The Supply Chain Looks Like A Bunny Rabbit With A Drum

Just in case you are not familiar with the Energizer Bunny take a quick look here to see the energetic bunny in action.

The SolarWinds compromise has elevated already serious concerns about supply chain attacks (I’ll get to the bunny, bear with me), but many people will breathe a sigh of relief because they don’t use the vulnerable product. In other words, SolarWinds isn’t part of their supply chain, at least not directly. But few people pay attention to the rest of their own vulnerable supply chain. Even large corporations and governments may very well be unaware of what they have that must be considered a supply chain attack vector. To make my point, let’s go to a story you’re sure to get a charge out of.

My favorite supply chain example is from 2010 and involves one of the most seemingly innocuous products you could imagine – bunny rabbit power supplies. Not the batteries themselves, but rather the software for a battery charger. A vulnerability in the software allowed remote system access. A relatively innocuous supply chain threat, but the purpose of this example is to begin to draw focus to some supply chain threats. Fortunately, the charger and software did not have a MAC address or phone-home functionality (that we know of), but that is not the case for many products that are not perceived to be supply chain threats.

Five years prior to Bunnygeddon, Sony BMG decided to install a rootkit and spyware on 25 million music CDs. Under the auspices of copy protection, Sony infected hundreds of thousands of computers, including computers on thousands of US military networks. Despite opening these computers up to threat actors, there is a bright side. According to Sony BMG’s former VP Global Digital Business and US Sales & Distribution, Thomas Hesse, “Most people, I think, don’t even know what a Rootkit is, so why should they care about it?” I for one have slept better for years knowing that I don’t need to care about rootkits!

The real takeaway from the Sony example is that your employees are part of your supply chain. Consumers bring consumer products into work regularly. Many of these products are quite happy to lurk in the shadows. I call it “Shadow IoT.” These are devices that are outside of the visibility and control of IT but are still able to get on the network and compromise a system. Seriously, would you like to “bet” on whether or not an IoT fish aquarium thermometer can be a threat?

Before I continue this thought it would be useful to take a look at what Ken Munro from Pen Test Partners found when pen testing a Wi-Fi water kettle. Although Ken’s entire TEDx talk on IoT Security (or lack thereof) is well worth listening to, the iKettle story at the 4:45 mark should have you banging your head against the wall. Unlike our battery charger software, IoT devices can cough up your Wi-Fi network password. Sweet! Oh, and it’s easy to find where the iKettles and other IoT devices are located. I do recommend watching Ken’s entire TEDx talk. The IoT padlock is insane, and making IoT kids’ dolls swear is just wrong. Funny as hell, but wrong.

So, maybe you don’t have IoT kettles, dolls, and padlocks at your place of business, but what “innocuous” IoT devices do you have now, or will you have at some point in the future? Perhaps a smart refrigerator? It sure is convenient if the refrigerator can track supplies. It can leave more time for an employee to engage in more productive work, but at what risk? The Samsung model RF28HMELBSR refrigerator doesn’t monitor supplies, but it does conveniently allow you to check your Google calendar right on the refrigerator door. And at no extra charge, the refrigerator allowed Gmail credentials to be swiped by a hacker on the same network. Who is going to be on the same network that your fridge is on? My parents recently moved into a retirement community that has public Wi-Fi all over the community. What was that about being “on the same network?”

In some industries washing machines are standard equipment. The problem is trying to find a new washing machine without a Wi-Fi module included. As reported in CYBERSCOOP, a washing machine that is commonly found in hospitals could be hacked into and have malware installed, and given that foothold, traversal of the rest of the network becomes a serious concern. And hey, what about those hard-wired or Wi-Fi networked printers?

When you order equipment and supplies for your company, look to see if there is a power cord, batteries, or any other power source. If any of these is present, then it’s a dangerous IoT device until proven otherwise.

I’m not saying that IoT devices will cause the demise of your network; that’s what Windows Updates are for. I’m not saying that you can’t or shouldn’t use any of these devices, I’m simply regurgitating decades of ignored advice… be aware of what you have in your environment, and secure it as well as possible.

I was once asked how to make a smart home secure. My answer was “make it stupid again.” I couldn’t make my new washing machine stupid, so I quarantined it. The washing machine has no access to my router and, in the spirit of proactive defense in depth, I blocked its MAC address at the router too.
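The “Shadow IoT” visibility problem and the quarantine-by-MAC approach above can be turned into a routine check. The script below is an added example, not part of the original post: it diffs a router’s DHCP lease table against an IT asset inventory, reports any device IT does not know about, and emits an iptables MAC-match drop rule for each one. The lease lines are constructed in dnsmasq’s lease-file format and the inventory is a hypothetical allowlist.

```python
"""Shadow IoT check: diff DHCP leases against an asset inventory.

Added example, not code from the original post. The lease text is a
constructed sample in dnsmasq lease-file format (expiry, MAC, IP,
hostname, client-id); the inventory is a hypothetical allowlist of
MAC addresses IT has approved.
"""
from dataclasses import dataclass

# Constructed sample leases; '*' means the client offered no hostname.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.10 laptop-rabrams 01:aa:bb:cc:dd:ee:01
1700000000 aa:bb:cc:dd:ee:02 192.168.1.23 printer-2f *
1700000000 de:ad:be:ef:00:42 192.168.1.57 washer *
1700000000 de:ad:be:ef:00:43 192.168.1.58 * *
"""

# Hypothetical inventory of approved devices (MAC -> role).
INVENTORY = {
    "aa:bb:cc:dd:ee:01": "staff laptop",
    "aa:bb:cc:dd:ee:02": "2nd floor printer",
}

@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str  # empty string when the client sent none

def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq-style lease lines, skipping blank or malformed ones."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _expiry, mac, ip, hostname = fields[:4]
        leases.append(Lease(mac.lower(), ip, "" if hostname == "*" else hostname))
    return leases

def find_shadow_devices(leases: list[Lease], inventory: dict) -> list[Lease]:
    """Return leases whose MAC is not in the inventory: the Shadow IoT."""
    return [l for l in leases if l.mac not in inventory]

def quarantine_rules(shadow: list[Lease]) -> list[str]:
    """One iptables FORWARD rule per unknown MAC (mac match is valid there)."""
    return [f"iptables -A FORWARD -m mac --mac-source {l.mac} -j DROP" for l in shadow]

if __name__ == "__main__":
    unknown = find_shadow_devices(parse_leases(SAMPLE_LEASES), INVENTORY)
    for l in unknown:
        print(f"unknown device {l.mac} at {l.ip} ({l.hostname or 'no hostname'})")
    print("\n".join(quarantine_rules(unknown)))
```

A device with no hostname and an unknown MAC is exactly the kind of thing that lurks in the shadows; MAC blocking is a cheap first layer, and putting such devices on a separate, isolated network segment is the stronger one.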

Randy Abrams
Senior Security Analyst
SecureIQLab