At FortiGuard, we take our duty to protect our customers from threats, malware, zero-day exploits and other forms of cyberattacks very seriously. Our customers can sleep well knowing that 24 hours a day we are always on guard and stationed on the front lines keeping their networks safe and secure.
The new Open Trusted Technology Provider Standard (O-TTPS) will help in protecting our customers. As stated in their publication: "The O-TTPS is an open standard containing a set of organizational guidelines, requirements, and recommendations for integrators, providers, and component suppliers to enhance the security of the global supply chain..."
Once this standard has been fully implemented by hardware manufacturers, customers of all colors (organizations, businesses, governments and end users) should be safe from malware being hidden inside IT products and devices before they ever hit the store shelves.
Adoption of O-TTPS should help prevent malware like Nitol, which was found being inserted into PC's on the production line as reported by the BBC. Nitol is capable of a lot of nasty activities - which in turn made it easy to spot. Other pieces of malware may not be so overt.
Imagine if a small piece of code embedded into a software package made its way onto a PC at the factory. It does nothing other than check for an active connection to the Internet. If no connection is found, it 'sleeps' and checks again another day. It wouldn't take much effort for cybercriminals to recruit an unscrupulous worker at the factory to insert this code into the production line; likely it would be unnoticed. Once the PC makes its way from the factory floor to the store shelf and then to the home, the code will 'wake up', detect an Internet connection, and then download other components or malware, likely without detection.
Adoption of the O-TTPS standard by hardware manufacturers should help mitigate scenarios like this altogether going forward.
Raul Alvarez is a Senior Security Researcher with FortiGuard Labs. Raul is a regular contributor to the antimalware industry publication Virus Bulletin.
Additional content from Richard Henderson.