
Is Malware Being Installed in Your Products Before They Leave Your Factory?

That new computer equipment or other tech devices shipped directly from a manufacturer may already contain undetectable malware, installed during the manufacturing process (remotely, and without the manufacturer having any clue), is an unfamiliar concept to many businesspeople and consumers alike. Yet this is an alarming industry reality against which manufacturers must remain vigilant.

Carl Mazzanti, president of Hoboken-based eMazzanti Technologies, an IT firm with subject matter expertise in this and other areas, explains that manufacturing production lines are often connected to the internet in some direct or indirect way, giving criminals anywhere in the world potential access to products before they have been secured. A criminal may, for example: inject malware; inject malware that remains dormant until the device’s internal clock activates it months later; or infect IoT (Internet of Things) devices that never generate enough network traffic to elicit suspicion within an end user’s network, even as they surreptitiously gather data or otherwise explore that network environment.

Mazzanti says, “We had a prospect call us and say, ‘We can’t believe this is happening, but we literally bought 100 brand new computers from the manufacturer, and – out of the box – our intrusion detection system is saying they are infected.’ [The prospect ultimately] went back to the point-of-sale manufacturer and said, ‘Your machines are infected, and they were infected in the manufacturing line.’”

It bears repeating that such malware may be undetectable, so the above example, in which the infection was caught on arrival, is perhaps the better-case outcome.

What can manufacturers do to secure their production lines? They may believe that simply removing their production lines from any internet connectivity would solve the issue, yet if they are manufacturing a product that has “high value,” this may not be enough. USB drives can carry malware onto a disconnected line, so overall controls and protocols must be established.

Mazzanti additionally explains, “One of the realities is that the majority of manufacturing facilities don’t currently do any scans or code reviews or assessments of their onboard systems … It is currently not part of their QA testing. That’s one [step they can take]. Two, they can take a sampling of the units, as they are going through [the production line], which is another QA test, and set them up on the lab, where they proxy all the traffic coming out of the device.”

Manufacturers can also use “white lists,” so that only explicitly known and approved software applications can operate in their production lines. There are, of course, no perfect solutions, because a bad actor may, in effect, override these white list settings.
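The two QA steps just described, sampling units into a lab that proxies their outbound traffic and holding the shipped software to an approved list, are simple enough to illustrate in code. The script below is an added example written for this page; it is not eMazzanti's tooling or any manufacturer's process. It assumes a hypothetical golden-image manifest of SHA-256 hashes as the "white list" and a constructed, hypothetical proxy log format (`timestamp unit_id dst_host:port bytes_out`); the vendor hostnames and the 203.0.113.45 address are made-up documentation values.

```python
"""Two pre-shipment QA checks for sampled production units (illustrative, hypothetical).

1. allowlist_check: hash every file on a unit's image and compare it to the
   approved manifest taken from a golden image. Anything unknown, altered or
   missing is reported; this is the "white list" idea applied at QA time.
2. egress_check: review connection records captured by a lab proxy and flag
   destinations outside the expected set (update/time servers), plus unusually
   large uploads even to expected hosts. A dormant implant that "phones home"
   would show up here even if its file escaped the manifest check.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under an image root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def allowlist_check(unit_root, manifest):
    """Compare a unit's image against the golden manifest; return the differences."""
    actual = build_manifest(unit_root)
    findings = {"unknown": [], "modified": [], "missing": []}
    for rel, digest in actual.items():
        if rel not in manifest:
            findings["unknown"].append(rel)       # file not on the approved list
        elif manifest[rel] != digest:
            findings["modified"].append(rel)      # approved file, wrong contents
    findings["missing"] = [rel for rel in manifest if rel not in actual]
    return findings


# Constructed proxy records (hypothetical format: timestamp unit_id dst bytes_out).
PROXY_LOG = """\
2024-01-01T10:00:01Z unit-0007 updates.example-vendor.test:443 1204
2024-01-01T10:00:05Z unit-0007 time.example-vendor.test:123 48
2024-01-01T10:03:00Z unit-0007 203.0.113.45:8443 96000
2024-01-01T10:03:30Z unit-0012 updates.example-vendor.test:443 1180
"""

# Destinations a factory-fresh unit is expected to contact (assumed for the example).
EXPECTED_DESTINATIONS = {"updates.example-vendor.test:443", "time.example-vendor.test:123"}


def parse_proxy_log(text):
    """Turn the proxy's whitespace-separated lines into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, unit, dst, nbytes = line.split()
        records.append({"ts": ts, "unit": unit, "dst": dst, "bytes_out": int(nbytes)})
    return records


def egress_check(records, expected, large_upload=10_000):
    """Return (unit, destination, reason) tuples for traffic a QA reviewer should examine."""
    alerts = []
    for r in records:
        if r["dst"] not in expected:
            alerts.append((r["unit"], r["dst"], "unexpected destination"))
        elif r["bytes_out"] >= large_upload:
            alerts.append((r["unit"], r["dst"], "large upload"))
    return alerts


def demo():
    """Build a golden image and one sampled unit in a temp dir, then run both checks."""
    with tempfile.TemporaryDirectory() as d:
        golden = Path(d, "golden")
        golden.mkdir()
        (golden / "app.bin").write_bytes(b"approved firmware v1")
        manifest = build_manifest(golden)

        unit = Path(d, "unit")
        unit.mkdir()
        (unit / "app.bin").write_bytes(b"approved firmware v1")   # matches manifest
        (unit / "svchelper.bin").write_bytes(b"not on the manifest")  # planted extra
        findings = allowlist_check(unit, manifest)
    alerts = egress_check(parse_proxy_log(PROXY_LOG), EXPECTED_DESTINATIONS)
    return findings, alerts


if __name__ == "__main__":
    for name, result in zip(("image findings", "egress alerts"), demo()):
        print(f"{name}: {result}")
```

In practice the manifest would be produced once from a vetted golden image and stored off the production network, and the expected-destination set would be derived from the device's documented behaviour, so that anything outside it is a QA failure rather than a judgment call.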

Mazzanti broadly outlines, “You have to make your [manufacturing] environment less appetizing for someone, meaning the cost structure for the return is too high. The barrier to get what they want is too expensive for them to effectively come after you. [To establish that] requires an ongoing vigilance.”

He adds that there are today no compliance or regulatory boards examining manufacturers’ security, unlike the medical world’s HIPAA compliance or the merchant services sphere’s PCI compliance.

Mazzanti says, “The smart manufacturers will bring in someone to do the assessments; the mid-range ones are going to try to do their best, and the at-risk ones are going to try to control their costs, and will probably no longer be in business in 10 years.”