Risk analysis: Are risk managers identifying spyware in the supply chain?

Accusations that Russia tried to spy on delegates at the G20 summit in Saint Petersburg last autumn using compromised USB sticks and mobile phone chargers have led to fears that simple hardware bought by companies could put their secrets at risk.

Russian president Vladimir Putin moved swiftly to denounce the allegations made by two Italian newspapers, but the idea of such technological vulnerability raises important questions for risk managers. How can you be sure equipment bought and used by your company and your employees is not being used against you to steal information or eavesdrop?

With corporate espionage on the rise, it seems companies and individuals can never be 100% certain of security and safety, and policies to prevent IT hacking may not cover this. There are also fears that products are having hacker ‘backdoors’ built into them during manufacture. 

So what risk management procedures do organisations have in place to guard against threats from out-of-the-box equipment and machinery? 

According to the Kroll Global Fraud Report 2013/14, there is a need for increased spending by risk managers on management and compliance processes. Efforts range from thoroughly investigating the supply chain when new equipment is delivered to implementing Bring Your Own Device policies for employees. Awareness should also be raised about the dangers of accepting sample technology offered by third parties.

Kroll Advisory Solutions Eurasia chairman Tommy Helsby says: “Perpetrators of fraud are often thought of as faceless hackers in a distant land, but our experience shows that to be the exception rather than the rule. The greatest vulnerability is among those who have already got past most of your defences by virtue of being an employee, partner or contractor.

“It is vital that, as well as investing in technology, businesses mitigate the insider threat by focusing on areas such as staff screening and due diligence on partners, clients and vendors.”

Spyware in kitchen equipment

Information Risk Management technical director James Wootton highlights potential threats from everyday electrical items, such as the kettles in a company’s canteen. A recent Russian investigation claimed that Chinese-made kettles could contain hidden technology capable of connecting to a local wi-fi signal and transmitting sensitive data to a third party – drawing on the appliance’s power source to operate.

Wootton says: “The prevalence of inexpensive computing platforms and, at state level, the ability to create small, bespoke devices, would suggest that embedded attacks are on the increase. 

“The device is energised when the kettle or toaster is powered and it will seek out insecure wireless networks to communicate, performing attacks or reconnaissance, or waiting for further instruction.

“While, on the whole, secreting such devices within batches of consumer goods would seem reactively untargeted and opportunistic, it has also been suggested that such devices have been found embedded in mobile products.”

He continues: “Companies must consider their supply line. An interested party will look for the weakest attack vector. This may be a supplier or partner organisation/company that has been infiltrated, and spyware secreted within control, administrative or production systems. The sophistication and availability of devices capable of being embedded will increase and bring with it an increase in this novel but threatening attack vector.”

Corporate security specialist KCS Group’s chief executive Stuart Poole-Robb says a major risk is not spyware embedded at source by manufacturers, but espionage technology being placed into products such as computers or phones during less secure stages of the supply chain – for example, when they are shipped to a distributor, transporter or reseller. 

Supply chain weaknesses

Poole-Robb says: “The exploitation of supply chain vulnerabilities has become an emerging trend. It should be taken very seriously indeed, as the impact is far-reaching, costly and destructive.”

“When people buy a new PC, they often expect that machine to be secure out of the box. The fact that malware is being inserted at such an early stage in the product lifecycle turns this on its head and means that no matter how discerning a user is online, their caution becomes irrelevant if that PC is already tainted.”

He adds: “Everyday appliances are having GSM [Sim] cards installed in items such as three-way adaptors, TVs and telephones. We have even found a transmitting device in a lock on the office door of the chief executive of one of our clients.  

“More recently, we discovered an electronic eavesdropping device under the desk of the chairman of the advisory board of a blue-chip German company, and in the executive washrooms of one of the world’s leading insurance companies.”

To offset these kinds of risks, says Markel International insurance underwriter Dominic Yau, it is crucial to choose the right insurance product. 

“These products can include cover for the costs of rectifying damage caused by spyware to the internal systems at factories and manufacturing facilities,” he says.

“It is imperative that policies come with rapid-response helplines to deal with these types of issues.”

Other security analysts agree that concerns over embedded spyware in machinery and communications technologies – such as eavesdropping abilities in mobile phone batteries – are real and growing.

Kaspersky Lab senior security researcher David Emm insists that businesses cannot afford to be complacent. 

“If your organisation has never suffered a targeted attack, it’s easy to tell yourself that ‘it won’t happen to my business’, or even to imagine that most of what is written about these kinds of threats is just hype,” Emm says. “It’s important for organisations to invest in security, and to increase awareness of these risks throughout the business.”