How to respond to device and software backdoors inserted or left by vendors

It’s bad enough when black hat hackers insert malicious backdoors into systems and software after vendors/makers have sold these into the marketplace. It is another matter when the vendors who create these devices and programs unwittingly or purposely leave backdoors inside their products.

With IHS forecasting an influx of 30.7 billion IoT devices by 2020 and 75.4 billion by 2025, additional products that could house vendor backdoors will flood the enterprise, multiplying the risks of these kinds of security holes.

CSO looks at vendor backdoors, how they get into products, the challenges to finding these, mitigating the easily infected openings, and responding to this hardware, software, and IoT-based dilemma.

These kinds of backdoors can be flaws, known components or characteristics designed to permit entry and control, or some unknown entry point left on purpose, any of which an attacker can abuse.

“Many vendors intentionally allow remote access to their products to enable patching, administration, upgrades, metrics gathering, and bug fixing. If the user does not know about and explicitly allows this remote access, this would be considered a backdoor. If the user knows about the vendor’s remote access capability and allows the access to exist, we would not consider this a backdoor,” says Andrew Howard, chief technology officer at Kudelski Security.

Since the Snowden and WikiLeaks incidents, vendors, most notably in the U.S., have been more forthcoming about the existence of backdoors, stressing that they are required by law to implement these in certain products for the specific and exclusive use of the U.S. government, says Michela Menting, research director at ABI Research.

Challenges to uncovering vendor backdoors in devices and software

The number of software packages, applications, and devices in an enterprise make it challenging for organizations to examine these products looking for undocumented backdoors. “Most enterprises have a rudimentary product security program that relies on third-party databases, such as the National Vulnerability Database (NVD) that the U.S. Government hosts to discover potential backdoors in the products they use,” explains Howard. The NVD can include backdoors that vendors purposely leave behind and those that a negligent programmer forgets to close if these create exposure to criminal hackers.

This approach leaves a place for cyber thugs to enter these backdoors before the vulnerabilities appear in databases like the NVD, which would inform companies and enable them to patch, sandbox, or remove the software or device. “More advanced enterprises bring devices into a lab to identify potentially undocumented issues. As a general rule, finding backdoors is difficult and most organizations are not equipped to discover or remediate them,” says Howard.

In-depth product tests are extremely cost prohibitive for most enterprises. “Product tests can run anywhere from $30,000 to $150,000 for a thorough examination, depending on the depth required and the goals of the organization. This is for a single product; the results of the test would not give full assurance that the product is safe,” says Lawrence Munro, senior director of SpiderLabs EMEA at Trustwave.

How to mitigate the potential for these backdoors

To mitigate vendor hardware and software backdoors, an enterprise can undertake these four remaining steps, according to Munro. First, consider carefully whether the hardware or software product in question is necessary. “Do you need an IoT egg holder or toaster in an enterprise?” asks Munro.

Second, says Munro, make good decisions about what vendors you can trust. Make sure they demonstrate insightfulness and expedience in fixing vulnerabilities. Make sure they continue to develop the product actively and fix new bugs. Ensure they are a large, stable vendor that will not soon disappear or fail to provide support. Ensure that they use bug bounties or other bug reporting programs. Research the company for high-profile breaches and poor practices.

Third, says Munro, train your SOC teams to detect backchannels and covert communications across the enterprise network; have them study alerts and events inside the network so they can recognize potentially malicious traffic.

Fourth, Munro concludes, use the right software and hardware tools to detect backdoor communications, including SIEM tools, secure web gateways, firewalls, UTMs, and other network monitoring solutions.

How to respond to known vendor backdoors

When an enterprise does discover a product in their production environment that has a backdoor, they should take it offline where possible until they or the vendor resolve the vulnerability or they should isolate the hardware to contain the risk while deploying additional monitoring and controls around it, according to Howard.

Isolate the device (or software), according to Howard, in its network segment with no access or very little access to the corporate network to reduce any associated risks. “While it may be possible to compromise the device, this mitigation strategy makes it more difficult for an attacker to move throughout the enterprise network,” says Howard.

If the enterprise discovers a backdoor, reports it, and the vendor does not provide a fix, the enterprise could modify the hardware’s firmware in applicable cases to solve the issue, with the notable caveat that the vendor would no longer provide support for the device, Munro explains. “I wouldn’t recommend it unless you have a very advanced team and there are no single points of failure,” says Munro.

Backdoors in IoT

Vendors do not design most IoT devices with security in mind. “The IoT connectivity angle means that post-market servicing of these technologies by the vendor is becoming increasingly commonplace. These are favorable conditions for the vendor to deploy new backdoors,” explains Menting.

To deal with the potential for backdoors in IoT, an enterprise must first assign a stakeholder who is responsible for these devices. Then when the enterprise discovers a backdoor, they can ensure that the business and security owners remediate it together. These risk mitigations often require trade-offs such as downtime and a potential loss of capabilities, which requires buy-in from both the business and security stakeholders, according to Howard.

According to Howard, there are options for remediating an IoT device that has a backdoor, including removing, patching, or monitoring the device, or placing it on its own network segmentation as you would with any other device (and perhaps software) with a backdoor.

Until IoT device security is a priority for manufacturers (i.e. when it is considered a market differentiator or regulator), enterprises should assume that attackers have already compromised almost any IoT device, whether by using backdoors or otherwise, according to Howard. “This technique ensures a more risk-aware deployment strategy and seeks to minimize organizational exposure.”

Vulnerability reports

Trustwave recently revealed a backdoor in GSM-to-VoIP IoT devices from DblTek, a Chinese firm. If you can’t test every product you use, keep close watch of evolving vulnerability reports. In addition to the NVD, CVE Details and the Trustwave Security Advisories regularly publish new vulnerabilities, including backdoors. Careful searches on https://wikileaks.org/ can identify products with backdoors. “Examples include the recently leaked CIA manual, the NSA ANT catalog, and work done under the PRISM program (among many others),” says Menting.

Bring your comments through the front door of our Facebook page.