'That's not a bug, it's a feature' takes on a darker tone when malware's involved

Mummy, where do zero days come from?


Opinion: One of the charms of coding is that malice can be indistinguishable from incompetence. Last week's Who, Me? story about financial transfer test software running amok is a case in point.

The hapless dev left code running overnight that should have moved a single cent in and out of his test account. Instead, it machine-gunned $100 transfers in for hours. It tripped internal security, but the temporarily rich kid had told his boss about it and could thus talk his way clear.

What if the bank-raiding routine hadn't been detected? Our hero would have come in to find a huge cash stash sitting there, a highly tempting proof of concept perhaps. Not coming clean would be malicious, but the code's the same whether he 'fessed up or not.

This is exactly the quandary US authorities are pondering as they consider banning products by Chinese consumer networking company TP-Link. These are very popular because the hardware is good and reliable, but mostly because they are remarkably cheap. So cheap, in fact, that the company is suspected of dumping, that is, selling below cost to take market share. The main reason for suspicion, though, is the routers' firmware. It's outstandingly prone to vulnerabilities, ridden with things like buffer overflows, to the point that mere incompetence seems an insufficient explanation.

This sounds like a conspiracy theory because the evidence is ambiguous. Line up the circumstantial evidence and it's at least plausible. If TP-Link does have a corporate fondness for crap coders, how come the features visible to owners in everyday use work well, while invisible vulnerabilities are so common? Chinese law compels all domestic companies to cooperate with state security in secret. There is already evidence of widespread Chinese infiltration of communication infrastructure with Salt Typhoon. Motive, opportunity, ability, and history: where does the balance of probabilities lie?

It would be possible to prove TP-Link products were uniquely vulnerable by statistical analysis, comparing them to competing products from other vendors. At that point it doesn't really matter what the reason is: they could be taken off the market because of consumer safety worries. That wouldn't do much good, given the huge installed base, and the uniquely attractive environment infrastructure offers to the bad guys. It's invisible to end users, hard to monitor, hard to update, and once something's installed and working, it is highly disruptive to rip it out.

A great/awful example of this is the recently disclosed Iranian-linked attack on US and Israeli energy and IoT devices, part of a family of attacks that have targeted a wide range of devices from a wide range of manufacturers. Whoever created the IOCONTROL malware is highly competent and inventive, but at first glance it seems unlikely that the firmware of the target devices would contain deliberately vulnerable Iranian-sourced code. Iran has no international IT infrastructure makers to manipulate, being locked away behind sanctions. This need not stop it. Nor anyone else.

Industrial espionage is exceptionally hard to spot until the stolen secrets come to light. Likewise, industrial sabotage can be equally hard to trace. When that industry is firmware, and the malicious actor has no intention of using the information in detectable ways, this is even more so. Given how valuable zero days are to attackers, how much easier would they be to exploit if you put them there yourself?

You don't even need to embed a star player in your target company, just someone competent enough to send copies of the code under development back to the malware creators, and get their changes back into the tree.

Do all those IoT, industrial control, and router companies have the ability to spot highly disguised vulnerabilities slipped in by malicious experts? They're not very good at spotting incompetent errors, given the many alerts the industry generates.

Catching corrupt coders is always going to be hard, unless their own opsec is bad. It's also most embarrassing to go public when you do. Even in security services and the military, where employees are routinely screened and counter-espionage is a specialty, the job is still very difficult. It's not as if ideology or animus are needed to tempt someone into sin: cash and flattery do the job just as well.

It's not a case of whether this is happening. The opportunities are too great, the risk too small, and the outlays too modest to resist. The question is how to find it, given that nobody seems to be looking. A company responsible for a vulnerability has the responsibility to fix it, but not to track down how it came to be and who was involved. There is no agency tracking and correlating this information, not unless national security is directly involved.

This just in: it is. We just don't really believe it. Until we do, there's an entire industry-wide meta-vulnerability going completely unchecked. Better believe it. ®
