The purchases were made by U.S. Army and Air Force employees using payment cards issued for government-related purchases under $10,000.
The report that unveiled this data listed, in particular, Lexmark printers, GoPro cameras, and Lenovo computers as products that could be exploited by U.S. adversaries to gain access to the DoD networks.
Electronics Point has spoken to four security experts to assess the potential damage these devices could cause, and what could be done to prevent it, both technically and in terms of regulation.
Structurally Insecure Products
“Starting from the basic idea that no hardware or software can be considered 100% secure,” Simone Quatrini from Pen Test Partners tells Electronics Point, “the Cyber-Security department at the DoD had simply requested that some brands—mainly Chinese—should not be purchased in connection with espionage risks.
“This warning has been ignored by some of the employees, who have effectively bought that software and hardware.”
Quatrini explains that, without the need for sophisticated tools, anyone can consult websites such as CVE Details, which regularly list device vulnerabilities.
“Looking at the list of the known vulnerabilities related to Lexmark devices, for example, it is noticeable how only 2 new vulnerabilities have been discovered in 2019, and that the majority of all known vulnerabilities can be exploited only by direct access—[i.e. via the] same network—to the device.”
A GoPro camera. Image courtesy of Pexels.
For that reason, Quatrini thinks that, even if malicious software were installed on these printers, attackers would not be able to run it unless they were physically in the DoD building.
“I wouldn’t expect the DoD to expose its printers on the internet,” Quatrini adds.
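As an added illustration of the triage Quatrini describes, and not code from the article or from CVE Details, the Python below takes a handful of constructed CVE records with CVSS v3 vector strings and reports how many appeared per year and what share require network adjacency, local or physical access rather than internet reachability. The CVE ids and vectors are constructed placeholders, not real Lexmark or GoPro entries.

```python
import re
from collections import Counter

# Constructed sample records in the shape of a CVE feed export:
# (CVE id, year published, CVSS v3 vector string). The ids are placeholders,
# not real Lexmark or GoPro CVEs; the mix mirrors the pattern the article
# describes (few recent entries, most needing access to the same network).
SAMPLE_CVES = [
    ("CVE-0000-0001", 2017, "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-0000-0002", 2018, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-0000-0003", 2018, "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    ("CVE-0000-0004", 2018, "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    ("CVE-0000-0005", 2019, "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"),
    ("CVE-0000-0006", 2019, "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]

AV_LABELS = {"N": "network", "A": "adjacent", "L": "local", "P": "physical"}


def attack_vector(vector: str) -> str:
    """Return the CVSS v3 Attack Vector (AV) metric of a vector string as a word."""
    match = re.search(r"(?:^|/)AV:([NALP])(?=/|$)", vector)
    if match is None:
        raise ValueError(f"no AV metric in vector: {vector!r}")
    return AV_LABELS[match.group(1)]


def summarise(records):
    """Count CVEs per year and per attack vector, and compute the share that
    needs adjacent, local or physical access rather than internet reachability."""
    by_year = Counter(year for _, year, _ in records)
    by_av = Counter(attack_vector(vec) for _, _, vec in records)
    proximity = sum(by_av[k] for k in ("adjacent", "local", "physical"))
    return {
        "by_year": dict(by_year),
        "by_attack_vector": dict(by_av),
        "proximity_share": proximity / len(records) if records else 0.0,
    }


def remotely_exploitable(records):
    """Ids of CVEs with AV:N, the ones that would matter if a device were ever
    reachable from the internet, and therefore the first to verify as patched."""
    return [cve for cve, _, vec in records if attack_vector(vec) == "network"]


if __name__ == "__main__":
    print(summarise(SAMPLE_CVES))
    print("verify patched first:", remotely_exploitable(SAMPLE_CVES))
```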
In terms of GoPro vulnerabilities, Quatrini says he’s not aware of any discovered in 2019.
“In any case, the issues related to how insecure a GoPro can be are mainly related to a situation when the camera is connected to its smartphone app via Wi-Fi.”
A nearby attacker could capture that Wi-Fi traffic and decrypt it later, thereby watching the video that was being streamed at the time of the attack.
“On a positive note, GoPros stop transferring videos while they’re recording, so all an attacker would see is a 2-frames-per-second streamed video transmitted just before a photo or video.”
As far as Lenovo’s hardware is concerned, this is not the first time it has been deemed insecure by the U.S. government; there have been allegations about the company’s products since 2015.
However, the vulnerability history of these devices is not the biggest security concern, warns Joseph Steinberg, Cybersecurity and Emerging Technologies advisor.
Talking to Electronics Point, Steinberg maintains that the bigger issue in the eyes of many is that Lexmark and Lenovo are Chinese companies, which ultimately answer to the Chinese government.
“Last year, a Congressional report stated that Lexmark had connections to Chinese cyber-espionage programmes, and, for over a decade, various U.S. government agencies have instituted various bans on the use of Lenovo products,” Steinberg says.
“In 2006, for example, after reports surfaced that some Lenovo computers contained surreptitiously-installed cyberespionage technology, the US State Department banned the use of Lenovo computers on any of its classified networks.
A decade later, the Joint Chiefs of Staff Intelligence Directorate warned that the devices posed a risk to essentially all Department of Defense networks, both classified and unclassified.”
Military helmets and electronics on display. Image courtesy of Bigstock.
The Fragile State of US Security Regulations
“Given the size of the U.S. military budget, the acquisition process is diverse and complex with many regulations, warnings, and alerts to monitor,” says Georgia Weidman, founder and CTO at Bulb Security LLC.
“For large acquisitions, often a variety of equipment is acquired, which means a given programme has very complex compliance requirements. Additionally, for smaller purchases made by credit card or micro-purchase programmes, the purchaser may not be aware of the security considerations. So it is a very complex problem that affects large and small acquisition programmes,” Weidman explains.
These problems may also stem from the fact that companies and governments buy devices under the assumption that, if the hardware is being sold, it must have been thoroughly tested for security, Rebecca Herold, CEO of The Privacy Professor, tells Electronics Point.
“Of course, this is a faulty assumption that is generally not true.”
Herold says that hardware purchases are often made using requirements that are not based on cybersecurity, but more on price, estimated longevity of the equipment, support and maintenance promises, and availability in all regions or locations where the equipment will be used.
Another influence is the deals that sales representatives make and the relationships between buyers and vendors.
“I’ve rarely seen the IT hardware acquisitions area include rigorous requirements for security validations, much less any check on security at all. Usually addressing cybersecurity of hardware is something that is done after the purchase has been made,” Herold says.
“It is something that chief information security officers have to deal with all the time … trying to secure inherently insecure equipment after some other business or operations unit has already made the purchase.”
However, the fact that DoD agencies have repeatedly ignored previous cybersecurity alerts in the past makes the issue an urgent one, especially at a time when the Chinese trade war is at historical peaks, and the U.S. is still heavily reliant on Chinese hardware.
Herold mentions the April 2018 ‘Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology’ report as an example of how China has been dominating the other South-East Asian countries in providing mission-critical components to seven huge U.S.-based tech companies.
“Considering the capabilities that can be engineered into these components to surreptitiously send back to China the IP collected from the associated networks and attached hardware where those components are located, it really does seem like the military should be highly motivated to rigorously test the security of all their hardware before implementing it within their digital environments and networks,” Herold warns.
This, however, did not seem to be the case. The recent Pentagon report shows that, despite recent U.S. government warnings, Lexmark printers, for example, were still certified for use and available for purchase through the Navy Marine Corps Intranet COTS Catalog in February 2019.
The report attributes these errors to the DoD’s failure to establish an official team to develop a strategy for managing cybersecurity risks and to compile a list of approved products that staffers could consult before purchasing.
According to the report, the DoD tried to do this in the past through the Office of the Under Secretary of Defense for Research and Engineering Joint Federated Assurance Center, but failed to grant it operational capability (that is, any actual decision-making power).
“In serious societies and especially in governments, any device destined to be used for working purposes should go through a proper IT department,” Quatrini says.
“There, security experts must carefully scrutinise the devices, both in terms of software installed, as well as their generic configuration. If the U.S. DoD had actually analysed these devices in the first place, there’s no way they would have passed the checks.”
According to subject experts, insecure electrically-powered devices can pose a risk to economic and national security in military hands. Image courtesy of Pixabay.
When it comes to risks, theoretical considerations open up a wide spectrum of possibilities, based on [people] not knowing specifically what these devices are actually doing, Herold clarifies.
“However, if the military is using such devices within their networks and in the field, [then] at a high level, it creates the possibility of significantly heightened risks to, not only U.S. national security, but also economic security.”
When it comes to this, Herold explains, we should be asking ourselves questions such as: what are these devices sending to economic competitors in other countries? What military secrets are these devices sending to other countries that may be providing weapons and computing devices to countries with whom the U.S. is actively engaged militarily?
“Bottom line—ignorance of such vulnerabilities in the devices the U.S. military is using is not bliss: the lack of full awareness and transparency into the actions and subversive data sharing/leaking/stealing of the devices in the military’s digital environment could lead to catastrophic events.”
Herold says U.S. government leaders and intelligence agencies often seem consumed by efforts to compel backdoors in security tools, such as encryption, in the name of security, while ignoring the more significant threats that using these vulnerable devices presents to the U.S. itself.
“It’s like requiring everyone’s house to use 5 different types of locks on the front door, while not caring that the backyard gate, back doors, and all the windows in the house, are left wide open. Short-sighted consideration of security risks leads to wide-ranging exploitation of those risks—to the detriment of entire nation-state populations.”
A Possible Solution?
Right after the publication of the Pentagon’s report, two U.S. senators introduced a bipartisan bill named the ‘Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply’, aka the MICROCHIPS Act.
If passed, it would create a state agency in charge of testing hardware and software destined for the supply chain of the U.S. military and other federal agencies.
“The current U.S. military standards need to be updated to reflect the evolving threat landscape that currently is changing as a result of new tech, which seems—by all published accounts—too often buggy from a security perspective, and not patched or fixed adequately by the IT providers who are all trying to release their devices as soon as possible for economic competitive advantage,” Herold explains.
“More rigorous security testing is needed on devices before they are released into production.”
All U.S. organisations should also cease accepting the increasingly common practice of IT companies making buggy devices available, and then fixing found vulnerabilities within them after the fact, she adds.
“We need to stop playing security-whack-a-mole with the tech we are using—not only in the military and government—but also in all other types of organisations. If large tech companies would truly realise the value of more rigorous security and privacy, [start the] testing of their tech before making it available, and see that it would be a competitive differentiator—imagine all the IP that would not be stolen, the military secrets that would stay secret, and the breaches that could be prevented.”
On the other hand, Steinberg notes that—more than introducing new regulations and standards—existing ones should be enforced more efficiently.
“If the DoD has policies against using a particular device, employees should not be able to purchase such devices and connect them to DoD networks—regardless of the purchase price,” he explains.
“Those devices should obviously also not appear in any internal COTS catalogues, and the risks of using such devices should be communicated clearly to everyone working within the DoD. Once such communication has been sufficiently delivered, there should be consequences put in place for ignoring such directives.”