“Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.”
Installing third-party software to intercept encrypted communications is obviously a bad idea. Shipping the same CA certificate on every system, together with its private key, is worse: anyone who extracts that key once can impersonate any website to every affected machine. While Lenovo likely did not intend to introduce this serious vulnerability, their actions highlight how easily a manufacturer can circumvent critical security controls.
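The practical lesson from Superfish is that certificate validation by itself cannot reveal this kind of interception: once the interception root sits in the operating system's trust store, the re-signed chain validates cleanly. What does reveal it is checking who issued the leaf certificate. The following is an added example, not code from the original article or from any vendor: it shows how to inspect the issuer in the dictionary shape Python's `ssl` module returns from `getpeercert()`, using two constructed sample certificates (one for a site served directly, one seen through an interception proxy). The hostnames, the CA name `Example Public CA` and the expected-issuer list are assumptions; the `fetch_peercert` helper performs a live lookup and is not called in the offline run.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a leaf certificate for a site served directly by its real CA.
LEGIT_PEERCERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),       # assumed CA name
        (("commonName", "Example Public CA TLS RSA 2020"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed sample of the same site observed through an interception proxy
# that re-signs traffic with a root it installed locally (the Superfish pattern).
INTERCEPTED_PEERCERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def rdn_value(name, attr):
    """Return the first value of attribute `attr` (e.g. 'organizationName')
    from a getpeercert()-style distinguished name, or None if absent.
    The name is a tuple of RDNs; each RDN is a tuple of (type, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def check_issuer(peercert, expected_issuer_orgs):
    """Return (ok, reason). ok is True only when the leaf certificate's issuer
    organisation is one the site is known to use. A mismatch on a chain that
    the OS nevertheless trusted is the signature of a locally installed
    interception root."""
    issuer_org = rdn_value(peercert.get("issuer", ()), "organizationName")
    if issuer_org is None:
        return False, "issuer has no organizationName"
    if issuer_org in expected_issuer_orgs:
        return True, f"issued by expected CA {issuer_org!r}"
    return False, f"unexpected issuer {issuer_org!r}: possible TLS interception"


def fetch_peercert(host, port=443, timeout=5.0):
    """Live lookup (not used in the offline run): open a validated TLS
    connection and return the peer certificate in getpeercert() form.
    Validation uses the system trust store, so an interception root installed
    by software such as Superfish would be accepted here; only check_issuer()
    exposes it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    expected = {"Example Public CA"}  # assumed: the CAs this site actually uses
    for label, cert in (("direct", LEGIT_PEERCERT), ("proxied", INTERCEPTED_PEERCERT)):
        ok, reason = check_issuer(cert, expected)
        print(f"{label:8s} {'OK   ' if ok else 'ALERT'} {reason}")
```

Pinning on issuer organisation is a coarse heuristic: sites do change CAs, so the expected list needs maintenance, and a stricter check would pin the issuing key's fingerprint. The value of even this coarse check is that it fires precisely in the case the browser stays silent about.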
In February, Kaspersky Labs released research into the Equation cyberespionage group. Notably, the group has developed the ability to reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM. This gives them the capability to hide data on the drive and re-introduce malware into the operating system even if the drive is wiped and the operating system re-installed.
Developing this capability was no simple task. As Serge Malenkovich wrote on Kaspersky’s blog:
“A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions. This is very high profile engineering which requires months of development and millions in investment.”
While there is no evidence that this capability has been used within the supply chain, it clearly demonstrates what can be done by intercepting a target’s PC or even a replacement hard drive. In May 2014, Ars Technica and others reported on leaked documents depicting NSA employees intercepting network devices and installing “beacon implants.” As Glenn Greenwald wrote, “for years, the US government loudly warned the world that Chinese routers and other internet devices pose a ‘threat’ because they are built with backdoor surveillance functionality that gives the Chinese government the ability to spy on anyone using them. Yet what the NSA’s documents show is that Americans have been engaged in precisely the activity that the US accused the Chinese of doing.”
It is highly likely that other governments and criminal organizations are using similar tactics to compromise equipment before it is delivered to their targets. Addressing this issue is critical. As Cisco CEO John Chambers wrote to US President Obama:
“While the reports included a photograph purportedly showing a Cisco product being modified, this issue affects an entire industry that depends on a global supply chain and global shipments. We ship our products from locations inside, as well as outside the United States, and if these allegations are true, these actions will undermine confidence in our industry and in the ability of technology companies to deliver products globally.”
Protecting the supply chain is difficult. Corporations must carefully consider not only the vendors from whom they purchase products, but also how those products are shipped and through which countries they transit.
Detecting implants designed into hardware is exceptionally difficult. Fortunately, third parties who intercept equipment are most likely to install modified firmware or software rather than alter the hardware itself. The best defence at this time is to re-load firmware and software wherever possible before using new computers, networking gear, hard drives, and other components.
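Re-loading firmware only helps if the image being loaded is itself the vendor's, so the step belongs with a check of the image against digests published by the vendor over a separate channel (their website, ideally a signed manifest), never against a checksum file that travelled with the shipment. The following is an added example, not code from the original article or from any vendor: it parses a manifest in the common `sha256sum` format and verifies an image against it, using a constructed image, a constructed manifest and a deliberately altered copy of the image. The file names `router-2.1.bin` and `router-2.0.bin` are assumptions.

```python
import hashlib
import hmac

# Constructed firmware image and a copy with a single byte altered, standing in
# for a vendor image and a tampered one. Neither is a real firmware file.
FIRMWARE_IMAGE = b"constructed firmware image v2.1\x00" * 64
TAMPERED_IMAGE = FIRMWARE_IMAGE[:100] + b"\x90" + FIRMWARE_IMAGE[101:]

# Constructed vendor manifest in `sha256sum` format ("<hex digest>  <name>").
# Blank lines and '#' comments are tolerated because hand-edited manifests
# often contain them.
MANIFEST = "\n".join([
    "# constructed manifest: firmware images for the assumed router-2.x line",
    "",
    hashlib.sha256(FIRMWARE_IMAGE).hexdigest() + "  router-2.1.bin",
    "0" * 64 + "  router-2.0.bin",   # placeholder digest for an older image
]) + "\n"


def parse_manifest(text):
    """Map file name -> expected hex SHA-256 digest.
    Raises ValueError on a malformed line rather than silently skipping it,
    because a manifest that parses 'mostly' is not a trustworthy reference."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: {digest!r} is not a SHA-256 hex digest")
        expected[name] = digest
    return expected


def verify_image(data, name, manifest_text):
    """Return (ok, reason) for an image `data` that should be `name` in the manifest.
    An image with no manifest entry is treated as a failure, not as 'unknown'."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False, f"{name}: no entry in manifest, refusing to flash"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking which prefix matched through timing.
    if hmac.compare_digest(actual, expected[name]):
        return True, f"{name}: SHA-256 matches manifest ({actual[:16]}...)"
    return False, f"{name}: SHA-256 mismatch, image is not the published one"


if __name__ == "__main__":
    for label, data, name in (
        ("vendor image  ", FIRMWARE_IMAGE, "router-2.1.bin"),
        ("altered image ", TAMPERED_IMAGE, "router-2.1.bin"),
        ("unlisted image", FIRMWARE_IMAGE, "router-9.9.bin"),
    ):
        ok, reason = verify_image(data, name, MANIFEST)
        print(f"{label} {'OK   ' if ok else 'FAIL '} {reason}")
```

Where the vendor signs its manifest, the signature is checked first and the digest check above runs on the verified manifest; where only an unsigned digest list is published, retrieving it over a TLS connection whose issuer you have checked (as in the earlier example) is the minimum before trusting it.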