One of the top honchos in Homeland Security admitted to Congress something everyone who has ever done time in IT support knows: Gadgets other employees bring in from home are trouble.
Some come with a lot of empty space that could be filled up with valuable company information, for those who are into corporate espionage.
Others – mainly for those who are almost as computer savvy as they think they are – install drivers that can corrupt a workstation so completely it will eventually either go Sith or have to be buried at a crossroads with a stake through its heart. (Which it is depends on if the user is more Geek or more Goth.)
Viruses, trojan horses and other malware can also filter in, if IT didn't prepare for Bring Your Own Computer by adding dynamic scanning and policies that bar new devices from connecting to the network unless they've been scanned or approved.
The problem is a lot worse than that, though. Those things are just troublesome.
Some devices manufactured overseas and shipped here contain well concealed bits of malware designed not for mischief, but for espionage, according to testimony given recently to a House security subcommittee by Greg Schaffer, acting deputy undersecretary of the DHS National Protection and Programs Directorate (the length of whose title has, all by itself, caused productivity to decline in his division among government workers who have to type or say it).
The number of electronic devices and components built overseas – often by companies in countries none-too-favorably inclined toward the U.S. – means potential enemies have unrestricted access to smart devices that are hand carried through even tight IT security barriers by users who have no idea they're carrying sophisticated agents intent on espionage.
It apparently doesn't happen that often, but it does happen, according to testimony buried in the White House's Cyberspace Policy Review.
Some of the purposely infected devices were counterfeits slipped into the supply chain without the manufacturer's knowledge; others were "unambiguous, deliberate subversions" of legitimate products embedded with malware designed for espionage.
"The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities," the report read.
Schaffer gave no real details, but did say the DHS had found more specific examples during investigations during the past few months than it had at the time the Cyberspace Policy Review was published earlier this year.
DHS is still looking for new sources and new examples, but the supply chain for U.S.-based electronic manufacturers is so broad it would take a major effort to create security checkpoints that could catch some of the malware, or look for and close security holes opened by malware carried past existing security.
A report from the Internet Security Alliance (PDF) warns that malicious firmware could contain logic bombs that lie dormant in a weapons system and shut it down if the system ever went to war.
More general-purpose bits of nasty could hide just as long in components for laptops, music players, smartphones or other devices.
"Once malicious firmware has been inserted into electronic components, it can be almost impossible to detect. Because it is in the hardware, the malware will remain in place even when all the software has been upgraded or replaced. The circuits in which the malware would be hidden are microscopically small and enormously complex. What's more, like malicious software, it is possible to look directly at malicious firmware and not see anything wrong with it. Cleverly written malware will perform the kinds of operations that the system is routinely supposed to perform. It will just perform those operations at exactly the wrong time.

To prevent malicious firmware getting into government, military, and critical infrastructure systems, a number of government officials have proposed severe counter-measures. These counter-measures would require the design, fabrication, assembly, and distribution of the electronic components destined for government systems to be carried out domestically, in strictly controlled facilities, under constant and close supervision, by carefully vetted personnel, and with numerous verification procedures. The idea would be to institute these counter-measures by government mandates and as provisions in government contracts."
The upshot of all those potential solutions? Nothing.
The economics of chasing down malicious firmware, and the sheer number of devices that might contain it, are such that there's no realistic chance of fixing the problem, the report concluded.
Only a very few bad actors (other countries, in this case) would have the will and resources to try to pull this off, and a strain of malicious firmware would probably only work once, because the victims would expunge it, the report said.
Unfortunately, even if the number of bad actors is trivial compared to the number of, say, anonymous hacking groups, those players play for very high stakes.
Logic bombs may only work once, but that's also the case for real bombs. No one complains about their lack of repeatability.
If the stories are true that say China, North Korea, Iran and others are building up serious cyberwar capabilities that will let them attack our infrastructure, not just our social networks, malicious firmware would provide either a great entry point for remote-control software or a good way to add to the destruction of a big cyberattack.
It's hard to tell if this is a realistic and growing threat that government and corporate agencies should worry about, or whether it's one of those late-night worries about risks with catastrophic consequences but no real chance of happening – like being struck by a meteor while walking to work.
It is one more thing to worry about, though, and one more reason to make sure you have internal security systems designed to detect malicious activity – not just malware signatures – so they can identify and shut down attacks whose source you cannot yet identify.
Mostly those attacks will come from malware carried in the normal ways – email, USB drives, malicious web sites.
It's just a little disturbing to hear that even if you build a rock-solid defense against malware entering from all those other points, an RFID chip or print-toner-monitoring component could seed your network with malware that gives someone else a porthole through which to watch you work.