The purchases were made by Army and Air Force employees using government-issued payment cards for purchases under $10,000.
The report unveiling this data particularly listed Lexmark printers, GoPro cameras, and Lenovo computers as products that could be exploited by US adversaries to gain access to DoD networks.
Electronics Point has spoken to four security field experts to assess the potential damage these devices could cause and what could be done to prevent it, both technically and in terms of regulations.
Structurally Insecure Products
“Starting from the basic idea that no hardware or software can be considered 100% secure,” Simone Quatrini from Pen Test Partners tells Electronics Point, “the Cyber-Security department at the DoD had simply requested that some brands, mainly Chinese, should not be purchased in connection with espionage risks.
“This warning has been ignored by some of the employees, who have effectively bought that software and hardware.”
Quatrini explains that, without the need for sophisticated tools, there are websites such as CVE Details which regularly list devices’ vulnerabilities.
“Looking at the list of the known vulnerabilities related to Lexmark devices, for example, it is noticeable how only two new vulnerabilities have been discovered in 2019, and that the majority of all known vulnerabilities can be exploited only by direct access (same network) to the printer device.”
A GoPro camera. Image courtesy of Pexels.
For that reason, Quatrini thinks that, even if malicious software were installed on these printers, attackers would not be able to run it unless they were physically in the DoD building.
“To be entirely honest, I wouldn’t expect the DoD to expose its printers on the internet”, Quatrini adds.
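Quatrini's reasoning above (how many of a device's published flaws need adjacent-network or physical access, and how many are recent) can be turned into a simple triage over CVSS v3 vectors. The following is an added example, not code from the article or from any of the experts quoted; the CVE records are constructed placeholders, and the `triage` function and its field names are this example's own.

```python
# Added example: triage a device's published CVEs by CVSS v3 attack vector
# and year. A flaw needing adjacent-network (AV:A), local (AV:L) or physical
# (AV:P) access matters far less for a printer never exposed to the internet.
from collections import Counter
import re

# Constructed sample records with placeholder IDs (not real CVEs).
# Each tuple is (id, year published, CVSS v3.1 vector string).
SAMPLE_CVES = [
    ("EXAMPLE-0001", 2017, "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("EXAMPLE-0002", 2018, "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    ("EXAMPLE-0003", 2018, "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"),
    ("EXAMPLE-0004", 2019, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("EXAMPLE-0005", 2019, "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"),
]

AV_NAMES = {"N": "network", "A": "adjacent", "L": "local", "P": "physical"}
_VECTOR_RE = re.compile(r"^CVSS:3\.[01](?:/[A-Z]{1,2}:[A-Z])+$")


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v3.x vector into {metric: value}; reject malformed input."""
    if not _VECTOR_RE.match(vector):
        raise ValueError(f"malformed CVSS vector: {vector!r}")
    metrics = dict(part.split(":") for part in vector.split("/")[1:])
    if metrics.get("AV") not in AV_NAMES:
        raise ValueError(f"missing or unknown AV metric in {vector!r}")
    return metrics


def triage(records, year_of_interest: int) -> dict:
    """Count attack vectors overall, flag how many flaws are remotely
    reachable, and count how many entries were published in one year."""
    by_av = Counter(AV_NAMES[parse_vector(v)["AV"]] for _, _, v in records)
    total = len(records)
    remote = by_av["network"]
    return {
        "total": total,
        "by_attack_vector": dict(by_av),
        "needs_proximity_or_access": total - remote,
        "remote_fraction": remote / total if total else 0.0,
        f"found_in_{year_of_interest}": sum(1 for _, y, _ in records
                                            if y == year_of_interest),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CVES, 2019))
```

On real data the vectors would come from a feed such as the NVD JSON export; the only thing the check needs per record is the vector string and publication year.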
In terms of GoPro vulnerabilities, Quatrini says he’s not aware of any discovered in 2019.
“In any case, the issues related to how insecure a GoPro can be are mainly related to a situation when the camera is connected to its smartphone app via Wi-Fi.”
A nearby attacker could sniff that Wi-Fi traffic and decrypt it later, thus being able to watch the video that was being streamed at the time of the attack.
“On a positive note, GoPros stop transferring videos while they’re recording, so all an attacker would see is a 2fps stream video transmitted just before a photo or video.”
As far as Lenovo’s hardware is concerned, this is not the first time it has been deemed insecure by the US government. In fact, allegations have been made against the company’s products since 2015.
However, the vulnerability history of these devices is not the main concern when it comes to security, warns Joseph Steinberg, Cybersecurity and Emerging Technologies Advisor.
Talking to Electronics Point, Steinberg maintains that the bigger issue, in the eyes of many, is that Lexmark and Lenovo are Chinese companies, which ultimately answer to the Chinese government.
“Last year, a Congressional report stated that Lexmark had connections to Chinese cyber-espionage programs, and, for over a decade, various US government agencies have instituted various bans on the use of Lenovo products,” Steinberg says.
“In 2006, for example, after reports surfaced that some Lenovo computers contained surreptitiously installed cyberespionage technology, the US State Department banned the use of Lenovo computers on any of its classified networks.
A decade later, the Joint Chiefs of Staff Intelligence Directorate warned that the devices posed a risk to essentially all Department of Defense networks, both classified and unclassified.”
Military helmets and electronics on display. Image courtesy of Bigstock.
The Fragile State of US Security Regulations
“Given the size of the US military budget, the acquisition process is diverse and complex with many regulations, warnings, and alerts to monitor,” says Georgia Weidman, Founder and CTO at Bulb Security LLC.
“For large acquisitions, often a variety of equipment is acquired which means a given program has very complex compliance requirements. Additionally, for smaller purchases made by credit card or micro-purchase programs, the purchaser may not be aware of the security considerations. So it is a very complex problem that affects large and small acquisition programs,” Weidman explains.
These problems may also stem from the fact that companies and governments buy devices under the assumption that if the hardware is being sold, it must have been thoroughly tested for security, Rebecca Herold, CEO of The Privacy Professor, tells Electronics Point.
“Of course, this is a faulty assumption that is generally not true.”
Herold says that hardware purchases are often made against requirements that are not based on cybersecurity, but rather on price, the estimated longevity of the equipment, support and maintenance promises, and availability in all regions or locations where the equipment will be used. Other influences are the deals the sales representatives are making and the types of relationships between the buyers and the vendors.
“I’ve rarely seen the IT hardware acquisitions area include rigorous requirements for security validations, much less any check on security at all. Usually addressing cybersecurity of hardware is something that is done after the purchase has been made,” Herold says.
“It is something that CISOs have to deal with all the time… trying to secure inherently insecure equipment after some other business or operations unit has already made the purchase.”
However, the fact that DoD agencies have repeatedly ignored previous cyber-security alerts makes the issue an urgent one, especially at a time when the trade war with China is at a historic peak and the US is still heavily reliant on Chinese hardware.
Herold cites the April 2018 “Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology” report as an example of how China has come to dominate other South-East Asian countries in providing mission-critical components to seven huge US-based tech companies.
“Considering the capabilities possible, that can be engineered into these components to surreptitiously send back to China the IP collected from the associated networks and attached hardware where those components are located, it really does seem like the military should be highly motivated to rigorously test the security of all their hardware before implementing it within their digital environments and networks,” Herold warns.
This, however, did not seem to be the case. The recent Pentagon report shows that, despite recent US government warnings, Lexmark printers, for example, were still certified for use and available for purchase through the Navy Marine Corps Intranet COTS Catalog in February 2019.
The report attributes these failures to the DoD not having established an official team to develop a strategy for managing cybersecurity risks and to compile a list of approved products that staffers could consult before purchasing.
According to the report, the DoD tried to do this in the past through the Office of the Under Secretary of Defense for Research and Engineering Joint Federated Assurance Center. Unfortunately, the DoD is said to have failed to grant it operational capability, meaning any actual decision-making power.
“In serious societies and especially in governments, any device destined to be used for working purposes should go through a proper IT department,” Quatrini says.
“There, security experts must carefully scrutinise the devices, both in terms of software installed, as well as their generic configuration. If the US DoD had actually analysed these devices in the first place, there’s no way they would have passed the checks.”
According to subject experts, insecure electrically-powered devices can pose a risk to economic and national security in military hands. Image courtesy of Pixabay.
When it comes to risks, theoretical considerations open up a wide spectrum of possibilities, precisely because nobody knows specifically what these devices are actually doing, Herold clarifies.
“However, if the military is using such devices within their networks, and in the field, at a high level it creates the possibility of significantly heightened risks to not only US national security, but also economic security.”
Given this, Herold explains, we should be asking ourselves questions such as: what are these devices sending to economic competitors in other countries? What military secrets are they sending to countries that may be providing weapons and computing devices to nations with which the US is actively engaged militarily?
“Bottom line, ignorance of such vulnerabilities in the devices the US military is using is not bliss; the lack of full awareness and transparency into the actions and subversive data sharing/leaking/stealing of the devices in the military’s digital environment could lead to catastrophic events.”
Herold says US government leaders and intelligence agencies often seem consumed by efforts to compel backdoors in security tools, such as encryption, in the name of security, while at the same time ignoring the more significant threats that using these vulnerable devices presents to the US.
“It’s like requiring everyone’s house to use five different types of locks on the front door, while not caring that the back yard gate, back doors, and all the windows in the house, are left wide open. Short-sighted consideration of security risks leads to wide-ranging exploitations of those risks to the detriment of entire nation-state populations.”
A Possible Solution?
Shortly after the publication of the Pentagon’s report, two US senators introduced a bipartisan bill named the Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS) Act.
If passed, it would create a government agency in charge of testing the hardware and software that ultimately goes into the supply chain of the US military and other federal agencies.
“The current US military standards need to be updated to reflect the evolving threat landscape that currently is changing as a result of new tech, which seems by all published accounts, too often buggy from a security perspective, and not patched or fixed adequately by the IT providers who are all trying to release their devices as soon as possible for economic competitive advantage,” Herold explains.
“More rigorous security testing is needed on devices before they are released into production.”
All US organizations should also cease accepting the increasingly common practice of IT companies making buggy devices available, and then fixing found vulnerabilities within them after the fact, she adds.
“We need to stop playing security-whack-a-mole with the tech we are using not only in the military and government, but also in all other types of organizations. If large tech companies would truly realize the value of more rigorous security and privacy testing of their tech before making it available, and see that it would be a competitive differentiator—imagine all the IP that would not be stolen, the military secrets that would stay secret, and the breaches that could be prevented.”
On the other hand, Steinberg notes that, rather than introducing new regulations and standards, existing ones should be enforced more effectively.
“If the DoD has policies against using a particular device, employees should not be able to purchase such devices and connect them to DoD networks—regardless of the purchase price,” he explains.
“Those devices should obviously also not appear in any internal COTS catalogues, and the risks of using such devices should be communicated clearly to everyone working within the DoD. Once such communication has been sufficiently delivered, there should be consequences put in place for ignoring such directives.”