Undoubtedly, you’ve heard the Capital One tagline: “What’s in your wallet?” Well, given last week’s bombshell report from Bloomberg, The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies, it’s not unreasonable to ask: “What’s in your device?”
Let’s take a step back for a moment. If you’re surprised by Bloomberg’s piece, you likely haven’t been following cybersecurity issues in any serious depth. Personally, I yawned when I read this piece, though it was very well done.
Here’s a 2008 – yes, 2008, not a typo – piece on how USB keys can be infected right at the manufacturing stage or somewhere along the supply chain with the end user never having the slightest clue they’re using a compromised device. In other words, this is an old story.
Don’t be fooled. Just because your device comes in a sealed box doesn’t mean your device is free of compromise.
Let me go further back, at risk of dating myself. During my undergraduate business studies, sometime in the 1990s, there was emphasis on two big management fads that I could never get my head around: outsourcing (and offshoring) manufacturing to lower your production costs, and just-in-time inventory as a means to lower your storage costs. Of course, I went along with it all, giving the professors what they wanted to hear and read, but these management tactics bugged me and continue to bug me.
On the latter fad, it’s easy: just-in-time inventory works great … as long as everything else in the supply chain works great! One screw up there and what happens? The entire machine comes to a screeching halt. If that screeching halt costs less than your storage costs, fine, you can make a case for it. But sometimes it’s not just about cost; it’s about cash flow. Very healthy businesses can go bust if there’s a disruption in cash flow. But that’s a deeper conversation for another time.
The outsourcing and offshoring of manufacturing is what matters to today’s cybersecurity concerns. Fine, you’re saving some manufacturing and labor costs, so you can maximize your short-term top line revenue and squeak out more profit, but have you understood what you really have done in the long term?
It’s two things essentially:
1) You’ve reduced your capability to make it yourself, and
2) You’ve given away your intellectual property.
The moment you show me how to make something, you’ve lost something of value. If we’re within the same jurisdiction, you may seek some remedy if I violate our terms, but from a very practical perspective, once that capability has been offshored, your ability to seek remedy diminishes incredibly.
Okay, okay, okay, I know what’s coming: what about international agreements to settle these disputes? Perhaps I am being too practical here, but good luck trying to chase down every case of IP theft and counterfeit that is happening in all parts of the world. Even if you can successfully prosecute a case, can you reasonably expect to be compensated for your loss? I’m not sure, especially if there is some greater geopolitical strategy at play.
And what is the cost to prosecute? That needs to go into your math as well. Sometimes it’s just not worth it to chase that bad debt.
There is also another aspect, which ties back into the Bloomberg piece: the moment you offshore your capabilities, the new host manufacturer – which could possibly have ties to the local, regional, or national government – can now learn how to modify the technology.
And that is what should begin to trouble you and make you wonder: what’s in your device?
In our personal and professional lives, we regularly seek conveniences, but we don’t always know the costs. Worse, one misstep can cause you serious grief. Let me illustrate with a personal example.
Sometime last year I needed an HDMI cable that would connect my phone to a monitor/TV (I’m not saying where I bought it from, but it’s a place you all know). Pretty basic. I wanted a simple cable: micro USB on one end, HDMI on the other, sparing me the extra adapters, which was my existing solution.
Note: I don’t like wireless solutions in this case because they’re a drain on batteries and if you’re connecting to public devices from a personal device, well … you’re connecting a personal device to a public device and that’s just no good!!!
So I get this cable shipped, and it seemed a bit odd to me. There was a manual on how to configure your device to connect, as it needed some wireless connection. That made no sense at all. This should be a simple plug-and-play device and it certainly gave that impression at first glance.
I started reading through the manual – written in some shoddy English – and I started giggling to myself. The moment I saw “put your device in developer mode” I said to myself: no way am I letting this thing near a device I care about. Enter curiosity.
I plug the cable into a device I have absolutely no interest in to see what loads and shows up on the screen. More giggles: some very sketchy looking user interface/menu to configure the device. Unplug that nonsense and let the curiosity keep going.
I look at the cable, and the HDMI end of the cable looks just way too big. It had to be more than a power/charging source (some cables have this, and it is totally legitimate).
Enter my trusty tools to break it open. This $10 cable suddenly became a science experiment.
My “cable” came fully equipped with a single processor, 128 MB RAM/ROM, WiFi 802.11 a/c, and was running a Linux OS. All things you absolutely do not need for plug-and-play capability. And I’m willing to bet more than a shiny penny that this cable had a surreptitious E.T. “phone home” capability built in, hence the need to put your device in developer mode to operate.
Feel free to guess where this product was manufactured. And yes, I’m confidently still using my existing adapters to serve my needs.
Here’s what should scare you: there are millions upon millions of these devices floating everywhere, connecting our personal lives and corporate networks. Some are cables. Some are IoT devices. You get the picture.
Yes, I get it, we want convenience, but at what cost? Is your device “calling home” without your knowledge? I don’t want a device “calling home” even with my knowledge!
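One practical way to answer “is my device calling home?” is to watch what each device on your network actually connects to and compare it with what that device is supposed to need. The following is an added example, not code from the original article: it parses constructed flow-log lines (the MAC addresses, hostnames and timestamps are made up) and flags any device that originates traffic although its declared function, like a plain HDMI cable, should be passive, as well as devices nobody has inventoried at all.

```python
"""Flag devices that "phone home" although they should not.
Added example; inventory, MACs and flow records are constructed."""
from collections import defaultdict

# What each known device is *supposed* to need. A passive cable or
# adapter has no business originating network traffic (constructed).
INVENTORY = {
    "02:00:00:aa:00:01": ("laptop", True),                # network expected
    "02:00:00:aa:00:02": ("micro-usb-to-hdmi cable", False),  # should be passive
    "02:00:00:aa:00:03": ("smart plug", True),
}

# Constructed flow log: timestamp src_mac dst_host dst_port proto
SAMPLE_FLOWS = """\
2018-10-09T10:00:01 02:00:00:aa:00:01 updates.example-vendor.test 443 tcp
2018-10-09T10:00:05 02:00:00:aa:00:02 203.0.113.7 8080 tcp
2018-10-09T10:00:06 02:00:00:aa:00:02 cfg.unknown-cdn.test 80 tcp
2018-10-09T10:00:09 02:00:00:aa:00:03 cloud.example-plug.test 8883 tcp
2018-10-09T10:00:12 02:00:00:aa:00:99 time.example.test 123 udp
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, host, port, proto = line.split()
        flows.append({"ts": ts, "mac": mac.lower(), "host": host,
                      "port": int(port), "proto": proto})
    return flows

def phone_home_findings(flows, inventory):
    """Return {mac: finding} for devices whose outbound traffic is
    unexpected: unknown to the inventory, or declared passive."""
    by_mac = defaultdict(list)
    for f in flows:
        by_mac[f["mac"]].append(f)
    findings = {}
    for mac, fl in by_mac.items():
        dests = sorted({f"{f['host']}:{f['port']}/{f['proto']}" for f in fl})
        if mac not in inventory:
            findings[mac] = {"reason": "unknown device", "dests": dests}
        elif not inventory[mac][1]:
            name = inventory[mac][0]
            findings[mac] = {"reason": f"{name} should be passive", "dests": dests}
    return findings

if __name__ == "__main__":
    for mac, fnd in phone_home_findings(parse_flows(SAMPLE_FLOWS), INVENTORY).items():
        print(mac, "->", fnd["reason"], "|", ", ".join(fnd["dests"]))
```

On a real network the flow lines would come from your router, a span port or a tool such as a flow exporter; the point is the inventory column, which records what the device should need, not what it asks for.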
If you’re not taking your data protection seriously at the personal level, then these problems of data loss, breach, theft, you name it, will continue.
I am taking steps to protect my information and that’s a mentality we should all start to instill in our data handling practices. And it’s also a training issue, more than a tech issue, a key fact that often gets lost in the cybersecurity discussion.
Dan Geer, In-Q-Tel’s current CIO and famous non-user of a cell phone, says: “Convenience, freedom, security – choose two.” My suspicion is that most people – willingly or not – pick the first two. As a personal preference, I pick the last two.
Make sure you know what’s in your device.
By George Platsis, SDI Cyber Risk Practice
October 9, 2018