What is product traceability?
Product supply-chain traceability is a very important aspect of manufacturing, as it contributes directly to product safety, quality, and, as an emerging trend, product sustainability and ethics.
In terms of safety, automotive manufacturers regularly announce product recalls to protect their customers from the failure of faulty parts, as well as to protect themselves by staying compliant and avoiding litigation. In a recent example, Rivian, an electric car company, issued a recall of all its vehicles due to a loose fastener in its steering.
Brand reputation is also a big driver for product traceability. For example, luxury jewelers make sure the diamonds they sell have a Kimberley Process Certificate to ensure that these are not blood diamonds (diamonds that are mined by exploiting workers and the environment).
In the software industry, however, traceability is still a weak point. For example, the Log4j vulnerability became a sticky issue for cybersecurity teams, as the main challenge it presented was not to fix and patch the vulnerability but rather to identify which software in their environment was using Log4j in the first place. This is the reason the idea of a software bill of materials (SBOM) is gaining traction: so that the whole industry can build traceability into software products.
Traceability in the Android ecosystem is an even bigger challenge due to its open architecture, as Android is designed to run on a wide range of mobile devices and vendors are allowed to create their own variants of the operating system. Most smartphone brands also do not have the in-house expertise to produce all the necessary components, such as the hardware, firmware, apps, and infrastructure for system updates, so many Android smartphones are simply rebranded from OEMs. Because of this, many Android brands do not have the slightest idea what went into the product they are selling and have been caught unaware when unwanted apps and security issues affected their products.
The problem with the Android software supply chain
Suppose that ACME telco (a fictitious company) wants to bundle a cheap smartphone into its subscription plans in order to push a new 5G data plan to the market. As ACME telco is not a smartphone manufacturer, ACME will outsource development and manufacturing of the device to an OEM vendor. All ACME needs to do is provide the expected spec, target price, and branding. This process is often referred to as “white labeling,” with the name coming from the fact that the OEM takes full responsibility for producing the device and simply leaves the brand label “white,” to be filled in by its customer.
Such convenience and cost cutting do not come without risks. The OEM will of course try to use the cheapest components that meet the specifications. And since smartphones don’t run on hardware alone, the firmware and custom apps in the device also have associated costs, which the OEM will cost-optimize as well. Firmware developers supplying the OEM might agree to provide the software at a lower cost because they can recover the lost profit through questionable means, for example by discreetly pre-installing apps from other app developers for a fee. There is a whole market built around this bundling service, with prices ranging from 1 to 10 Chinese yuan (approximately US$0.14 to US$1.37 as of this writing) per application per device. This is where the risk lies: as long as the firmware, bundled apps, and update mechanisms of the device are not owned, controlled, or audited by the smartphone brand itself, a rogue supplier can hide unauthorized code in them.
Furthermore, the malicious or unwanted code does not necessarily need to be fully installed during manufacturing. As smartphones are internet-connected anyway, the firmware and app update mechanisms of the device can be leveraged by rogue suppliers to install the malicious or unwanted code later, once the device is in actual use.
If the OEM lacks supplier visibility, component tracking, and integrity checks, it becomes hard to trace the rogue supplier responsible for the unauthorized code and to determine when the code was bundled into the product. The abuse of the firmware and app update mechanisms also means that the groups behind the operation can be selective in deploying whatever unauthorized app or code they want to inject into the device, at any time they choose, which makes diagnostics, incident response, and forensics much more complicated.
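One concrete integrity check of the kind this section calls for, as an added example that is not part of the original post: compare a device's installed-package inventory against the SBOM the brand signed off on, and diff two inventories taken over time to catch packages pushed later through the update channel. It assumes inventories come from `adb shell pm list packages -f` (lines of the form `package:<apk path>=<package name>`) and that the SBOM maps package names to their declared APK paths; all sample data is constructed.

```python
import re

# One line of `pm list packages -f` output: "package:/path/to/app.apk=com.example.pkg"
LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(output):
    """Parse `pm list packages -f` output into {package_name: apk_path}."""
    inventory = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unexpected lines instead of guessing
            inventory[m["pkg"]] = m["path"]
    return inventory


def check_against_sbom(inventory, sbom):
    """Flag packages absent from the SBOM and packages whose install path
    differs from the declared one (e.g. a swapped or relocated APK)."""
    findings = []
    for pkg, path in sorted(inventory.items()):
        if pkg not in sbom:
            findings.append(f"NOT_IN_SBOM {pkg} {path}")
        elif sbom[pkg] != path:
            findings.append(f"PATH_MISMATCH {pkg} declared={sbom[pkg]} actual={path}")
    return findings


def diff_snapshots(before, after):
    """Package names that appeared between two inventories; this is what
    surfaces code delivered after manufacturing via the update mechanism."""
    return sorted(set(after) - set(before))


# Constructed sample data (hypothetical package names and paths).
SBOM = {
    "com.android.settings": "/system/priv-app/Settings/Settings.apk",
    "com.acme.launcher": "/product/app/AcmeLauncher/AcmeLauncher.apk",
}
DAY0 = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/AcmeLauncher/AcmeLauncher.apk=com.acme.launcher
package:/vendor/app/Bundled/Bundled.apk=com.example.bundledad
"""
DAY30 = DAY0 + "package:/data/app/com.example.pushed-1/base.apk=com.example.pushed\n"

if __name__ == "__main__":
    inv0, inv30 = parse_pm_list(DAY0), parse_pm_list(DAY30)
    print("\n".join(check_against_sbom(inv0, SBOM)))
    print("new since day 0:", diff_snapshots(inv0, inv30))
```

Run against real devices by feeding the output of `adb shell pm list packages -f` into `parse_pm_list` and storing each inventory alongside its capture date.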
Why is Android supply-chain security important?
Gone are the days when a smartphone was just a phone with a camera that you could use to play games, listen to music, and watch movies. A modern smartphone is almost always connected to the internet (thanks to mobile data plans getting cheaper and cheaper) and runs productivity and enterprise apps, so you can do actual work on it.
Furthermore, smartphones have a mobile number that is then tied to online identities, either as part of two-factor authentication (2FA) or for checking the validity of an account. Aside from SMS-based 2FA, the authenticator apps used in corporate authentication systems also run on smartphones.
What should we do?
As Android phone users, if the smartphone is so important to our day-to-day tasks, shouldn’t we be more aware of the provenance of the components and software running in our smartphones?
Second, shouldn’t smartphone vendors exercise greater due diligence in sourcing their devices, deal only with vetted OEMs, and require product traceability and an SBOM?
Third, as infosec professionals, shouldn’t we review and vet which brands and models are acceptable before allowing enterprise and authentication apps to be installed on them?
These are the questions we need to ask ourselves, as there is currently no specific guideline or certification body to ascertain the integrity of Android smartphones and their firmware. We need to apply various levels of vendor and device accreditation, depending on risk appetite, to make sure that all devices are purchased from reputable brands that secure their supply chains and vet their suppliers.
Government bodies can also help encourage manufacturers and retailers by creating schemes that highlight products that comply with secure manufacturing and development practices. For example, Singapore and Finland have a Cybersecurity Labeling Scheme that offers a simplified overview of a product’s cybersecurity resilience through a four-level rating that involves checks on basic security, the developer’s declaration of conformance, third-party assessment, and penetration testing. While the current implementation only covers internet-of-things (IoT) devices such as routers and IP cameras, a similar scheme can be extended to cover smartphones.
As of today, rogue suppliers can remain hidden and continue their unethical business practices because there is no visibility into them. And because there is no visibility, accountability is hard to enforce. Increasing visibility through product traceability, an SBOM, and even government-supported assessment schemes will effectively narrow the window of opportunity for these rogue suppliers to hide.
From Fyodor Yarochkin, Vladimir Kropotov, Zhengyu Dong, Paul Pajares, and Ryan Flores