UW Computer Security Research and Course Blog

I would like to talk about an article I read in Slashdot today ( http://it.slashdot.org/article.pl?sid=08/01/13/1533243 )on Malware (Trojan horse programs and computer viruses) finding their way onto digital devices like iPods and, more interestingly, digital picture frames. The Slashdot article points to an article from The Register ( http://www.theregister.co.uk/2008/01/11/malware_digital_devices/ ). The article from The Register talks briefly about consumers during the Christmas season who have received digital picture frames have had the problem of malware, which was traced to an infected computer at the factory, attempting to infect computers once the device is connected to the home computer. The malware, which have hidden itself by disallowing the user from showing hidden files and from contacting antispam and antivirus websites, has been reported to the Internet Storm Center, a group that monitors network threats. This problem is not new, as iPods and hardwares have had a small history of manufactures with infected computers infecting shipped devices, and are typically due to small lapses in maintaining secure systems at the factories and are accidental in general.

What is more interesting is that the article points out that returned items may have a more malicious intent. It is possible that adversaries may choose to purchase devices for the sole purpose of uploading malware to the device, returning it, and infecting computers of unsuspecting customers through the returned device. Stores, which much laxer, lazier, or uneducated policies, may not completely clean returned items that may be infected for malicious intent. Though, the means of spreading the malware is primitive, the access is sneakier because the defense against malware is directed towards the network (like the Maginot Line) but not to internal or plug and play devices attached physically by the user. It would be hard to detect an issue like this without a few guinea pigs being compromised in the process but now that an incident of this sort has arisen, the safest solution to this is education. In reality, because there is a physical element to this problem, it would be safer to spend resources on cleaning the products memories thoroughly due to the solidity of the data residing in these devices. By checking after returns and before stocking on shelves, the store can assure customers that products will not harm them. This reassurance is vital to maintaining a store’s reputation for selling safe products. Though this problem is not a barn-burner when it comes to security issues, it may drive a common customer (non-computer savvy individuals) to educate themselves in what they are purchasing and what is required to have a safe and more enjoyable experience with a particular device. Nothing can make life more difficult for an amateur user than a technical problem that clearly is beyond their knowledge base. So, a word of caution: before you plug it in, check it out.