As attackers target the supply chain, is it time to think about inspecting imported hardware and software?
After a spate of stories about products shipping with malware, a Veracode blog asked “Is it time for random audits to expose compromised supply chains?” If backdoors pre-loaded on your switches and routers aren’t scary enough, this week the firm TrapX issued a report on a piece of malicious software they called “Zombie Zero.” TrapX claims to have found the malware installed on scanners used in shipping and logistics to track packages and other products. The scanners were manufactured in China and sold to companies globally.
What’s to be done? Security-conscious firms need to take much more interest in the provenance of the hardware and software they buy. Firms like Apple that are big enough to have leverage might consider random audits of equipment and firmware to look for compromises. They might also insist on reviewing the manufacturing facilities where devices are assembled, to see what quality controls the manufacturer has over the software and hardware installed in its products.