From the original report, linked to by this article:
> A Chinese manufacturer (possibly many manufacturers) builds a wide variety of Android-based devices, including phones, tablets, and CTV boxes. At some point between the manufacturing of these products and their delivery to resellers, physical retail stores and e-commerce warehouses, a firmware backdoor—based on Triada malware—gets installed and the product boxes are sealed in plastic, priming these devices for fraud on arrival at their destination.
Isn't it OK to name that manufacturer and affected brands?
US brands deal all the time with dilution due to counterfeits made in sketchy factories.
Why protect the manufacturer/brands in this one case? Especially when there's a particularly problematic supply chain problem involving the manufacturer, and to which they might be especially vulnerable (if not complicit or even the perpetrator)?
In addition to the obvious reason of providing negative feedback to parties involved and in a position to improve, the last sentence of the article demonstrates how not naming them hurts legitimate but lesser-known/upstart brands who are not involved and who don't deserve the negative feedback:
> recommending that users choose familiar brands when purchasing new products.
> A Chinese manufacturer (possibly many manufacturers) builds a wide variety of Android-based devices, including phones, tablets, and CTV boxes. At some point between the manufacturing of these products and their delivery to resellers, physical retail stores and e-commerce warehouses, a firmware backdoor—based on Triada malware—gets installed and the product boxes are sealed in plastic, priming these devices for fraud on arrival at their destination.
It is probably not the case in this instance, but the NSA TAO does this for a living.
> Isn't it OK to name that manufacturer and affected brands?
Because it doesn't matter. It costs 0.01USD to change the name of the manufacturer and brand tag, or even to no-name at all. The entire factory line and staff can be renamed/reallocated by the customer's wish.
It matters a lot. Like this, the article contributes zero actionable information. Knowing the brand can at least make device owners aware that they should consider switching.
Also, the article might just as well avoid mentioning that the brand is Chinese. Like this, this article can be dismissed as slander against Chinese brands in general.
> Because it doesn't matter. It costs 0.01USD to change the name of the manufacturer and brand tag, or even to no-name at all.
I disagree, it does matter. It might not be a silver bullet that prevents this problem from ever happening again, but it helps the public stay away from devices that are already in the market and provides the necessary information to track and avoid manufacturers.
> It costs 0.01USD to change the name of the manufacturer and brand tag, or even to no-name at all.
It's still the same device. You can identify it by looking at it. It might not prevent further abuses, but it helps counter the ones already in place.
There are zero reasons to not name the manufacturer.
So force them to rename. The article acts as slander against long term Chinese companies that haven't renamed themselves and probably do as much or as little as the fake Western Brands to secure boot.
The non-US company will just keep shipping under a different brand name. It’s akin to playing whack-a-mole.
Any US companies targeting the US education system as clients come with insane markup (anything iPad). The US-based companies are still going to data collect (see Chromebooks). The schools are so underfunded, their only choice is to use cheap non-US knock-offs.
Idk, I used to work IT in schools and in NYS, funding is distributed to schools based on their poverty levels. So that wasn't the case, we were buying Chromebooks from reputable vendors and brands. Most all use Dell for regular laptops and desktops.
Microsoft charges next to nothing, and even subsidizes hardware, for edu MDM'd devices. Basic services are more expensive than enterprise, but not by much.
The second you want any educational specific SKUs, though, holy shit.
I think Microsoft, GitHub and many other companies also provide many free/subsidized services to those who can prove they're students, that includes even web hosting on AWS or DigitalOcean IIRC. Even leaving those aside, there are also plenty of open source options (such as LibreOffice) for those "services" and software that kids find useful.
> recommending that users choose familiar brands when purchasing new products.
Good luck with that. I have a friend that only buys no-name AliExpress specials, boasts about how cheap they are, and then bitches to me about all the problems he has with them.
That said, they do make a lot of interesting boards over there, for various purposes. There are a lot of interesting NUC variants, NAS motherboards and Pi-like cards.
Any good way to detect if their firmware has been backdoored once you got one in your hands?
> That said, they do make a lot of interesting boards over there, for various purposes. There are a lot of interesting NUC variants, NAS motherboards and Pi-like cards.
This. I recall I bought an Orange Pi Zero 512MB out of AliExpress for about $5. Great deal, but I would definitely not trust it to do anything with private info though.
If you’re concerned just stick it on a VLAN and restrict its access to whatever suits you. I have some crappy home automation stuff I restrict and only allow my devices to communicate with them, no outside access allowed.
It depends on who you order from, on Amazon. Delivery is reasonably fast (2 to 5 days around here) and the chance of getting a knockoff, whilst higher than it used to be, is still less than 100%. It’s far from perfect, but saying that it’s on par with Wish or AliExpress is not accurate at all. So yes, Amazon is in fact better.
Do a search for "residential proxy" and browse through the results a bit, all claiming to own millions and millions of exits in the entire world. The malware could be from the manufacturer or preinstalled apps since all app developers are contacted to inject various SDKs into their source code in order to act as residential proxy nodes and make profits based on the target's internet. It's on phones, Android TVs, routers etc. I wouldn't be surprised if some of the devices we, as technical users, use are infected - who reads that TOS when updating apps anyway?
And people wonder why Apple goes through the trouble of stopping fakes and not allowing third-party software (malware) on devices. Someone in the distribution chain hacks the device, rootkits it, then returns it to the setup state. The consumer would have 0 idea that their device is sending data back to some Chinese company for blackmail/adware/botnet/etc.
I'd love to see a foolproof solution that makes it so that only the (non-tech-savvy) person who actually purchased the device and owns it gets to install third-party software without risking a supply chain attack before it gets in their hands.
