Factory-Infected Gadgets: What Next?
Decades ago Ken Thompson, the great information security pioneer, wrote a widely acclaimed paper, “Reflections on trust.” In this still much-read paper Thompson asserted that the computing community implicitly trusts those who develop software that is used, and raises the possibility that even mainstream programs and tools such as compilers could have built-in Trojan horse software that performs malicious functions without the awareness of anyone but the person who originally installed the Trojan.
Thompson was way ahead of his time. Over the years we have seen software come out of the factory, so to speak, with malicious code. Microsoft’s having shipped copies of Office with macro viruses in 1995 provides just one of numerous poignant examples. But computing technology continues to proliferate, and with this proliferation come new ways to build and ship systems and software that are malware-infected. Japanese camera-giant Olympus provides an excellent recent example. This company has recently distributed a warning to its customers concerning the Stylus Tough 6010 digital compact camera, which has been shipped with malware in its internal memory card. The malware, called the Autorun virus, does not infect Olympus cameras. Instead, if an infected memory card is connected to a Windows computer’s USB port, Autorun can copy itself to the system and then infect attached USB devices. A spokesperson for Olympus offered an apology for having shipped the virus with what is believed to be approximately 1700 cameras and stated that this company will do whatever it can to enhance its quality control processes in the future.
The Olympus story nicely illustrates just how much threat avenues have grown over the years. Not all that long ago, computers consisted of workstations, servers, and network devices. Contemporary computers include not only workstations, servers, network devices, but also small mobile devices (the security of which I have discussed in numerous previous blog postings), chips embedded in cars, model railroad engines and transformers, any device with a memory card, and much more. Many gadgets are computers, And anything with embedded chips (including memory cards) can also become infected with malware.
A Sophos employee was quoted as saying the problem is a need for better quality control. It is difficult to understand how someone who works for a major security software vendor could make such an ignorant statement. The real problem is not lack of quality control, but rather that security is too often an afterthought, not an initial consideration when requirements are developed. Security needs to be embedded early in the development cycle, e.g., during the requirements phase, not later, e.g., during the quality assurance phase.
Curiously, the Autorun function in Windows systems is now once again involved in the potential for the Olympus virus to spread in Windows systems. One would think that after the Conficker worm (which is still very much alive and well, by the way) experience, people would have enough sense to disable this function. But alas, I suspect that most have not done so. You can lead a horse to water, but…
So hang on to your seat. The day of the gadget virus and worm is almost certainly right around the corner.