Comprehensive traceability for Android Supply-Chain Security


What is product traceability?

Traceability of the product supply chain is a very important aspect of manufacturing, as it directly contributes to product safety and quality and, increasingly, to product sustainability and ethics.

When it comes to safety, automakers routinely announce product recalls to protect their customers from defective parts, and to protect themselves by staying compliant and avoiding lawsuits. In a recent example, the electric car maker Rivian recalled nearly all of its vehicles over a potentially loose steering fastener.

Brand reputation is another driver of product traceability. For example, luxury jewelers ensure that the diamonds they sell carry a Kimberley Process certificate, which attests that they are not conflict diamonds (diamonds mined under exploitative conditions or sold to finance armed conflict).

However, traceability is still a weak point in the software industry. The Log4j vulnerability, for example, became a sticky issue for cybersecurity teams: the biggest challenge was not fixing and patching the vulnerability, but identifying which software in their environment used Log4j in the first place. This is why the software bill of materials (SBOM) is gaining traction, so that the industry as a whole can build traceability into software products.

Traceability in the Android ecosystem is even more challenging because of its open architecture: Android is designed to run on a wide variety of mobile devices, and vendors are allowed to create their own variants of the operating system. Most smartphone brands also lack the in-house expertise to build all the necessary components, such as the hardware, firmware, apps and infrastructure for system updates, so many Android smartphones are simply devices built by an OEM and rebranded. As a result, many Android brands have no idea what went into the product they sell, and have found out only after the fact when unwanted apps and security vulnerabilities affected their products.

The Android Software Supply Chain Problem

Suppose ACME telco (a fictitious company) wants to bundle a cheap smartphone with a new 5G data plan. Since ACME telco is not a smartphone manufacturer, it will outsource the development and production of the device to an OEM supplier. All ACME needs to do is provide the expected specs, target price, and branding. This process is often referred to as “white labeling”, a name that comes from the OEM taking full responsibility for manufacturing the device and leaving the brand label “white” for the customer to fill in.

Such convenience and cost savings are not without risks. The OEM will of course try to use the cheapest components that meet the specifications. And since smartphones don’t just run on hardware, the firmware and custom apps on the device also come at a cost, which the OEM will optimize as well. Firmware developers who supply the OEM may agree to provide the software at a lower price, as they can make up the lost margin through questionable means, such as discreetly pre-installing apps from other app developers for a fee. An entire market has been built around this bundling service, with prices ranging from 1 to 10 Chinese yuan (about US$0.14 to US$1.37 at the time of writing) per application per device. Here is where the risk lies: as long as the device’s firmware, bundled apps, and update mechanisms are not owned, controlled, or audited by the smartphone brand itself, a rogue vendor can hide unauthorized code in them.

In addition, the malicious or unwanted code does not have to be fully installed during production. Since smartphones are connected to the Internet anyway, rogue vendors can use the device’s firmware and app update mechanisms to install the malicious or unwanted code later, once the device is in use.

If the OEM lacks supplier visibility, component tracking, and integrity checks, it will be difficult to trace the rogue supplier responsible for the unauthorized code and to determine when the code was bundled into the product. The misuse of firmware and app update mechanisms also means that the groups behind the operation can be selective, deploying whatever unauthorized app or code they want to inject into the device at any time, which makes diagnostics, incident response and forensics considerably more complicated.
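The component tracking and integrity check that the paragraphs above call for can be made concrete as a factory-baseline diff: record every package on the device as it left the factory (APK path, installer, signing-certificate digest), then compare that record against the same device later in the field. The Python script below is an added example and is not code from the original article or from any vendor mentioned in it. It assumes the line format printed by `adb shell pm list packages -f -i` on recent Android releases; the sample lines, the OEM and updater package names, and the certificate digests are all constructed for illustration (real digests would come from `apksigner verify --print-certs`).

```python
"""Factory-baseline vs. in-field package inventory diff for an Android device.

Added example, not code from the original article. The `pm list packages -f -i`
lines and the signing-certificate digests below are constructed; on a real
device they come from `adb shell pm list packages -f -i` and from
`apksigner verify --print-certs <apk>` (SHA-256 of the signing certificate).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Assumed line format of `pm list packages -f -i` on recent Android releases:
#   package:<apk path>=<package name>  installer=<installer package or null>
PM_LINE = re.compile(
    r"^package:(?P<path>[^\s=]+)=(?P<name>[\w.]+)\s+installer=(?P<installer>\S+)$"
)

# Read-only partitions: apps here can only change through a firmware/OTA image.
SYSTEM_PARTITIONS = ("/system/", "/system_ext/", "/product/", "/vendor/", "/odm/")


@dataclass(frozen=True)
class Pkg:
    name: str
    apk_path: str
    installer: Optional[str]   # None when pm reports "null"
    cert_sha256: str           # lower-case hex digest of the signing certificate


def parse_pm_output(text, cert_digests):
    """Combine pm output with a {package: cert digest} map into {package: Pkg}."""
    inventory = {}
    for line in text.strip().splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised pm line: {line!r}")
        name = m["name"]
        installer = None if m["installer"] == "null" else m["installer"]
        inventory[name] = Pkg(name, m["path"], installer, cert_digests[name].lower())
    return inventory


def is_system_path(path):
    return path.startswith(SYSTEM_PARTITIONS)


def diff_inventories(baseline, current, trusted_installers):
    """Return (severity, package, reason) findings, highest severity first."""
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            if is_system_path(cur.apk_path):
                findings.append(("HIGH", name, "new system-partition app; arrived via a firmware update"))
            elif cur.installer in trusted_installers:
                findings.append(("LOW", name, f"user install via {cur.installer}"))
            else:
                findings.append(("MEDIUM", name, f"new app, installer={cur.installer or 'none'}"))
            continue
        if cur.cert_sha256 != base.cert_sha256:
            # A package name is not an identity; the signing certificate is.
            findings.append(("HIGH", name, "signing certificate differs from factory baseline"))
        if cur.apk_path != base.apk_path and not is_system_path(cur.apk_path):
            # A factory system app now loads from /data: it was updated on-device.
            findings.append(("MEDIUM", name, f"system app updated on-device, installer={cur.installer or 'none'}"))
    for name in baseline.keys() - current.keys():
        findings.append(("INFO", name, "present at factory, now absent"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def fake_cert(label):
    """Constructed stand-in for a signing-certificate SHA-256 (not a real vendor cert)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed factory snapshot of the device.
FACTORY_PM = """
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/system/app/Weather/Weather.apk=com.acme.weather  installer=null
package:/system/app/Browser/Browser.apk=com.acme.browser  installer=null
"""
FACTORY_CERTS = {
    "com.android.settings": fake_cert("platform-key"),
    "com.acme.weather": fake_cert("oem-key"),
    "com.acme.browser": fake_cert("oem-key"),
}

# Constructed snapshot months later: the OEM updater replaced the weather app with
# one signed by a different key and pushed a bundled app; the user installed a game.
FIELD_PM = """
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/data/app/com.acme.weather-1/base.apk=com.acme.weather  installer=com.acme.updater
package:/system/app/Browser/Browser.apk=com.acme.browser  installer=null
package:/data/app/com.bundler.offerwall-1/base.apk=com.bundler.offerwall  installer=com.acme.updater
package:/data/app/com.example.game-1/base.apk=com.example.game  installer=com.android.vending
"""
FIELD_CERTS = {
    **FACTORY_CERTS,
    "com.acme.weather": fake_cert("third-party-key"),
    "com.bundler.offerwall": fake_cert("third-party-key"),
    "com.example.game": fake_cert("game-dev-key"),
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumed: only Play installs are user-driven


def run_example():
    baseline = parse_pm_output(FACTORY_PM, FACTORY_CERTS)
    current = parse_pm_output(FIELD_PM, FIELD_CERTS)
    return diff_inventories(baseline, current, TRUSTED_INSTALLERS)


if __name__ == "__main__":
    for sev, pkg, why in run_example():
        print(f"{sev:6} {pkg:28} {why}")
```

On the constructed data the diff flags the re-signed weather app as HIGH, the on-device update and the bundled app as MEDIUM, and the Play-installed game as LOW. The important design choice is that identity is keyed on the signing certificate and the partition an APK loads from, not on the package name or version string: a rogue supplier who ships "the same" app re-signed with its own key, or who silently moves a preload from /system to /data through the updater, shows up even though the package list looks unchanged.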

Why is Android supply chain security important?

Gone are the days when a smartphone was just a phone with a camera that you could use to play games, listen to music and watch movies. A modern smartphone is almost always connected to the internet (thanks to ever cheaper mobile data plans) and runs the productivity and business apps you actually work with.

In addition, smartphones carry a mobile number that is linked to online identities, either as part of two-factor authentication (2FA) or to verify that an account is valid. Beyond SMS-based 2FA, the authenticator apps used in enterprise authentication systems also run on smartphones.

What must we do?

First, as Android phone users, if the smartphone is so important to our daily tasks, shouldn’t we be more aware of the origin of the components and software that run on it?

Second, shouldn’t smartphone brands be more careful when sourcing their devices, only do business with vetted OEMs that provide product traceability, and demand an SBOM?

Third, as infosec professionals, shouldn’t we assess and research which makes and models are acceptable before business and authentication apps are installed on them?

These are the questions we need to ask ourselves, as there is currently no specific guideline or certification body that establishes the integrity of Android smartphones and their firmware. We need to apply different levels of supplier and device accreditation, depending on risk appetite, to ensure that all devices are purchased from reputable brands that secure their supply chains and audit their suppliers.

Government agencies can also encourage manufacturers and retailers by creating programs that highlight products meeting requirements for secure manufacturing and development practices. For example, Singapore and Finland have a Cybersecurity Labeling Scheme that gives a simplified overview of a product’s cybersecurity resilience through a four-level assessment covering baseline security requirements, a developer declaration of conformity, third-party assessment and penetration testing. While the current implementation only applies to internet-of-things (IoT) devices such as routers and IP cameras, a similar scheme could be extended to smartphones.

As of today, rogue suppliers can remain hidden and continue their unethical business practices because they are not visible, and without visibility, accountability is difficult to enforce. Increasing visibility through product traceability, SBOMs, and even government-backed rating schemes will make it much harder for these rogue suppliers to hide.

By Fyodor Yarochkin, Vladimir Kropotov, Zhengyu Dong, Paul Pajares and Ryan Flores