Infected Firmware Threatens UK
Infected firmware threatens UK government and FTSE 100 networks, warns SecureTest
March 4, 2008
OXFORD, U.K. -- Government and communications networks could be infected with malicious firmware imported from far eastern markets such as China, according to the independent security penetration consultancy SecureTest. Unlike conventional malware, the machine-level hardware in routers, switches and other computing devices, such as their chipsets, is rarely tested, and back doors may already be established in communications systems across the country.
Routers and switches require machine-level software (known as firmware) to run. It would not be difficult for an insider to install or write malware into the firmware of these devices during the manufacturing process. Firmware could be altered to siphon data passing over the communications equipment to another company, or to create a back door that makes the device accessible from unauthorised sources. There are currently limited testing procedures in place to spot malware on these machine-level components, and an over-reliance on often unmonitored foreign production processes increases this risk.
Evidence that started to cast doubt on these foreign IT production processes first came to light over the Christmas period, when online shoppers purchased IT peripherals such as USB sticks, MP3 players and digital photo frames that shipped with malware, potentially infecting millions of home PCs. Given that consumer-targeted products are being infected at the point of manufacture, it's likely that corporate PCs and network components such as switches, routers and firewalls may also have been compromised. These devices are made of thousands of components from different manufacturers, many of which run machine-level firmware; this is where an effective and potentially devastating infection could occur.
Unlike malware written onto the hard drive or flash memory of a device, infected firmware is hard to spot. Traditionally, malware piggybacks on a device and is then transferred onto the hosting network, activity that can be detected by anti-virus software at the operating system level. Infected firmware bypasses the operating system layer altogether, with the device itself acting as the malware. Anti-virus and malware scanners are therefore unable to detect it, as these technologies do not have the functionality to scan to this depth.
Unless robust quality assurance processes are in place, infected firmware would not be found. Even the most security-aware organisations do not routinely screen new infrastructure devices; the assumption is that they are fresh out of the box and untampered with. Any testing is generally done at the operating system or network level via penetration testing, which may or may not find a 'back door' hidden in the firmware of an infrastructure device. The UK government would be unlikely to spot firmware-based malware because the existing accreditation process does not cover switches, routers and other devices at a low enough level. There is a very good chance that back doors may already be in place on critical network infrastructure in government and corporate networks.

Ken Munro, Managing Director, SecureTest, advises: "Organisations should change their security policies and procedures immediately. This is a very real loophole that needs closing. The Government needs to act fast. Would they buy a missile from China, then deploy it untested into a Western missile silo and expect it to function when directed at the Far East? That's essentially what they're doing by installing network infrastructure produced in the Far East, such as switches and routers, untested into government and corporate networks. We are calling on the Government to tackle this issue through import channels. What is needed, and fast, is the introduction and enforcement of standards and penalties for non-compliance."
SecureTest Ltd.