The global supply chain has become a "major worry," with potential dangers involving electronic components in embedded systems and malicious code in software, according to a report on emerging threats issued by the Georgia Institute of Technology.
The report, issued in conjunction with the university's 2012 cybersecurity summit, outlined emerging security threats that need to be addressed by researchers. Supply chain assurance is stymied by a number of issues, including complex global economic and jurisdictional problems, the difficulty of monitoring and controlling various parts of the manufacturing process, and the ease with which modifications can be hidden in embedded systems.
Current strategies to catch any attack through the supply chain will most likely fail, according to Georgia Tech's Emerging Cyber Threats Report 2013. Some firms are conducting random tests on devices. The goal has been to focus on detecting counterfeit hardware or spot-checking for embedded malware. "Finding changes is a difficult, time-consuming process," according to the report. "A handful of companies are taking a far more paranoid approach and not trusting the supply chain at all."
Georgia Tech researchers are looking at more proactive strategies, the report said. Ways are being developed to attest the foundational components of an information-technology system to detect modifications.
The issue of supply chain security came to a head recently when a congressional report warned that telecommunications providers Huawei and ZTE could not be trusted. It "strongly encouraged" enterprises to consider not doing business with the China-based telecom giants. At a recent conference on cloud security issues, Huawei CSO David "Andy" Purdy said his firm is committed to working with the United States and added that it gets hundreds of components in its equipment from U.S.-based manufacturers.
Mobile ecosystem keeps devices secure
Meanwhile, the report touts the strong and diverse mobile ecosystem for keeping mobile devices relatively secure. Despite the perceived threats posed by mobile malware and other attacks on smartphones, tablets and other devices, "managed app stores and the ability to remove malicious apps from devices has made it more difficult to exploit a large number of devices," the report said.
The report highlighted the growth of malicious Android apps as an area of concern. The issue is less of a problem in the United States, but in China and Russia, infection rates are as high as 40%, according to the report. Infrequent patching by carriers and manufacturers poses a serious problem, and the development of mobile wallets is likely to attract the attention of cybercriminals, the report said.
But the report found that monetizing compromised devices has been difficult, with attackers sticking mainly to SMS Trojans and other text messaging-based attacks designed to rack up premium rate charges on mobile devices.
"The ubiquity of mobile devices means that security researchers and cybercriminals alike will continue to test the security of the platforms," according to the report. "We expect novel attacks and new ways to monetize mobile devices to emerge."