You're conflating a whole bunch of issues. iOS enforces the same sandbox on all installed apps, whether they were installed from the App Store, or using a developer or even enterprise distribution certificate. Opening up to competing App Stores, or allowing 'untrusted' sources, doesn't weaken this security posture. You'd still have to grant permissions to said 3rd party apps, and the kind of low level access you're talking about isn't even able to be granted without an exploit. If you have an exploit, then the current requirement to use Xcode to install your exploit code, isn't stopping anyone even today.
Apple's restrictions exist to protect their 30% cut of all software revenue. Any other benevolence you perceive to be there is naive.
Nearly all jailbreaks since iOS ~5~ 9[0] (besides checkm8 for A11 and earlier devices) have been via sideloading an app and running an exploit chain of sandbox escape->kernel exploit->some form of r/w mounting root (amongst other steps). The attack surface for the sandbox is so large it's basically impossible to ensure absolutely nothing bad happens inside it.
After some exploit gets patched is when all the inventory sitting in logistics become at risk of interception and compromise.
App Store has a number of manual and automated checks.
One of which is checking for private API usage which would allow developers to cause all sorts of unchecked havoc.
And because of the way Objective-C apps work i.e. dynamic dispatch you can't statically check for it in the binary when the app is launched. Nor can you realistically check it at runtime since that code path is the hottest there is and needs to be highly optimal.
I suspect that there will be an App Store SDK that third party stores will need to use that incorporates these sort of checks.
Sure, but private methods are another vector - tracking and bypassing the IDFA and potentially acting as official Apple Apps to use/abuse things like Carrier/SIM info[0], updating the wallpaper for the user[1], accessing call history[2], etc.
If you can't statically check for it, how does the app store check for it? Do they just open up the app and poke around with the runtime-private-api-detector enabled?
> Apple's restrictions exist to protect their 30% cut of all software revenue.
They don't need the App Store to do that. Xbox and Playstation have retail stores selling their software and they get a cut all the same because if they refuse to sign your game executable ... it won't run on end user machines.
During boot, display a message: "Bootloader unlocked. Non-Apple-approved software has been installed. Unless you did this, the device may be compromised. To factory-reset the device, do the following.."
There are already phones that notify you of bootloader lock state. In fact, tamper-evident devices are a very old technology. It is only because it is profitable to them, does Apple pretend they don't exist.
Nobody is whining because this message is pure security theater. It can be removed by the very same rootkit that "unlocks" your bootloader. The message would have to be unremovable to be useful and if Apple does that the whining starts.
The issue is really complicated. People demand the right to repair. They also want to be able to buy cheap 3rd party replacement parts instead of paying a premium for Apple's official parts. But then they also don't want to be hit with malware.
Apple puts a lot of effort into having a secure, verified supply chain. That costs money. Unfortunately, the benefits of all that effort are hard for most people to measure. Apple measures it by looking at their overall reputation. They'd rather be known for having expensive products than for faulty or untrustworthy ones.
As a counter-example, consider the Precursor[1] whose CPU is "... an SoC on an FPGA, which means you can compile your CPU from design source and verify for yourself that Precursor contains no hidden instructions or other backdoors."
Device manufacturers could ship firmware as FPGA images, such that end-users can start with a "blank slate" and then install arbitrary firmware upon delivery. They choose not to.
Of course there will always be objections to any change. Everything is a trade-off. But if you wanted a truly secure device, you have to start with idea that every customer gets the same thing - a truly blank slate. It's only recently, and with incredible device density, that this assumption has changed. The fact that manufacturers CAN put extra CPUs and CAN put unique hidden, immutable data in your computer does mean it MUST be so. This is simply the path we've been going down for about the last 20 years or so. It doesn't mean we have to keep going down that path.
I'd also add that computers have multiple CPUs, and an FPGA and an M1, for example, could coexist, with the FPGA serving as the BIOS and firmware repository. I think there are real and frankly chilling reasons why manufacturers will not take this approach, and it's not because of economics. A truly free device is a threat to the establishment.
I was at my assembler and picked up a 30 layer PCB with two $5000 Xilinx FPGAs on it. Military application, really cool. They weren't even special or rad hardened for space.
But “it’s FPGA and you can see the code”… ok, fucking lol though. HeartBleed OpenSSL was an issue for how many years and the code was open to a hundred million people who could read it in some language. I know FPGA developers they couldn’t even remotely follow a softcore CPU configuration. You are talking about less than 100,000 people in the world, and even that is probably way generous, maybe 30k?
You've obfuscated a good point. Open-source is a necessary, but not sufficient condition for openness. Actual human beings must also understand the source well enough to audit it and modify it. If Heartbleed occurred in closed source, it would still be an active problem. The vendor would be reluctant to even admit the flaw, because it makes them look bad. And the whole world realized that one guy was maintaining OpenSSL, and he was on the edge of poverty. It was a wake-up call. Thousands of devs looked at the code, and understood it well enough to patch and fork.
It's also true that, because of historical accidents, we have several more examples of https://xkcd.com/2347/. However, that's not an argument against open source. It's an argument that we all should take ownership of what we ship, all the way down, without exception. An open CPU definition is a necessary, but not sufficient, requirement for this level of ownership.
> They also want to be able to buy cheap 3rd party replacement parts instead of paying a premium for Apple's official parts. But then they also don't want to be hit with malware.
This is a strawman - people want to be able to buy from Apple's manufacturers at the component level, i.e. they want to be able to buy the $5 charge port instead of being forced to buy the $1300 mainboard the charge-port is soldered onto. Apple deliberately prevents their manufacturers from selling the exact same part to third party repairers, while simultaneously refusing to sell it themselves.
Apple has two satisfactory options here: either stop actively blocking their manufacturers from selling direct, or start selling the components themselves.