Updated 10:30 p.m. PDT with comment from ESET.
SAN FRANCISCO--Computer equipment is arriving on stores shelves in the U.S. with viruses and other malicious software, but industry insiders said at the RSA conference on Tuesday that they don't know whether it's the result of intentional manipulation or just poor manufacturing processes overseas.
In 2007 and last year, digital photo frames sold around Christmas time were found to be infected with malware, and in previous years GPS devices, hard drives, laptops from Toshiba, iPods, and USB keys that accompany Hewlett-Packard servers were found to have similar problems, said Marcus Sachs, executive director of national security policy at Verizon Business.
The Defense Department temporarily banned the use of thumb drives last year after USB memory sticks still in their packaging were found pre-infected with malware and in recent weeks there have been reports of ATMs that were modified before shipping to include a backdoor, he said.
"Can we guarantee that what's being built off shore when it comes to our country is exactly what we think it is?" he asked. "Today, if the conflict is going to be in cyberspace, our weapons are being built by our potential enemies."
The U.S. government has poisoned products used by enemies, he said. In the 1980s, the CIA fed software to Russia that had a logic bomb in it to sabotage the trans-Siberian pipeline, Sachs said.
"That shows that our own government in the United States is willing to do this," he said. "We have done this. We have poisoned the supply chain for critical infrastructures in other countries."
He asked a panel of industry leaders and government officials whether they thought such problems were the work of nation states purposely targeting the United States or whether it's merely a problem with "dirty manufacturing processes," like those that have led to recalls of all sorts of products that were manufactured in China.
No one had an answer. In fact, panelists said they were more focused on preventing software piracy.
"It's a fairly new world for our company and frankly other companies to deal with. We've cared about supply chain from an intellectual property perspective," said Tiffany Jones, director of government relations for the Americas at Symantec.
"I personally believe that much of what we see are...violations of norm of intellectual property which is in the counterfeit space," said Mitchell Komaroff, director of the Defense Department's globalization task force.
Later, he acknowledged the threat, saying: "The development products are already tainted with viruses...all of these are things a sophisticated adversary can take advantage of."
In an interview late on Tuesday with CNET News, James "Randy" Abrams, director of technical education and anti-virus firm ESET, said he suspected that most of the new product infections are accidental and due to situations like quality assurance test machines being connected to the Internet and getting infected. In the iPod case, he said his understanding was that the only iPods that appeared to have been infected were the ones that had been quality tested.
"My best guess is 99 percent of the time it is not espionage," said Abrams, who worked at Microsoft for years making sure the software the company shipped out was infection free.
The problem is likely due to "people with traditional manufacturing backgrounds who do not understand the implications of software and that your quality-assurance machine can't be connected to the Internet," he said. "There's a generation of manufacturing supervisors and employees that doesn't understand the digital age."
In 2007, U.S. officials recalled melamine-laced pet food that caused the deaths of cats and dogs and lead-coated toys that endangered toddlers. Now, digital photo frames infected with computer viruses are the latest problem import from China.
"That phenomenon apparently has bled over to the digital side as well," Marcus Sachs, director of the Internet Storm Center at the SANS Institute (SysAdmin, Audit, Network, Security), said of the Chinese manufacturing problems that get exported. "Essentially, it's a supply chain problem. We've become dependent on a cheap source coming out of Asia."
The culprit is believed to be poor quality-assurance testing procedures in which one of every 1,000 or so devices is plucked off an assembly line and tested on a computer that is infected with a virus, he said.
Before Christmas, Samsung and Amazon issued alerts warning customers that some Photo Frame Driver CDs for Samsung's SPF line of digital photo frames contained a virus in the frame manager software. Customer PCs running Windows XP are at risk of being infected by the virus, W32.Sality.AE, which drops a keylogger or backdoor onto the system.
Element and Mercury brand frames sold at Circuit City and Wal-Mart, respectively, also were reported to be infected, according to the San Francisco Chronicle.
Sales of digital photo frame are increasing and Chinese suppliers produced more than 8 million in 2007, according to MarketResearch.com. Their plug-and-play use and the fact that they serve as a digital replacement for paper albums make electronic picture frames popular holiday gifts.
A year ago, Insignia digital picture frames were pulled from shelves and online sites after Best Buy learned they could be carrying a virus. Also reported to be infected then were digital frames from Advanced Design System, Digital Spectrum, and Castleton. But digital frames aren't the only electronic items found to carry a hidden payload. Other malware-infected devices have included MP3-playing sunglasses, a flip video camera, and Maxtor external hard drives, according to the SANS Internet Storm Center.
"Anything that has flash storage or bootable storage is exposed to this kind of threat," said Dave Marcus, director of security research for McAfee Avert Labs. "It doesn't mean you shouldn't buy them. You should just realize before you plug it in that you might want to disable the Windows auto-boot functionality and run an antivirus scan on it, just to be safe."
For instance, the ubiquity and convenience of USB thumb drives make them a growing propagation vector. A virus outbreak on a U.S. Department of Defense network prompted officials to temporarily ban the use USB drives, CDs and removable storage devices in November.
Attrition.org offers a long and growing list of malware-infected products that have hit store shelves.
(Credit: Attrition.org)Security Web site Attrition.org maintains a list of products shipped to customers that were found to be infected with viruses and other malicious or odd programs. The list, which goes back to 1990, includes a credit card terminal that contained a bug to steal credit card information, MP3 players, USB drives, and other hard drives with computer worms, and a Cisco VPN Client CD that had MP3s of Mexican drug-runner folk music known as "Narcocorridos," all in 2008. Then there are the infamous Video iPods that shipped in 2006 with a Windows virus. (And just last April, a colleague bought a re-conditioned iPod Nano that arrived with a virus.)
"This list is not complete, yet it should make you realize that nothing is safe," the Attrition.org site says in a cynical warning. "Every piece of electronics you buy and every piece of software you install may come with malware pre-installed. Rather than manufacturers introducing a higher set of quality controls to prevent such incidents, we will no doubt see companies produce new products that will help keep you 'safe' from such threats. These 'controls' would no-doubt be another band-aid on top of band-aids that make up a lucrative market, which is sad commentary about how customers perceive and receive 'electronic security.'"
The problem is getting serious enough to merit congressional hearings on how to protect consumers against getting harmed from the electronic products they buy, said Sachs of the SANS Internet storm.
Right now the best protection against being infected by viruses in new devices is to keep antivirus software up to date, and disable Windows' AutoRun features and instead manually launch programs and installers when devices are inserted. The CERT security research organization has more information on the risks associated with AutoRun on its Web site.
- prev
- 1
- next
