March 14, 2008

Many Gadgets Hit Shelves with Pre-Installed Viruses

Some of the hottest new electronic devices are being found to contain factory pre-installed viruses that steal passwords, send spam and perform other nefarious tasks that make the systems easy targets for hackers.

The Associated Press recently reviewed several such cases involving some of the most popular technology devices, including iPods and navigation systems. The analysis found that in most cases, Chinese factories, where many companies manufacture their products in efforts to contain costs, are the source.

At this point the problem seems to be the result of lax quality control, rather than organized sabotage by hackers or the Chinese factories themselves. For instance, a careless worker may have plugged an infected music player into a factory computer used for testing, the digital equivalent of the recent series of tainted toothpaste, pet food and toys traced back to China.

Although carelessness may be the simplest explanation, it is not the only one.

If a corrupt employee or a hacker introduces a virus at an early production stage, when software is uploaded to the device, then the problems could be far more serious and widespread.

Because electronics manufacturers and the companies they hire to build their products maintain such secrecy, it's nearly impossible to know precisely how many devices have been sold, or to track the viruses. But given the nature of mass manufacturing, the numbers could be huge.

"It's like the old cockroach thing - you flip the lights on in the kitchen and they run away," said Marcus Sachs, a former White House cyber security official who runs the security research group SANS Internet Storm Center.

"You think you've got just one cockroach? There's probably thousands more of those little boogers that you can't see."

Los Angeles computer consultant Jerry Askew recently bought a new Uniek digital picture frame as a surprise birthday gift for his 81-year-old mother.  But it turned out the digital frame tried to upload more than just the family's photos. 

After plugging the frame into his Windows PC, Askew's antivirus program alerted him to a threat, and he learned that the $50 frame, built in China and bought at Target, was infested with four viruses, including one that steals passwords.

"You expect quality control coming out of the manufacturers," Askew, 42, told the Associated Press. "You don't expect that sort of thing to be on there."

Security experts say they suspect the malicious software is being loaded at the final stage of production, when gadgets are pulled from the assembly line and plugged into a computer for final verification testing. If the testing computer is infected, for instance by a worker who used it to charge his own infected device, that virus can then spread to anything else that gets plugged in.

Even though the recent infections appear to be accidental, security experts point out that the situation presents an avenue of attack that could be exploited by hackers.

"We'll probably see a steady increase over time," said Zulfikar Ramzan, a computer security researcher at Symantec Corp.

 "The hackers are still in a bit of a testing period - they're trying to figure out if it's really worth it."

Experts also warn that thousands of people with expired or non-updated antivirus software may not even know their device is infected. Even protective software may not be enough.

According to security researchers at Computer Associates, in one case digital frames purchased at Sam's Club were found to contain a previously unknown bug that not only steals online gaming passwords but also disables antivirus software.

"It's like if you pick up a gun you've never seen before - before you pull the trigger you'd probably check the chamber," said Joe Telafici, vice president of operations of McAfee Avert Labs, the security software maker's threat-research group.

"It's an extreme analogy, but it's the right idea. It's best to spend the extra 30 seconds to be sure than be wrong," he said.

For now, consumers can best protect themselves from most factory-loaded viruses by running an antivirus program and keeping it updated. The software checks for known viruses and suspicious behaviors that could indicate an attack by malicious software code - whether acquired in a download or through a device attached to the PC through a USB cable.

According to the Associated Press report, one information-technology worker wrote to the SANS security group that his new digital picture frame contained "the nastiest virus that I've ever encountered in my 20-plus-year IT career." Another said his new external hard drive had malfunctioned due to a pre-loaded password-stealing virus.

Providing oversight to Chinese suppliers is costly, and cuts into the savings of outsourcing.  But Yossi Sheffi, a professor at the Massachusetts Institute of Technology specializing in supply chain management, says it's something U.S. companies must do to prevent assembly line contamination.

"It's exactly the same thing, whether it happened in cyberspace or software or lead paint or toothpaste or dog food - they're all quality control issues," Sheffi said.

While manufacturing breakdowns happen infrequently, they have become common enough to warrant more scrutiny by companies that rely on them, Sheffi said.

"Most of the time it works," he said. "The Chinese suppliers have every reason to be good suppliers because they're in it for the long run. But it's a higher risk, and we've now seen the results of that higher risk."

For its investigation on the issue, the Associated Press contacted some of the world's leading electronics manufacturers to obtain details on how they guard against infections, including Hon Hai Precision Industry Co., based in Taiwan with an iPod factory in China; Singapore-based Flextronics International Ltd.; and Taiwan-based Quanta Computer Inc. and Asustek Computer Inc. All either declined comment or did not respond. The companies whose products were infected in the cases analyzed by AP refused to reveal details about the incidents.

Of those companies that acknowledged factory infections, all said the problem had been corrected and steps had been taken to prevent recurrences.

The AP said Apple had disclosed the most information, explaining that the virus that infected a small number of video iPods in 2006 had come from a PC used to test compatibility with the device's software.

Leading consumer electronics retailer Best Buy said it pulled the infected China-made frames from its shelves and took "corrective action" against its supplier. But it declined repeated requests to provide further details.

Sam's Club and Target said they are investigating complaints but have been unable to verify whether or not their frames were infected.

Legal experts say these manufacturing infections could become a significant problem for retailers that sell the infected devices and the companies that make them, if customers can show they were harmed by the viruses.

"The photo situation is really a cautionary tale - they were just lucky that the virus that got installed happened to be one that didn't do a lot of damage," said Electronic Frontier Foundation's legal director Cindy Cohn.

"But there's nothing about that situation that means next time the virus won't be a more serious one."