D-Link, Cisco Incidents Demonstrate Digital Supply Chain Issues

How confident are you in your networking equipment vendor? What about in the other suppliers whose software and hardware your vendor uses? Two incidents this week highlight the need for caution when dealing with your digital supply chain.

The first involves connected device vendor D-Link, which the FTC had taken to court over misleading customers about its poor cybersecurity practices. According to the Commission’s 2017 complaint, D-Link did not include basic security measures in its routers and IP cameras. It didn’t test its software properly, and it hard-coded user credentials into its systems. It exposed the private key it used to sign its own software on a public website for six months, and it stored access credentials in clear text on users’ smart phones.

Under the proposed settlement, D-Link must create a 20-year security program under which it conducts threat modelling on its devices and documents any risks to their data security. The order demands that it conduct pre-release code reviews and vulnerability tests on its software.

D-Link must also create a process for accepting vulnerability reports from security researchers, and maintain a database of code shared between its devices, making it easier to fix vulnerabilities across different products. It must also issue automatic firmware updates to devices that can accept them, the settlement says.

Will D-Link do the minimum that it can to comply, or will it follow the spirit of the settlement and truly bolster its security? Who knows? Will the FTC check? Probably not, unless another D-Link cybersecurity SNAFU emerges. It’s up to business customers to demand that these things happen and then check that they do. Unfortunately, few of them have enough clout. The alternative, for both consumers and smaller businesses alike, is to vote with their wallets and buy elsewhere.

Let’s not forget that if you audit a vendor, it makes sense to demand that they do the same for their own suppliers. When you use a technology product, you’re also using a mishmash of third-party software and hardware that the vendor relies upon.

This brings us to the case of Cisco, which released an advisory this week affecting its Cisco Small Business 250 Series Switches.

German cybersecurity company SEC Technologies used its IoT Inspector software to scan the Cisco switches and found a private digital key, along with certificates registered to gary.wu1(at)huawei.com. The key came from Futurewei Technologies, Huawei’s US-based research arm.

This might alarm some customers. Since May, Huawei has been on the US Entity List, which bans US firms from selling to it, following many allegations of industrial espionage. It is still on that list at the time of writing, despite a promise from the White House to lift the ban.

Cisco quickly moved to quash user concerns. The key was part of OpenDaylight, an open source package used for testing, and its developers had left it there by mistake, it said. The firmware didn’t use the key, it added, and it has now been removed in the latest versions. Phew.

Still, this highlights the need to confirm that your suppliers monitor the software they use in their equipment and understand how they have configured and used it.

Quoting SEC Technologies: “As a vendor who builds software in-house, even more so if you are cooperating with third parties, you want to know exactly what ends up in a firmware before you ship it to your customers.”
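The two checks the article keeps coming back to, knowing what ends up in a firmware image before it ships (the Cisco case) and keeping track of material shared between product lines (the D-Link settlement's shared-code database), can both be done with a small firmware scan. The example below is added here and is not code from Infosecurity Magazine, SEC Technologies, Cisco or D-Link; the firmware images, the PEM bodies and the e-mail address in them are constructed placeholders, and the "certificate" is only a DER fragment carrying an emailAddress attribute, not a valid X.509 certificate. It finds embedded PEM blocks, flags private keys, pulls any emailAddress attribute out of certificate DER, and then reports key material that appears in more than one image.

```python
import base64
import hashlib
import re

# Any PEM block: group 1 is the label ("RSA PRIVATE KEY", "CERTIFICATE", ...), group 2 the base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# DER encoding of the PKCS#9 emailAddress OID 1.2.840.113549.1.9.1, as used in certificate subjects.
EMAIL_ADDRESS_OID = bytes.fromhex("06092a864886f70d010901")


def pem_blocks(blob):
    """Yield (offset, label, der_bytes) for every decodable PEM block inside a binary blob."""
    for m in PEM_RE.finditer(blob):
        body = b"".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # header without a valid body: not a real PEM block
        yield m.start(), m.group(1).decode(), der


def email_addresses(der):
    """Return IA5String values that directly follow an emailAddress OID in DER data."""
    found, pos = [], 0
    while True:
        idx = der.find(EMAIL_ADDRESS_OID, pos)
        if idx < 0:
            return found
        tag_pos = idx + len(EMAIL_ADDRESS_OID)
        # IA5String tag 0x16 with a short-form length (< 128 bytes) is enough for an e-mail address.
        if tag_pos + 1 < len(der) and der[tag_pos] == 0x16 and der[tag_pos + 1] < 0x80:
            length = der[tag_pos + 1]
            found.append(der[tag_pos + 2 : tag_pos + 2 + length].decode("ascii", "replace"))
        pos = tag_pos


def scan_firmware(name, blob):
    """One finding per embedded PEM block; private keys are critical, certificates informational."""
    findings = []
    for offset, label, der in pem_blocks(blob):
        findings.append({
            "image": name,
            "offset": offset,
            "type": label,
            "fingerprint": hashlib.sha256(der).hexdigest()[:16],
            "severity": "critical" if "PRIVATE KEY" in label else "info",
            "emails": email_addresses(der) if label == "CERTIFICATE" else [],
        })
    return findings


def shared_material(all_findings):
    """Fingerprints seen in more than one image: the shared code/material a fix must cover everywhere."""
    by_fp = {}
    for f in all_findings:
        by_fp.setdefault(f["fingerprint"], set()).add(f["image"])
    return {fp: sorted(images) for fp, images in by_fp.items() if len(images) > 1}


# ---- constructed sample firmware images (placeholders, not real vendor firmware) ----
def _pem(label, der):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), b"\n".join(lines), label.encode())


def _fake_cert_der(email):
    # A SEQUENCE holding only an emailAddress attribute, mimicking a subject entry. Not a real certificate.
    inner = EMAIL_ADDRESS_OID + bytes([0x16, len(email)]) + email.encode("ascii")
    return bytes([0x30, len(inner)]) + inner


FAKE_KEY_DER = b"constructed placeholder, not a real key"  # stands in for leftover test-key material

FIRMWARE_IMAGES = {
    "switch-fw-1.0.bin": b"\x7fELF" + b"\x00" * 12
                         + _pem("RSA PRIVATE KEY", FAKE_KEY_DER) + b"\x00" * 16
                         + _pem("CERTIFICATE", _fake_cert_der("leftover-test-key@example.com")) + b"\xff" * 8,
    "switch-fw-1.1.bin": b"hsqs" + b"\x00" * 28 + _pem("RSA PRIVATE KEY", FAKE_KEY_DER),  # same key reused
    "camera-fw-2.3.bin": b"\x00" * 32,  # clean image: nothing embedded
}


def scan_all(images=FIRMWARE_IMAGES):
    return [f for name, blob in images.items() for f in scan_firmware(name, blob)]


if __name__ == "__main__":
    findings = scan_all()
    for f in findings:
        print(f"{f['image']}: {f['severity']:8} {f['type']} at 0x{f['offset']:x} emails={f['emails']}")
    for fp, images in shared_material(findings).items():
        print(f"material {fp} is shared by {', '.join(images)}")
```

Run it as-is to see the three constructed images scanned; point `scan_firmware` at real bytes read from a firmware file to use it on an actual image. Real vendor scanners also unpack compressed filesystems and look for non-PEM key formats; this block only covers PEM blocks in the raw image, which is what the leftover OpenDaylight material in the article would have looked like if stored that way.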
