GUEST ESSAY: DHS tackles supply-chain issues over malware-laden smartphones

At the Black Hat security conference last August, researchers from the security firm Kryptowire announced that they’d discovered Amazon’s #1-selling unlocked Android phone, the BLU R1 HD, was sending Personally Identifiable Information (PII) to servers in China. The culprit was a piece of firmware update software created by AdUps Technologies, a company based in Shanghai.


For many members of the audience, it was a major episode of deja vu. Just eight months earlier, the same company, Kryptowire, had announced they had discovered the exact same backdoor in AdUps software running on the exact same BLU phone. BLU claimed then that the existence of the backdoor was a mistake, and that the problem had been fixed. Clearly, it hadn’t been. Whatever changes AdUps made to its code reduced the amount of PII being transmitted, but didn’t stop the flow entirely.

The discovery—and re-discovery—of pre-installed malware has become a recurring pattern for many inexpensive Android phones. Just earlier this month, for instance, Check Point Security, the makers of a mobile threat prevention app, discovered malware pre-installed on 38 Android phones belonging to two unnamed companies. The apps were installed at some point in the supply chain after manufacturing, but before the phones were purchased in stores.


The apparent connection between such malware backdoors and foreign powers is even more concerning. AdUps Technologies also provides software to Huawei, a large Chinese smartphone manufacturer that is making a major push to enter the US market.

Though researchers haven’t found any backdoors in Huawei smartphones yet, the company’s close ties to the Chinese government have raised suspicions among US security officials. At a Senate hearing in February, FBI director Christopher Wray, then-CIA director Mike Pompeo, and Director of National Intelligence Dan Coats all said that they would never willingly use a Huawei smartphone due to security concerns.

As the stories above show, security researchers are capable of detecting these so-called supply chain attacks. However, as the number of mobile device models on the market continues to grow, the question becomes how to perform such detection at scale. It is a problem that the US government is attacking head-on.

Currently, the DHS Office of Cybersecurity and Communications is leading an effort to secure the federal government’s own technology supply chain by implementing standardized cybersecurity checks for contracts, similar to those already in place for factors like financial risk.

My own DHS Science & Technology Directorate is underwriting research that will assist these efforts. For example, in September 2017, we awarded more than half a million dollars to the Critical Infrastructure Resilience Institute at the University of Illinois at Urbana-Champaign to partner with Kryptowire to research cyber-threats pre-positioned in the supply chain. The project will create a framework that enables analysts to easily identify new threats, starting with an analysis of firmware updates. Also in September, we awarded funding to semiconductor company Qualcomm to develop a security layer that can be anchored in the hardware of a mobile device, allowing for continuous monitoring of third-party apps and services.

In short, mobile device supply chain vulnerabilities are a pressing problem that the government is making every effort to address. In the interim, however, individuals and enterprises should adopt precautions, including following the federal mobile security guidelines defined by NIST. The safety of their personal data may depend on it.

About the essayist: Vincent Sritapan is a Program Manager in the Cyber Security Division at the Department of Homeland Security Science and Technology Directorate.


This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido.