If you recall, we started this thread on Christmas day with a short story about an infected digital photo frame purchased at a Sam's Club. We were contacted by Wal-Mart's security team (Sam's Club is owned by Wal-Mart) a few days later. They were aware of the problem as a result of reading our diary but could not replicate it with any frames they tested. We also contacted the distributor of the frames (Advanced Design Systems) and they could not duplicate the problem either. Since that original story we published an update on January 4th asking if anybody had seen similar problems with any recently purchased device that used a USB connection to communicate with a host computer. That led to a second update on January 7th that contained more details about other devices that were infected. Since then, more devices have been reported to the Internet Storm Center as being infected with malware, and there have been a few media reports.
Of interest is a report this past week saying that Best Buy pulled thousands of digital photo frames from their shelves based on the presence of malware. The supplier of the frames, Insignia, posted the technical information on their web site. One of our readers observed that the photo frames purchased at Sam's Club have remote controls remarkably similar to the ones sold at Best Buy. Check it out yourself:
Best Buy's frame and remote, distributed by Insignia.
Sam's Club's remote, distributed by Advanced Design Systems.
The remotes are not exactly the same but the similarities are striking. This led our reader to ponder whether there are more commonalities in these devices. He suggested that looking at the two motherboards might offer clues. So if anybody has both the ADS and the Insignia frames in their possession and doesn't mind cracking them open...
Here is what we know so far:
We do not think that these situations are related but they do paint a picture of a new attack vector, the supply chain. By the supply chain, we mean this process:
Factory -> Shipping -> Distributor -> Shipping -> Warehouse -> Shipping -> Retail Store -> Customer
Several readers have submitted ideas about how these devices got infected:
Whatever the cause, there seems to be some sort of breakdown in the security of the supply chain. It's easy for retailers to blame the consumers but when the same malware shows up on products purchased at retail stores hundreds of miles apart by different customers it raises serious questions about the true source of the malware.
A final thought. Many readers are aware of the penetration tests done about two years ago with USB memory sticks that were sprinkled around a victim site to see if employees would bring them in then plug them into corporate computers. Knowing what you know now about this attack vector, how many digital photo frames are floating around your office that have already been plugged into your corporate computers?
More information about disabling the AutoPlay function of Microsoft Windows is available at Microsoft's TechNet site.
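As an added example (not from this diary, which only points readers to the TechNet article), the following PowerShell audits and sets the NoDriveTypeAutoRun policy that tells Windows which drive types it may auto-run. It assumes an elevated session and that the policy key may not exist yet; the bit meanings follow the Windows drive-type numbering.

```powershell
# Added example: audit and harden the machine-wide AutoRun policy.
# NoDriveTypeAutoRun is a bit mask; a set bit DISABLES AutoRun for that drive type.
# Assumption: run as an administrator on a machine where the Explorer policy key
# may not yet exist (we create it if needed).
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Name = 'NoDriveTypeAutoRun'

# Drive-type bits, matching the values returned by the GetDriveType API.
$BitRemovable = 0x04   # USB sticks, card readers, photo frames in mass-storage mode
$BitFixed     = 0x08
$BitNetwork   = 0x10
$BitCdRom     = 0x20
$AllDrives    = 0xFF   # every bit set: AutoRun disabled everywhere

function Get-AutoRunPolicy {
    # Returns the current mask, or $null when no policy value is present.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-AutoRunDisabledFor([int]$DriveBit) {
    # True only when the policy exists AND the bit for this drive type is set.
    $mask = Get-AutoRunPolicy
    return ($null -ne $mask) -and (($mask -band $DriveBit) -ne 0)
}

function Set-AutoRunPolicy([int]$Mask = $AllDrives) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Mask -Type DWord
}

# Audit first: report the removable-media bit, which is the one this diary is about.
$before = Get-AutoRunPolicy
if ($null -eq $before) { Write-Host "No $Name policy set (Windows default applies)." }
else { Write-Host ("Current mask: 0x{0:X2}" -f $before) }
Write-Host ("Removable media AutoRun disabled: {0}" -f (Test-AutoRunDisabledFor $BitRemovable))

# Harden: disable AutoRun for every drive type, then re-check.
Set-AutoRunPolicy $AllDrives
Write-Host ("After change, removable media AutoRun disabled: {0}" -f (Test-AutoRunDisabledFor $BitRemovable))
# The new mask is read at next logon (or after restarting explorer.exe).
```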
Marcus H. Sachs
Jan 28th 2008