Tainted products--sabotage or shoddy manufacturing?

Panelists at the RSA security conference don't know why some products arrive on store shelves in the U.S. infected with viruses.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Updated 10:30 p.m. PDT with comment from ESET.

SAN FRANCISCO--Computer equipment is arriving on store shelves in the U.S. with viruses and other malicious software, but industry insiders said at the RSA conference on Tuesday that they don't know whether it's the result of intentional manipulation or just poor manufacturing processes overseas.

In 2007 and last year, digital photo frames sold around Christmas time were found to be infected with malware, and in previous years GPS devices, hard drives, laptops from Toshiba, iPods, and USB keys that accompany Hewlett-Packard servers were found to have similar problems, said Marcus Sachs, executive director of national security policy at Verizon Business.

The Defense Department temporarily banned the use of thumb drives last year after USB memory sticks still in their packaging were found pre-infected with malware, and in recent weeks there have been reports of ATMs that were modified before shipping to include a backdoor, he said.

"Can we guarantee that what's being built off shore when it comes to our country is exactly what we think it is?" he asked. "Today, if the conflict is going to be in cyberspace, our weapons are being built by our potential enemies."

The U.S. government has poisoned products used by enemies, he said. In the 1980s, the CIA fed software to Russia that had a logic bomb in it to sabotage the trans-Siberian pipeline, Sachs said.

"That shows that our own government in the United States is willing to do this," he said. "We have done this. We have poisoned the supply chain for critical infrastructures in other countries."

He asked a panel of industry leaders and government officials whether they thought such problems were the work of nation states purposely targeting the United States or whether it's merely a problem with "dirty manufacturing processes," like those that have led to recalls of all sorts of products that were manufactured in China.

No one had an answer. In fact, panelists said they were more focused on preventing software piracy.

"It's a fairly new world for our company and frankly other companies to deal with. We've cared about supply chain from an intellectual property perspective," said Tiffany Jones, director of government relations for the Americas at Symantec.

"I personally believe that much of what we see are...violations of norm of intellectual property which is in the counterfeit space," said Mitchell Komaroff, director of the Defense Department's globalization task force.

Later, he acknowledged the threat, saying: "The development products are already tainted with viruses...all of these are things a sophisticated adversary can take advantage of."

In an interview late on Tuesday with CNET News, James "Randy" Abrams, director of technical education at anti-virus firm ESET, said he suspected that most of the new product infections are accidental and due to situations like quality assurance test machines being connected to the Internet and getting infected. In the iPod case, he said his understanding was that the only iPods that appeared to have been infected were the ones that had been quality tested.

"My best guess is 99 percent of the time it is not espionage," said Abrams, who worked at Microsoft for years making sure the software the company shipped out was infection free.

The problem is likely due to "people with traditional manufacturing backgrounds who do not understand the implications of software and that your quality-assurance machine can't be connected to the Internet," he said. "There's a generation of manufacturing supervisors and employees that doesn't understand the digital age."