
Infected Firmware Threatens UK

OXFORD, U.K. -- Government and communications networks could be infected with malicious firmware imported from Far Eastern markets such as China, according to independent security penetration consultancy SecureTest. Unlike current malware, which targets software, machine-level hardware such as the chipsets used in routers, switches and other computer devices is rarely tested and may already have established back doors in communications systems across the country.

Routers and switches require machine-level software (known as firmware) to run. It would not be difficult for an insider to install or write malware into the firmware of these devices during the manufacturing process. Firmware could be altered to hive off data passing through communications equipment to another company, or to create a backdoor that makes the devices accessible from unauthorised sources. There are currently limited testing procedures in place to spot malware on these machine-level components, and an over-reliance on often unmonitored foreign production processes increases this risk.

Evidence that started to cast doubt on these foreign IT production processes first came to light over the Christmas period, when online shoppers purchased IT peripherals such as USB sticks, MP3 players and digital photo frames that were infected with malware, potentially infecting millions of home PCs. Given that consumer-targeted products are being infected at the point of manufacture, it's likely that corporate PCs and network components such as switches, routers and firewalls may also have been compromised. These devices are made of thousands of components from different manufacturers, many of which run machine-level firmware; this is where an effective and potentially devastating infection could occur.

Unlike malware written onto the hard drive or flash memory of a device, infected firmware is hard to spot. Traditionally, malware piggybacks on a device and is then transferred onto the host network, activity that can be detected by anti-virus software at the operating system level. But infected firmware bypasses the operating system layer altogether, with the device itself acting as the malware. Anti-virus and malware scanners are therefore unable to detect it, as these technologies don't have the functionality to scan to this depth.

Unless robust Quality Assurance processes are in place, the infected firmware would not be found. Even the most security-aware organisations do not routinely screen new infrastructure devices. The assumption is that they are fresh out of the box and untampered with. Any testing is generally done at the operating system or network level via penetration testing, but this may or may not find a 'back door' hidden in the firmware of an infrastructure device. The UK government would be unlikely to spot firmware-based malware because the existing accreditation process doesn't cover switches, routers and other devices at a low enough level. There is a very good chance that back doors may already be in place on critical network infrastructure in government and corporate networks.
