Security

Don't worry, the virus is free with purchase

Using the best methods of personal security isn't enough when the electronic gadgets you buy come with a virus preinstalled. The current problem appears to be insufficient quality control, but the same channel could become a deliberate attack vector.

Why bother to engage in risky behavior on the Web to infect your electronics when you can purchase products with viruses preinstalled?

From GPS navigational systems to iPods to digital picture frames, lately we have no way of knowing if the software that powers the device is as virus free as the rest of our computing systems. So far, Tom-Tom GPS, Apple, Target, and Best Buy have been hit by what appears to be a laxity in quality control on the part of Chinese factories. It would seem that electronics have found their "lead paint" issues.

It is believed that the issue is not one of any organized effort to introduce the virus, but there is no certain way to know that. If a virus is introduced at an early stage of production when software is uploaded to the gadget, the problems could be more serious and more widespread.

From MSNBC:

Knowing how many devices have been sold, or tracking the viruses with any precision, is impossible because of the secrecy kept by electronics makers and the companies they hire to build their products.

But given the nature of mass manufacturing, the numbers could be huge.

"It's like the old cockroach thing - you flip the lights on in the kitchen and they run away," said Marcus Sachs, a former White House cybersecurity official who now runs the security research group SANS Internet Storm Center. "You think you've got just one cockroach? There's probably thousands more of those little boogers that you can't see."

According to security experts, the viruses are introduced at the end of the manufacturing cycle, when the gadget is pulled from the assembly line and plugged into a test computer to ensure that everything is working. If the test computer is infected, it will infect anything that is plugged into it.

While the current threat is considered to be accidental, it is also exploitable.

Also from MSNBC:

"We'll probably see a steady increase over time," said Zulfikar Ramzan, a computer security researcher at Symantec Corp. "The hackers are still in a bit of a testing period - they're trying to figure out if it's really worth it."

Whether or not it is worth it to a hacker, some of the viruses that have been sold along with the latest consumer toys are pretty harsh, and having up-to-date anti-virus software may not be enough. In one reported case, the virus loaded on a digital frame sold at Sam's Club was a previously unknown variant. It not only steals online gaming passwords, it also turns off anti-virus software.

Monitoring suppliers is expensive and negates the cost savings of outsourcing. But it appears that it is also a requirement, as electronics join tainted toothpaste and poisoned pet food on the list of Chinese recalls.

This is not the first time that we have heard of preinstalled viruses, and it isn't likely to be the last. As technology consumers, about all we can do is try to mitigate the threat. That means that we will have to evolve our personal security efforts yet again.

What are your best tips to avoid being infected by a preinstalled virus? And how do you take those tips into the workplace to keep it safe?

narendra.seo

Dr. Anton Chuvakin keeps his blog from California. A recognized security expert and an author, Chuvakin names his blog after his book, Security Warrior. Befitting the name, every blog post seems to be a solution to various security problems, and the number of comments posted below every post proves the popularity of Chuvakin's writings. IE AntiVirus

simon_mackay

The main common issue with these devices is the fact that the device can mount to a general-purpose computer as a USB Mass Storage device ie: become a "drive letter" or "logical volume" in the computer's operating system. This is typically represented by the fact that the device will have a USB "upstream" connection so it can be directly connected to a computer and use the USB Mass-Storage class drivers present in recent operating systems. The situation described with this vector is that the test computer, which is a general-purpose computer typically running Windows or MacOS X, is connected to the device in order to test "host-device" file I/O operations which would be used for uploading / downloading music, images, maps and other data. The viruses in question would be the type that can infect logical volumes. If you are concerned about this vector, you could instigate a manual virus scan with the latest definitions on the logical volume that the device represents. All anti-malware utilities have a function for instigating a manual scan.
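
The article's description of an infected test computer seeding the device, and the comment above on scanning the logical volume a gadget presents, both come down to the same defender's step: inspect what a newly bought device exposes before it ever touches a production machine. The script below is an added example, not code from the original post or any commenter. It assumes the device is already mounted (ideally read-only) at a path and applies three heuristics to the files on it: an autorun.inf at the volume root, executables anywhere on a media device, and double-extension names such as photo.jpg.exe. The sample device tree, including the placeholder "infection", is constructed inside the script for demonstration.

```python
"""Intake check for a newly purchased gadget mounted as a removable volume.

Added example: this is not code from the original post or its commenters.
It assumes the device is already mounted (ideally read-only) at a path and
applies three simple heuristics to the files it exposes: an autorun.inf at
the volume root, executable files anywhere on a media device, and
double-extension names such as photo.jpg.exe. The sample device tree is
constructed in build_sample_device() purely for demonstration.
"""
import tempfile
from pathlib import Path

# Extensions Windows will run when double-clicked or named in autorun.inf.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js", ".dll"}
# Extensions a picture frame or music player is expected to carry (assumption).
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".m4a", ".mp4"}


def check_volume(mount: str) -> list[str]:
    """Walk the tree under `mount` and return one finding per suspicious file."""
    findings = []
    root = Path(mount)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        if path.parent == root and path.name.lower() == "autorun.inf":
            # autorun.inf at the root is how an infected drive asks older
            # Windows versions to launch a payload on insertion.
            findings.append(f"autorun.inf at volume root: {rel}")
        elif len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS and ext in EXECUTABLE_EXTS:
            # photo.jpg.exe: a media-looking name hiding an executable.
            findings.append(f"double extension disguising an executable: {rel}")
        elif ext in EXECUTABLE_EXTS:
            # A media gadget has no reason to ship executables at all.
            findings.append(f"executable file on media device: {rel}")
    return findings


def build_sample_device() -> str:
    """Construct a throwaway directory standing in for a mounted picture frame."""
    root = Path(tempfile.mkdtemp(prefix="frame_"))
    (root / "DCIM").mkdir()
    (root / "DCIM" / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff")  # JPEG magic bytes
    (root / "DCIM" / "IMG_0002.jpg").write_bytes(b"\xff\xd8\xff")
    # The next three files mimic what an infected test computer could leave
    # behind; the contents are placeholders, not real malware.
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "setup.exe").write_bytes(b"MZ")
    (root / "DCIM" / "holiday.jpg.exe").write_bytes(b"MZ")
    return str(root)


if __name__ == "__main__":
    device = build_sample_device()
    for finding in check_volume(device) or ["no findings"]:
        print(finding)
```

Run it against the real mount point instead of the constructed tree to use it on a device. It complements, rather than replaces, the manual anti-virus scan the comment recommends: name-based heuristics catch the crude cases (a frame shipping setup.exe) and cost nothing, while the signature scan is what catches a known payload hiding under an innocent name.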

BALTHOR

These aren't just kids messing around. These are full blown terrorists with virus access to any computer system on the Earth. They're steering satellites and altering the price structure of everything that we purchase. Computer viruses are as deadly as a suicidal maniac standing at your front door with a bomb strapped to his chest. I'm not kidding, we could lose computers.

silversidhe

I'm amazed at how completely some people miss the obvious - China is obviously at war with us, they just didn't declare it. What does it take! How far can you take that "innocent" it-was-an-accident... (I wonder if they do the shrug and upraised hands too?) bit. Although these are IT people, they don't seem to realize the extent of computers in control of our world - they don't have a feel for the patterns and connectedness of things.

boxfiddler

There is more than one way to wage war.

tim

Come on, Balthor, give us some evidence to back up your claims. I spent a couple hours this morning removing a couple of stupid viruses but I never feared that I would lose the computer. It's up and running just fine now thank you. Steering satellites? Altering price structure of everything we buy? That kind of talk fits in alt.conspiracy but not here. We're just lowly computer techs trying to do a job.

Tig2

But read his post history. Last year this time, Daylight Savings Time was an evil conspiracy. I love Balthor dearly. He should be nice to Beth but he isn't a bad person. Still, there is a place where you should recognize a couple of things. I don't know if he was badly burned by technology or has holes in his knowledge, but there are a couple things that he doesn't react well to. Global thinking shifts are both of them. And responding to a particular person in a thread is not his cuppa.

Neon Samurai

Either he's back on his meds or someone's slipped them into my water supply. Actually, it did take me a while to see the charm in Balthor's often incomprehensible comments. I'm surely not the one to be questioning how long it takes others to get it.

Jaqui

It's yet another reason to require these devices to be open source powered, with source code available from the company website and an interface that allows the user to update the software at will.

joey.silayan

The article is confusing. Is it about lax quality control, as per the title? Or is it about China? Perhaps, author, you could've rephrased your sentence as, "So far, Tom-Tom GPS, Apple, Target, and Best Buy have been hit by what appears to be a laxity in production quality control." or perhaps even "...laxity in outsourced production quality control." I'm not at all Chinese, and personally, yes, I think China has international issues to face up to. But perhaps next time the author can refrain from seemingly biased remarks and professionally stick to the topic at hand.

Tig2

The title doesn't speak to the laxity of quality control. The security firms that have done the analysis *think* that this is the root cause. It is *thought to be* the result of infection on the QA system. It is not *known* to be. So far, it is more than Tom-Tom, Apple, Target, and Best Buy. They are only the latest examples. The point of the story is two-fold. Just as we are learning new awareness about other consumer products, we are having our attention invited to a new awareness about electronic products. This new awareness should have us considering both our personal security strategy and our business security strategy. It may well be that the current Best Practices model will no longer serve. I am very careful when presenting information to not judge what SOMEONE has done and try very hard to stay on discussing WHAT happened. I'm sorry you read bias into that.

GreyTech

Keeping up-to-date AV and anti-spyware with heuristic detection turned on is half the battle. In the case of Sunbelt Software's CounterSpy or the new beta version of VIPRE, get it looking for suspicious behaviour. This ensures that if something is trying to turn off your AV or similar, it has a reasonable chance of getting caught. Avoiding the problem is harder. Using Firefox with NoScript helps. Buying products with reputable histories helps, but nothing is foolproof. Keep doing the backups and keep the logs of them so you have a chance of not reintroducing the problem from backup. Keep data backups separate from system ones. Then just hope that you are in the 90% that do not get a problem.

JCitizen

Glad to see the problem revisited here!

Tig2

From poisoned pet food to tainted toothpaste to lead laced toys, the import news from China has been grim. And now you can add electronic gadgets to the growing list of potential problems. What new best practices does this turn of events suggest to you? The electronic peripheral has become extremely pervasive and I would doubt that most people even know what to do to protect themselves. But the larger question is whether corporations know how to protect themselves from what could be the next attack frontier. How better to introduce malicious code than through the products a corporation buys? What new security issues do you see yourself and your company facing as a result?

seanferd

I'm wondering how to test a lot of these items, especially components, for the malware that infects them. Aside from having the NSA send them to their testbed in California, there isn't much the average consumer can do, aside from security software or eyeballing files stored on a device. Of course, you can't do this with all devices or system components. An infected memory module, hard drive or camera would really annoy me. Considering all the expansion cards and whatnot available, if the hardware infection rate increases, this could really suck canal water.

JCitizen

on the Japanese site in this instance. You would think Trend would know better wouldn't you?! I'm having a heck of a time finding a replacement for Trend's desktop solutions. I need something that has personal data blocking. Agnitum's Outpost has it but they have a notoriously leaky firewall. Not that I was using Trend's firewall either.

mike_patburgess

I cannot believe that we are using a communist company to manufacture everything and to support everything. We (yes, we) are ultimately responsible for our own demise. Everyone should start to shop smarter... no, not Wal-Mart, but manufacturers that are still in the US and Canada. I endeavor to give my hard earned cash to the label that does not say Made in China. I try and shun those products whenever possible. China is now under a military build-up funded by the West and Europe... Grow up, write your politicians and be a combined voice to say enough is enough.

Neon Samurai

In economic terms, shopping local would be a great way to go, both for direct access to the vendor and to support local economies. It's still cheaper to import, though, and what makes the gross profit margin bigger makes the decision makers and shareholders happy. In terms of communism, China is becoming a very liberal version of its older iron-fisted (hehe... in a few ways) communist bloc. It's a little scary to see capitalist markets emerging out of communist ethics, but things are a-changing. Buying local would be great for many reasons, but it's just so much more profitable for big business to pay the overhead of shipping it in and still pay less overall for the product.

JesseLee

Where I work, the best option for us is not to disable USB ports. Many staff members have to be able to move data from one physical location to another or from one computer to another, so our best option is to use USB storage devices. From full fledged hard drives to jumpdrives to the many peripherals our computers are hooked up to, USB is the only viable option for our PCs. When it comes to our Macs, they use FireWire.

Fregeus

The mighty dollar has become more important than the safety and security of our customers, neighbours and friends. No one cares about quality anymore. The important thing is to maximise profit for THIS quarter. We'll deal with issues when they come (if everything goes to plan, I'll be out of here by then and I will have made a nice profit. Let the problem be someone else's problem). I am very distraught at how the markets are shaping these past few years. Even here, where I work. Who cares if the solution is not the right one, it's what the customer wants and we need to do it with as little cost as possible. My current customer thinks that its outsourcer "takes care" of its IT infrastructure. If it knew the truth, I think they would get a heart attack. Then again, maybe they do and don't give a rat's a$$ about it. TCB.

rm.squires

I know I am still training for my career in IT, but I have had general experience at Tesco's. I wasn't too surprised to find that Tesco's didn't care about anything but money. But what I was surprised to find out was that they had what looked like an extremely old version of Windows Server (definitely before 2000) interacting with a modern XP system. It had no visible anti-virus, and the only security system they had in place seemed to be passwords and usernames. I won't comment on the security practices of the staff towards usernames and passwords, although they were backed into a corner, so to speak. (I won't say any more than that, as I would rather not risk the possibility of getting some of their staff in trouble.)

Blade4825

I have to agree with you, but it is more than just the bottom line for the stockholders. The consumers themselves have had a hand in steering things in this direction. For the sake of a cheaper product we have sold ourselves out and have now reaped what we have sown. And sadly, what I see in the future is that if we start regulating what comes in from other countries to adhere to our standards, we are going to wind up paying more for it anyway, as it will then cost them more to produce it. As far as your customer thinking his IT outsourcer is taking care of him... there is the catch phrase "thinking": he doesn't have to think about it, so he is happy with it. Until there is a problem and he then has to think about it; then it becomes a different story.

brian.mills

So far the added virus threats haven't changed anything about the way I use my computers. Of course nearly every system in my house runs either Linux or OS-X, so that alone has done a lot to mitigate the virus risk. I know it's not foolproof, but combined with smart computing habits (and a lack of funds for new gadgets) I think I'm reasonably safe from viruses.

dlmeyer

My Macs are "safe", but this is embarrassing for a Mac- lover. While fewer than 1% of all iPods come with such "extras", this could be seen as an attempt at sabotage. I see no reason why Apple can't insist on the use of its own Macs for the process of initializing the HDs - worst case, provide the servers themselves! Consider it "getting their toe in the door at Chinese IT", or some such. As for others, they could do something similar (I guess), but HP and Dell and the like would need to use *nux stations ... oh, yeah, like Macs.

Neon Samurai

"Oh... say... you're right, one can jump through that software flaw... oh my... and you have the solution code included with your notice... thanks..." Hehe... different motivations, different architecture, different response to such things.

Jaqui

that all the *x based antivirus apps scan for WINDOWS viruses, not for any that can infect the host OS? The fact is that the *x virus is way too short-lived to be much of a threat; the holes they exploit are patched too quickly for them to spread much.

Tig2

Will need to recognize that with the virus being shipped with the gadget, the whole "safe" thing goes right out the window. I use a combination of ClamXav and Flying Buttress on my Mac and take that a step further by sitting behind a router. Very similar to how I managed in Windows. That said, I DID run an experiment in which I had no protection on the machine at all and encountered nothing. A clean Mac is a happy Mac.

Ed Woychowsky

On my current contract the company outlawed USB devices, excluding mice, in January. Using a flash drive is now grounds for instant dismissal. It might sound a little harsh, but there's a lot of sensitive information, mostly in the form of code and passwords, that could be used nefariously. All it would take is one keystroke logger to cause everyone here a world of hurt.

Tig2

I know a number of companies that have outlawed USB devices. The CIA takes the step of filling the USB socket with a hardening epoxy so that it is not only disabled, it can't be re-enabled. But the companies that I know of that are doing this have had a tough time with enforcement. How does your company deal with file transportation if flash drives aren't an option?

JCitizen

CD! and I really appreciate that tip! Hopefully I'll get it compiled right, but the site makes it look very possible. Maybe this will help my Windows update problem I'm having on my main desktop unit.

Neon Samurai

A friend was told point blank that he could continue to use his USB toolkit, but the first sign of any compromise due to its use was on his head. I keep my old 512 USB with physical write protect around just so I can be sure it's not picking up nasties, provided it starts clean before I protect it. Like other techs, there are some tools you just can't live without, and a flash drive is a great way to carry them around. Still, one slippery bit of bad code and even a tech could be unaware they are carrying it to each desk-side stop they make that day. We should be able to keep a storage drive clean, but a busy day running from desk to desk is all it takes to miss scanning it. The risk is less, but if you do have a breach, the results could be much more than a user borking just their workstation before the company AV spots it.
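
The write-protected toolkit drive described above works only if the drive really did start clean and nothing has touched it since. The script below is an added example, not the commenter's tooling or any product's code, and it assumes the toolkit drive is mounted at a path. It records a SHA-256 for every file while the drive is known clean (make_manifest), stores that baseline off the drive so nothing on the drive can rewrite it, and later reports anything added, modified or removed (verify_manifest), which is the check a tech would run at the end of a day of desk-side visits on a drive that lacks a physical write-protect switch. The sample toolkit and the tampering are constructed here purely for demonstration.

```python
"""Baseline-and-verify integrity check for a technician's USB toolkit.

Added example: this is not the commenter's own tooling or any product's code.
It assumes the toolkit drive is mounted at a path. make_manifest() records a
SHA-256 for every file while the drive is known clean; verify_manifest() later
reports anything added, modified or removed. The sample toolkit and the
tampering are constructed here purely for demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large tool images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(mount: str) -> dict[str, str]:
    """Map each file's path (relative to the mount) to its SHA-256."""
    root = Path(mount)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict[str, str], dest: str) -> None:
    """Store the baseline OFF the drive, so nothing on the drive can rewrite it."""
    Path(dest).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: str) -> dict[str, str]:
    """Read a baseline written by save_manifest()."""
    return json.loads(Path(src).read_text())


def verify_manifest(mount: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the drive's current contents with the baseline."""
    current = make_manifest(mount)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
    }


def build_sample_toolkit() -> str:
    """Construct a throwaway directory standing in for a clean toolkit drive."""
    root = Path(tempfile.mkdtemp(prefix="toolkit_"))
    (root / "tools").mkdir()
    (root / "tools" / "av.exe").write_bytes(b"MZ placeholder scanner")  # not a real binary
    (root / "tools" / "readme.txt").write_text("Scanner build 2008-02\n")
    return str(root)


def simulate_tampering(mount: str) -> None:
    """Constructed changes of the kind an infected host might make to the drive."""
    root = Path(mount)
    (root / "autorun.inf").write_text("[autorun]\nopen=tools\\av.exe\n")
    (root / "tools" / "av.exe").write_bytes(b"MZ placeholder scanner, now altered")
    (root / "tools" / "readme.txt").unlink()


if __name__ == "__main__":
    drive = build_sample_toolkit()
    baseline_file = str(Path(tempfile.mkdtemp()) / "baseline.json")  # off-drive location
    save_manifest(make_manifest(drive), baseline_file)
    simulate_tampering(drive)
    print(json.dumps(verify_manifest(drive, load_manifest(baseline_file)), indent=1))
```

Keeping the baseline off the drive matters: a manifest stored on the drive itself could be rewritten by whatever altered the files. A non-empty "added" or "modified" list means the drive should be rebuilt from clean media before it visits another desk.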

pmwork1

Never mind the virus, what about the bug that immobilises the software? A promise of a patch perhaps within the next year is not satisfactory to me. My solution: demand your money back from Microsoft or contact the local Fair Trading department. Since, regardless of the pseudo-legal waffle that they send out with the software, they still have to conform with local "fit for purpose" laws. That is, if it doesn't work how they say it will work, get your money back!!!!

Dumphrey

I keep a fairly up to date UBCD4Win around so I can boot a computer and scan for viruses, manage registry entries and/or delete stubborn virus files from a live CD environment. It's a wonderful tool for sure.

Dumphrey

if they were, since they would have to catch themselves. But remember when AOL used to get so much spam, even when compared to other ISPs? That was because several of the mail admins were selling lists of addresses to spammers... "We know how easy it is to catch someone doing it. Data thieves tend to be those unaware of what monitoring tools we have at our disposal." But in many cases, we would be catching ourselves, and destroying the evidence... come on... "Data thieves tend to be those unaware of what monitoring tools we have at our disposal." Or the ones more familiar with it than anyone. How much you want to bet the NSA has a series of checks and balances to spread admin responsibilities across several departments, and distribute monitoring of services and data across several departments... I agree that a professional admin is less likely to steal data, just as they are less likely to pirate software, but in an elevated security zone, these issues need to be addressed.

Vulpinemac

... did you know that some of the stuff coming out now actually infects the boot sector of the Master disk? It's able to hide there and load itself before any scanner can find it. I've read that the only way to locate one of these is to actually boot off of an optical disk where the scanner loads before anything else and then scan the computer from that.

mattohare

I've known some of the people involved with a couple of cases. The thing with companies with this sort of a problem is that they can hush up such a thing pretty easily.

Timbo Zimbabwe

"who is supervising the IT to make sure they are not compromising data, stealing assets?" How often do you hear of an IT pro doing something like stealing data? Rarely, if ever. Know why? We know how easy it is to catch someone doing it. Data thieves tend to be those unaware of what monitoring tools we have at our disposal.

Dumphrey

filling the ports with epoxy would pretty much end the problem on the spot (of USB drives, that is). But in this day and age, a network attached storage can be the size of a lunch box or big book, so a rogue could just save to that, or email data to themselves at home in an encrypted image.... Security quickly becomes an administrative nightmare; added to this, who is supervising the IT to make sure they are not compromising data, stealing assets? There are solutions for nearly every problem, some high tech, and many are very low tech, but USB devices are by far one of the largest threats to data security and integrity. And if devices are coming "out of the box" with a virus, as did one version of the iPod btw, then users could be infecting a corporate network with no knowledge or intent. The fact that the virus is there is no accident. Someone made sure it would be there, even if only on a few before it was noticed. This is definitely a problem. Lucky for me, we only have two computers with "sensitive" data on them, both in accounting. All other workstations are non-admin, with an up to date virus scanner. All saved files are redirected to a server share where they get scanned again every night by a different AV product. The two with sensitive data are not redirected, but are backed up regularly (encrypted backup). I also enabled EFS on them, and changed the password requirements for accounting to be more stringent. Also, the door to accounting is locked if no one is in the room. That being said, all I have done is keep out the lazy and the curious. But, in our environment, that's the #1 threat, as what data we do have is not worth a professional theft (I would think). I have not disabled USB on any of our machines, and most likely will not. Our shop is small enough that we can use file permissions to control access, and log such access. Also, having only been here a few years, I'm still the "New Guy" (sales doesn't count, they come and go); the average employee has been here 15 years, so overall, we feel we have a certain level of trust where the employees are concerned.
