Two stories caught my eye yesterday.
First, a company named Newegg shipped counterfeit Intel i7 chips to customers, who received a clay mold and a piece of scrap metal rather than a real processor. Intel and others are investigating this situation.
In another story, the Energizer Duo Charger, a laptop battery charger kit made up of hardware and software, was found to contain a Trojan horse program in its optional battery charge monitoring software (note: the Trojan impacts Windows but not Macintosh computers). When activated, the Trojan, which opens port 7777, can install files, read directories, or communicate with remote hackers. Energizer is cooperating with US-CERT to try to figure out how the code got into its product.
How are these stories related? Both describe an issue that gets little attention: cyber supply chain assurance.
The cyber supply chain is made up of a network of suppliers, distributors, business partners, and customers who share cyber business processes, develop technology, and distribute products. Since the cyber supply chain comprises a vast network of companies, one weak organization or bad apple can compromise products and thus create vulnerabilities for all downstream parties.
With the Intel case, it appears that someone corrupted the distribution chain. With Energizer, it seems that a rogue developer or software tester was introduced into the development cycle.
So here's the problem. In general, we trust that the products we purchase are safe. That is a bad assumption, as the Intel and Energizer examples point out. This also holds true for technology vendors themselves, who ultimately integrate a bunch of microprocessors, specialized chips, and software code together. Could any of these components be tainted? Absolutely.
Here's a scary statistic. In a recent study, the U.S. Department of Defense found that only 2% of all the microprocessors and integrated circuits purchased are actually manufactured in the United States. This gives foreign adversaries ample opportunity to tamper with critical systems in a way that is extremely hard to detect.
Technology is developed by distributed groups of engineers and outsourced firms across the globe. Final assembly is often done offshore. Distributors install software on systems and then re-package them. Software security testing is often weak or ignored.
The Intel and Energizer examples prove that trusted vendor products can be tampered with in the supply chain. We need to address this with the right knowledge, processes, and countermeasures. Continuing to ignore it will lead to more and more Intel- and Energizer-like events.