Pre-Infected PCs Expose Flaws In Global Supply Chain

'Along For The Ride': Pre-Infected PCs Expose Flaws In Global Supply Chain
woman and keyboard
woman and keyboard

Experts offer all kinds of advice to protect computers from hackers: Use strong passwords. Keep your software updated. Don’t click on suspicious links or attachments.

But even the most cautious consumers can become victims when cyber-criminals hack their laptops before they even buy them.

On Thursday, researchers at Microsoft said they found PCs and laptops in China that were embedded with malicious software before they had reached consumers. The computer virus could allow a hacker to switch on a microphone or Webcam, record keystrokes and access users’ login credentials and online bank accounts.

Microsoft's findings highlighted what experts say is a cybersecurity flaw without a clear solution. Electronics companies rely on a long, complex supply chain in China for cheap parts and labor, yet experts say China has become a growing source of computer hacking against American companies, government and consumers.

“It’s one of the toughest cybersecurity challenges out there,” said Tom Kellermann, vice president of cybersecurity at Trend Micro. “There’s not really a solution unless you start to only build computers in the USA again.”

In a blog post, Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said Thursday his company had found retailers who were selling computers loaded with counterfeit versions of Windows software infected with a computer virus called Nitol.

Boscovich said it was "especially disturbing" because the malicious software could have entered the supply chain "at any point."

Consumers can spot dangerous counterfeit technology if the deal “appears too good to be true,” he said. "However, sometimes people just can’t tell, making the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware."

This isn't the first time a tech product from China has been suspected of having pre-loaded malicious software. In 2008, numerous federal agencies -- including the Defense Department and the Federal Aviation Administration -- purchased fake Cisco routers, which are widely used to manage Internet traffic.

An FBI investigation found the counterfeit Cisco equipment could be used to "gain access to otherwise secure systems."

Then in May, the Senate Armed Services Committee released a report that cited 1,800 cases of counterfeit electronics, mostly from China, in the Pentagon's supply chain, including fake parts used in the Air Force's largest cargo plane and Special Operations helicopters.

Meanwhile, the House Intelligence Committee has been investigating Huawei Technologies and ZTE over claims the two Chinese telecom firms sell equipment that allows hackers to help the Chinese government spy on American companies.

American officials have raised concerns about Huawei because the company's founder and chief executive, Ren Zhengfei, formerly served in the China’s People’s Liberation Army, creating the appearance of a close relationship between the company and the Chinese government.

“Huawei and ZTE provide a wealth of opportunities for Chinese intelligence agencies to insert malicious hardware or software implants into critical telecommunications components and systems,” committee Chairman Mike Rogers said at a hearing Thursday.

In testimony at the hearing, executives from Huawei Technologies and ZTE both denied the allegations and said they have been unfairly singled out.

While the American government resisted Huawei's efforts to conduct business in the United States, American tech companies have not shied away from relying on Chinese companies for manufacturing.

For many companies, the cost savings of using Chinese labor outweighs any perceived cybersecurity threats posed by China, said Scott Aken, a former FBI special agent who dealt with cyber counterintelligence.

Aken said some companies have trouble determining where every part in their products come from. He said the Department of Homeland Security has been working on securing the global supply chain, but "the scale of the problem has thrown the government through a loop."

A DHS spokesman did not respond to a request for comment.

"Companies are in a competitive dogfight to make products cheaper and hit the market faster," Aken said. "They're not spending time or money to ensure those products they are sourcing from overseas are devoid of counterfeits."

Mark Rasch, director of privacy and security consulting for Computer Sciences Corporation, said electronics contains thousands of parts from hundreds of suppliers. "We don't know the provenance of much of that," he said. "As a result, a lot of it is potentially embedded with vulnerabilities and malicious code."

On Thursday, Boscovich, of Microsoft, said 20 percent of PCs his researchers bought in China in a recent study were infected with a virus before they were taken out of their boxes.

Suppliers, resellers, distributors and retailers need to adopt stricter policies to ensure the computers and software they purchase come from a trustworthy source, he said.

In a video on Boscovich's blog, a narrator warns: "If you don't know where your computer or software comes from, you never know what comes along for the ride."

CORRECTION: This story previously described Microsoft found malware pre-installed onto computers at the factories. Rather, the malware was loaded onto computers after being shipped by the original manufacturer to a distributor, transporter, or reseller.

Before You Go

#9: Pakistan

Top 9 Spamming Countries

Popular in the Community