Print

Mail

wiki links

High-tech gadgets with that little extra: pre-installed viruses

By jordan robertson
AP, SAN JOSE, CALIFORNIA
Sunday, Mar 16, 2008, Page 12

Computer consultant Jerry Askew poses with a digital photo frame at Askew Network Solutions in Granada Hills, California, on Feb. 7. The frame, bought at a Target store, tried to load four Trojan viruses onto his computer. PHOTO: AP

From iPods to navigation systems, some of today's hottest gadgets are landing on store shelves with some unwanted extras from the factory -- pre-installed viruses that steal passwords, open doors for hackers and make computers spew spam.

Computer users have been warned for years about virus threats from downloading Internet porn and opening suspicious e-mail attachments. Now they run the risk of picking up a digital infection just by plugging a new gizmo into their PCs.

Recent cases include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores and TomTom navigation gear.

In most cases, Chinese factories -- where many companies have turned to keep prices low -- are the source.

So far, the virus problem appears to come from lax quality control -- perhaps a careless worker plugging an infected music player into a factory computer used for testing -- rather than organized sabotage by hackers or the Chinese factories.

It's the digital equivalent of the series of tainted products traced to China, including toxic toothpaste, poisonous pet food and toys coated in lead paint.

Yet although sloppiness is the simplest explanation, its is not the only one.

If a virus is introduced at an earlier stage of production, by a hacker when software is uploaded to the gadget, then the problems could be far more serious.

Knowing how many devices have been sold or tracking the viruses is impossible because of the secrecy kept by electronics makers and the companies they hire to build their products.

But given the nature of manufacturing, the numbers could be huge.

"It's like the old cockroach thing -- you flip the lights on in the kitchen and they run away," said Marcus Sachs, a former White House cybersecurity official who now runs the security research group SANS Internet Storm Center. "You think you've got just one cockroach?"

Jerry Askew, a Los Angeles computer consultant, bought a Uniek digital picture frame to surprise his 81-year-old mother for her birthday. But when he added family photos, it tried to unload a few surprises of its own.

When Askew plugged the frame into his PC, his antivirus program alerted him to a threat. The US$50 frame, built in China, had four viruses, including one that steals passwords.

Security experts say the malicious software is apparently being loaded at the final stage of production, when gadgets are pulled from the assembly line and plugged in to a computer to make sure everything works.

If the computer is infected -- say, by a worker who used it to charge his own infected iPod -- the digital germ can spread.

The recent infections may be accidental, but security experts say they point out an avenue of attack that could be exploited.

"We'll probably see a steady increase over time," said Zulfikar Ramzan, a computer security researcher at Symantec Corp. "The hackers are still in a bit of a testing period -- they're trying to figure out if it's really worth it."

Thousands of people whose antivirus software isn't up to date may have been infected by new products without even knowing it, experts warn. And even protective software may not be enough.

In one case, digital frames sold at Sam's Club contained a previously unknown bug that not only steals online gaming passwords but disables antivirus software, security researchers at CA Inc said.

One information-technology worker wrote to the SANS security group that his digital picture frame delivered "the nastiest virus that I've ever encountered in my 20-plus-year IT career."

Monitoring the suppliers in China and elsewhere is expensive and cuts into the savings of outsourcing. But it's what US companies must do to prevent poisoning on the assembly line, said Yossi Sheffi, a professor at the Massachusetts Institute of Technology specializing in supply chain management.

"It's exactly the same thing, whether it happened in cyberspace or software or lead paint or toothpaste or dog food -- they're all quality control issues," Sheffi said.

The AP contacted some of the largest electronics manufacturers for details on how they guard against infections -- among them Taiwan's Hon Hai Precision Industry Co (鴻海精密), Quanta Computer (廣達電腦) Inc and Asustek Computer Inc (華碩電腦), as well as Singapore-based Flextronics International Ltd.

All declined to comment or did not respond.

The companies whose products were infected in cases reviewed by the AP refused to discuss the details of the incidents. Of those that confirmed factory infections, all said that they had corrected the problems and taken steps to prevent any recurrences.

Apple disclosed the most information, saying the virus that infected a small number of video iPods in 2006 came from a PC used to test compatibility with the gadget's software.

Best Buy said it pulled its affected China-made frames from the shelves and took "corrective action" against its vendor. But the company declined requests to provide details.

Sam's Club and Target say they are looking into complaints.

Legal experts say manufacturing infections could become a big headache for retailers.

"The photo situation is really a cautionary tale -- they were just lucky that the virus that got installed happened to be one that didn't do a lot of damage," said Cindy Cohn, of the Electronic Frontier Foundation. "But there's nothing about that situation that means next time the virus won't be a more serious one."
This story has been viewed 815 times.