Manufacturing backdoors

Back in May I discussed the probability of hardware backdoors http://geraintw.blogspot.co.uk/2012/05/hardware-backdoors.html, where claims that organisations were building backdoors into products they were manufacturing for 3rd parties. Since then there has been a continuous discussion over Huawei and its products and actions by the USA and Australia about blocking Huawei

However today there was an article on the BBC http://www.bbc.co.uk/news/technology-19585433 about malware being inserted onto the PC's during manufacture, my first reaction was not surprise but why has this not been found before.

In 2008 there were reports http://www.pcadvisor.co.uk/news/photo-video/11985/best-buy-pulls-infected-digital-photo-frames/ of Digital Picture Frames infected with Malware that infected computers that the picture frames where connected to.

Back in 2007 there were reports of brand new hard drives http://www.zdnet.com/seagate-ships-virus-infected-hard-drives-3039290782/ infected with viruses being shipped.

Criminal gangs have been involved in cyber crime for many years, so why has it taken to now for the problem of malware introduction during manufacturing to come to light. It would be interesting to see what quality controls where in place to test the integrity of the hard drive images in the affected factories. The question that will be asked was this state sponsored or a criminal gang responsible.

It is not just hardware that is at risk operating systems are at risk as an example the Linux Kernel server in 2011 were attacked http://www.theregister.co.uk/2011/10/04/linux_repository_res/ and in 2003 an attempt to put a backdoor in the kernel was thawted http://www.theregister.co.uk/2003/11/07/linux_kernel_backdoor_blocked/

Over the years a number of cracked versions of Microsoft Windows (black versions) have circulated, other than being free, a common feature where all the inbuilt compromises in the operating system, those who downloaded it got more than they wanted for a piece of free software.

There will always be a need for new hardware and software to be tested for vulnerabilities in any environment where the user requires security, however many organisations don't have the resources to do the testing.