Flyslinger2
Community Champion

Supply Chain Issues through Updates - Asus

Patching is important. Keeping your patching server secure is equally important. Asus had a blip occur in their patching system which pushed bad software down to their customers.

I think a bigger focus on securing the supply chain is warranted. Thoughts?

2 Replies
JoePete
Advocate I

This Asus story is a great teaching tool. Great example of digital signing gone wrong, importance of securing the update server, etc., but what really caught my eye was that apparently firmware updates were included. In theory, if this involved flashing new firmware, that could mean malware that would persist through a reformatting of the hard drive.

While perhaps this is a supply chain issue, I look at it as a philosophical one where the "feature" of updateable firmware has become a vulnerability. Give me the old days when ROM was really ROM. When a manufacturer knew it had only one shot to make something work right, it made sure it worked right. Now we treat firmware like any old piece of software - "Oh, if it's broken, we'll just fix it in the next version."

lcinti
Newcomer I

I agree and I also think this case is a little "challenging" for the IS community.

The other day I read that other controls that might raise red flags didn't immediately arouse suspicions either. One VirusTotal uploader noted grammar and spelling mistakes, but those were dismissed. Unaffected ASUS applications contained similar errors.

Remember the incident with CCleaner? One of the primary targets of the CCleaner attacks was ASUS. Is this a by-product of that operation? Is it a "coincidence"?

Thanks and regards,

Leandro