SANS ISC: Digital Hitchhikers Part Four

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

If you recall, we started this thread on Christmas day with a short story about an infected digital photo frame purchased at a Sam's Club.  We were contacted by the Wal-Mart's security team (Sam's Club is owned by Wal-Mart) a few days later.  They were aware of the problem as a result of reading our diary but could not replicate it with any frames they tested.  We also contacted the distributer of the frames (Advanced Design Systems) and they could not duplicate the problem either.   Since that original story we published an update on January 4th asking if anybody had seen similar problems with any device recently purchased that used a USB connection to communicate with a host computer.  That led to a second update on January 7th that contained more details about other devices that were infected.  Since then, more devices have been reported to the Internet Storm Center as being infected with malware and there have been a few media reports.

Of interest is a report this past week saying that Best Buy pulled thousands of digital photo frames from their shelves based on the presence of malware.  The supplier of the frames, Insignia, posted the technical information on their web site.  One of our readers observed that the photo frames purchased at Sam's Club have remote controls remarkably similar to the ones sold at Best Buy.  Check it out yourself:

Best Buy's frame and remote, distributed by Insignia.

Sam's Club's remote, distributed by Advanced Design Systems

The remotes are not exactly the same but the similarities are striking.  This led our reader to ponder whether there are more commonalities in these devices.  He suggested that looking at the two motherboards might offer clues.  So if anybody has both the ADS and the Insignia frames in their possession and don't mind cracking them open...

Here is what we know so far:

• Five digital photo frames from Advanced Design System were bought at various Sam's Clubs containing malware.
• Best Buy pulled from the shelves several thousand digital photo frames from Insignia that contained malware.
• Our readers reported more malware found on other devices such as
  • a set of MP3 playing sunglasses (store where sold is not known)
  • a 250GB Maxtor External One Touch Backup from Radio Shack
  • a "Flip Video Camera" from a California Costco
  • a MemoryVue 1040 Plus digital photo frame from Digital Spectrum Incorporated that was purchased at a Canadian Costco
  • an 8-inch Castleton digital photo frame from Uniek that was purchased at a Target
  • a Maxtor One Touch 250GB external hard drive purchased at Fry's Electronics

We do not think that these situations are related but they do paint a picture of a new attack vector, the supply chain.  By the supply chain, we mean this process:

Factory -> Shipping -> Distributer -> Shipping -> Warehouse -> Shipping -> Retail Store -> Customer

Several readers have submitted ideas about how these devices got infected:

• The user's computer was already infected but the user did not know it
• The device was infected by a customer then returned to the store where it was repackaged and resold
• A store employee infected the device as a prank
• A customer infected the device as a prank
• The retail store is not "clean" but checked returned electronics items with an infected computer, thus spreading malware from one returned product to another
• The distributer or the warehouse infected the device
• One or more of the shipping companies infected the device
• It was infected at the factory

Whatever the cause, there seems to be some sort of breakdown in the security of the supply chain.  It's easy for retailers to blame the consumers but when the same malware shows up on products purchased at retail stores hundreds of miles apart by different customers it raises serious questions about the true source of the malware.

A final thought.  Many readers are aware of the penetration tests done about two years ago with USB memory sticks that were sprinkled around a victim site to see if employees would bring them in then plug them into corporate computers.  Knowing what you know now about this attack vector, how many digital photo frames are floating around your office that have already been plugged into your corporate computers?

More information about disabling the Autoplay function of Microsoft Windows is available at Microsoft's Technet site.

Marcus H. Sachs
Director, SANS Internet Storm Center