to be trained on software security,” he said.
In the end, however, doing everything right is still no guarantee that cyber-criminals won’t find a way to compromise software or to exploit a hardware system, Baize said.
“Sometimes software security is like guessing someone’s life expectancy,” he said. “It is very difficult and challenging, and it is based on a very holistic process—even if you do everything right, there will always be a chance that someone can exploit a vulnerability in the software.”