Is Your Iron Spying on You?

While inspecting shipments from China, Russian customs agents found something odd. Inside several of the kettles and irons they found WiFi chips and microprocessors. If the devices were plugged in, the chips would search for unsecured WiFi networks up to 650 feet away, then “call home” to grant access to cybercriminals.

While the unusual form of cybercrime took researchers by surprise, it was only the latest in an emerging threat of hacked electronics coming straight from the Chinese factories.

There is a long list of devices riddled with backdoors, infected with malware, or fitted with spying devices before leaving Chinese factories. These range from kettles to laptops, from USB keys to cameras, and from consumer software right up to military components.

In June 2011, Hong Kong newspaper Apple Daily uncovered recording devices installed in all dual-plate Chinese-Hong Kong vehicles. They were labeled as “inspection and quarantine cards,” and were installed free of charge by China’s Shenzhen Inspection and Quarantine Bureau.

In June 2010, an auto-run virus in China-made memory cards in Olympus Stylus Tough cameras was infecting computers in Japan. The virus was uncovered just a week after an identical virus was in the memory cards of Samsung smartphones. Prior to that were viruses in devices including China-made TomTom GPS systems, and Insignia digital picture frames sold at major outlets, including Best Buy, Target, and Sam’s Club.

While the recently discovered chips in kettles and irons were among the more bizarre cases, they were also among the least sophisticated. They only targeted WiFi networks not protected with passwords. In Russia, where the devices were found, this would have been a threat. In the United States, where most networks are protected, it wouldn’t be much of a threat.

Yet, the concern is less about the chips themselves, and instead what they could mean for the future of cyberthreats.

“This is a generation beyond what we’ve seen before,” said Chester Wisniewski, senior security advisor at cybersecurity company Sophos, regarding the spy kettles and irons.

Wisniewski said the chips were not very concerning, yet with a bit of work they could be. They could easily be programmed to bypass password protected networks, and being both small and inexpensive, the recent discovery could very well be only the tip of the iceberg.

“Who’s to say these things couldn’t be put into any device on anybody’s home network,” he said. “They could be in anything you plug in. Anything that gets power, this kind of thing can be hidden inside it.”

A Hidden Threat

Greg Schaffer stood before congress on July 8, 2011. At the time, Schaffer worked in the cybersecurity office of the Department of Homeland Security. He was asked whether there are risks of having electronics built overseas.

Schaffer tried avoiding the question. Yet when he was pressed to give a clear answer, Schaffer gave a short, yet grim response.

Schaffer said he knew of cases where foreign-made devices had been pre-installed with infected software or hardware, noting “We believe there is significant risk in the area of supply chain.”

“This is one of the most complicated and difficult challenges that we have,” he said.

Schaffer’s on-record admission to the problem was one of few. Yet, the problem of spying electronics coming out of China, in particular, is frequent and ongoing.

Some of the most common vulnerabilities are “backdoors” left in products. These can resemble programming errors left by the creators—the nature of which makes it difficult to prove whether the backdoors are intentional or unintentional.

Backdoors in Chinese routers are frequently exposed by security researcher and former NSA employee Craig Heffner. Within the last month, Heffner uncovered several backdoors in routers from Chinese manufacturer Tenda, which sells Medialink routers, as well as routers from D-Link. D-Link is headquartered in Taiwan, but its routers are manufactured in Mainland China.

Heffner told We Live Security, the blog of cybersecurity company ESET, that a Nov. 10 backdoor in D-Link routers appears to have been left deliberately.

“You can access the Web interface without any authentication and view/change the device settings,” Heffner said, noting that the access code for the backdoor was found on a Russian cybercrime forum.

Huawei

The most controversial routers come from Chinese telecom companies ZTE and Huawei. The House Intelligence Committee released a report in October 2012 warning American businesses to avoid the two companies due to security risks. Similar warnings against Huawei, in particular, have been upheld by governments around the world, including in Taiwan and Australia.

“China is known to be the major perpetrator of cyber espionage, and Huawei and ZTE failed to alleviate serious concerns throughout this important investigation,” said Mike Rogers, chairman of the House Intelligence Committee, in a press release. “American businesses should use other vendors.”

Huawei has launched a public relations campaign to fire back, yet independent research has only justified concerns. Just prior to the report from the House Intelligence Committee, in July 2012, security researchers at hacker conference Defcon uncovered critical, and extremely basic, vulnerabilities in Huawei routers.

“This stuff is distrusting,” Dan Kaminsky, a well-known security researcher, told International Data Group News Service. “If I were to teach someone from scratch how to write binary exploits, these routers would be what I'd demonstrate on.”

They also noted that, going with Huawei’s infamous lack of transparency, it had no security contact for reporting vulnerabilities.

According to Wisniewski, however, the nature of the threats—and of cybersecurity, in general—makes it difficult to prove guilt.

“The problem is there’s a scarcity of truth, and there is unlimited room for speculation,” Wisniewski said. “Only the person who wrote the code knows.”