A Naked Security story reports that Check Point analyzed Android devices owned by two large companies and found malware infections on 36 of them. The users hadn't downloaded the malware - it arrived with the devices, meaning it was installed somewhere along the supply chain.
The malware in the phones ranged from adware that displayed illegitimate commercials to information stealers. There was even a mobile ransomware instance lurking on some of the phones. In this case, attackers installed malware on device ROMs using system privileges, meaning that the user couldn't get rid of it.
So you might not want to look at that box with utter glee that your new phone is here. It may have come with "a little something extra."
A device goes through multiple stages at the factory before shipping to logistics companies that may hand it off to yet more logistics firms multiple times. Eventually, it will hit the local sales channel, where there are also many opportunities for bad guys to get their hands on it.
There have been cases of supply chain compromise in other devices, too, with malware turning up in something as innocuous as a digital picture frame. In an Internet of Things world, looking innocuous isn't worth a tinker's dam.
Perhaps the most insidious supply chain compromise yet is the one carried out by the US government. Glenn Greenwald's book No Place To Hide revealed how the NSA systematically intercepts the delivery of computer network devices and redirects them to a secret Tailored Access Operations location. Its operatives install "beacon implants" before repackaging them and sending them on their way. This then gives the organization direct access to "hard target" networks around the world.
The outrage felt by Cisco about the NSA's campaign impelled it to begin shipping boxes to vacant addresses for its more sensitive customers, making it more difficult for government agents to identify shipments destined for interesting targets.
There are best practices to help minimize the risk of compromise. Only buy from top-name vendors. Check which encryption standard the vendor is using and whether it has a known weakness. Use multiple encryption technologies rather than relying on the manufacturer's chosen one. Segment assets that hold data from each other, so that if one device or network segment is compromised, attackers can't move laterally through the organization.
Another, more controversial, measure might be to look at the product's own technology ecosystem and conduct a risk analysis. Android phones are the ones getting compromised at the factory because Android is an open source operating system and manufacturers have a great deal of latitude in how they configure it.
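One practical check for the factory-installed case described above, added here as an example (it is not from the Naked Security story or the Check Point report): inventory the packages living on a new device's firmware partitions with `adb shell pm list packages -f` and diff them against a baseline recorded from the vendor's reference firmware. The sample output, package names and baseline are constructed, and the availability of such a golden image is an assumption.

```python
import re
from typing import Dict, Set

# Partitions that ship as part of the firmware image. Apps here run with
# system privileges and cannot be uninstalled by the user, only disabled,
# which is exactly why ROM-level malware is so hard to get rid of.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/oem/")

# Constructed sample of `adb shell pm list packages -f` output from a new device.
# Package names are made up for this example.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/vendor/app/CameraService/CameraService.apk=com.example.vendor.camera
package:/system/priv-app/Helper/Helper.apk=com.example.unknown.helper
package:/data/app/com.example.userinstalled-1/base.apk=com.example.userinstalled
"""

# Constructed baseline: firmware packages recorded from a device flashed with the
# vendor's reference image (assumption: such a golden image is available).
BASELINE_SYSTEM_PACKAGES = {
    "com.android.settings",
    "com.android.calendar",
    "com.example.vendor.camera",
}

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def firmware_packages(packages: Dict[str, str]) -> Set[str]:
    """Packages installed on a firmware partition rather than under /data."""
    return {pkg for pkg, path in packages.items() if path.startswith(FIRMWARE_PREFIXES)}


def find_unexpected_system_packages(output: str, baseline: Set[str]) -> Set[str]:
    """Firmware-resident packages that the reference image does not contain."""
    return firmware_packages(parse_pm_list(output)) - baseline


if __name__ == "__main__":
    for pkg in sorted(find_unexpected_system_packages(SAMPLE_PM_OUTPUT, BASELINE_SYSTEM_PACKAGES)):
        print(f"firmware-resident package not in baseline: {pkg}")
```

A package flagged this way is not proof of malware, but it is the one kind of preload a user cannot remove, so it is the first thing to compare against the vendor's own image before the device goes into service.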
So what's in that box? You can never be sure . . .