Some viruses come pre-installed
From iPods to navigation systems, some of today's hottest gadgets are landing on store shelves with some unwanted extras from the factory - pre-installed viruses that steal passwords, open doors for hackers and make computers spew spam.
Computer users have been warned for years about virus threats from downloading internet porn and opening suspicious e-mail attachments. Now they run the risk of picking up a digital infection just by plugging a new gizmo into their PCs.
Recent cases reviewed by The Associated Press include some of the most widely used tech devices: iPods, TomTom navigation gear, and digital picture frames sold at Target and Best Buy.
In most cases, Chinese factories - where many companies have turned to keep prices low - are the source.
So far, the virus problem appears to come from lax quality control rather than organized sabotage by hackers or the Chinese factories. It's the digital equivalent of the recent series of tainted products traced to China, including toxic toothpaste, poisonous pet food and toy trains coated in lead paint.
If a virus were introduced at an earlier stage of production by a corrupt employee or hacker, when the software is uploaded to the device, the problems could be far more serious and widespread than they are now.
Knowing how many devices have been sold or tracking the devices with any precision is impossible because of the secrecy kept by electronics makers and the companies they hire to build their products. But given the nature of mass manufacturing, the numbers could be huge.
"It's like the cockroach thing - you flip the lights on and they run away," says Marcus Sachs, a former White House cybersecurity official. He now runs the SANS Internet Storm Center. "You think you've got just one cockroach? There's probably thousands more that you can't see!"
Jerry Askew, a Los Angeles computer consultant, bought a Uniek digital picture frame to surprise his 81-year-old mother for her birthday. But when he added family photos, it tried to unload a few surprises of its own. When he plugged the frame into his Windows PC, his antivirus program alerted him to a threat. The $50 frame, built in China and bought at Target, was infested with four viruses, including one that steals passwords. "You expect quality control from the manufacturers," says Askew, 42. "You don't expect a virus!"
Security experts say the malicious software is apparently being loaded at the final stage of production, when gadgets are pulled from the assembly line and plugged into a computer to make sure they function properly. If the testing computer is infected, the digital germ can, in some instances, spread to anything else that gets plugged in.
The recent infections may be accidental, but security experts say they point out an avenue of attack that could be exploited by hackers. "We'll probably see a steady increase over time," says Zulfikar Ramzan, a computer security researcher at Symantec. "The hackers are still in a testing period; they're trying to figure out if it's really worth it."
In one case, digital frames sold at Sam's Club contained a previously unknown virus that steals gaming passwords and disables antivirus software, according to researchers at CA Inc. One IT worker wrote to the SANS security group that his new digital picture frame delivered "the nastiest virus that I've ever encountered in my 20-plus IT career." Another complained his new external hard drive malfunctioned because it came loaded with a password-stealing virus.
Monitoring suppliers in China and elsewhere is expensive, and cuts into the low cost that made U.S. and other developed countries want to use outsourcing in the first place. But it's what the companies must do if they want to prevent poisoning on the assembly line, said Yossi Sheffi, a professor at the Massachusetts Institute of Technology who specializes in supply chain management.
While manufacturing breakdowns don't happen often, they have become frequent enough - especially amid intense competition among Chinese suppliers - to warrant more scrutiny by the companies that rely on them, Sheffi said.
"Most of the time it works," he said. "The Chinese suppliers have every reason to be good suppliers because they're in it for the long run. But it's a higher risk, of which we've now seen the results."
The Associated Press contacted some of the world's largest electronics manufacturers for details on how they guard against infections - among them Hon Hai Precision Industry Co., which is based in Taiwan and has an iPod factory in China; Singapore-based Flextronics International Ltd.; and Taiwan-based Quanta Computer Inc. and Asustek Computer Inc. All declined comment or did not respond.
The companies whose products were infected in cases reviewed by AP refused to reveal details about the incidents. Of those that confirmed factory infections, all said they had corrected the problems and taken steps to prevent recurrences. Apple disclosed the most information, saying the virus that infected a small number of video iPods in 2006 came from a PC used to test compatibility with the device's software.
Best Buy, the biggest consumer electronics outlet in the U.S., said it pulled its affected China-made frames from the shelves and took "corrective action" against its vendor. Sam's Club and Target say they are investigating complaints but have not been able to verify their frames were contaminated.
Associated Press, 3/13/2008