Yottabytes: Storage and Disaster Recovery

Sep 17 2018   8:59AM GMT

Schneider USB Malware Scare

Sharon Fisher

Tags:
malware
USB

We’ve talked before about security issues involved with USB drives, but here’s a new one: A vendor alerting us to malware on a USB drive that it’s shipping with its product.

Schneider Electric recently notified users of its Conext Combox and Conext Battery Monitor that USB removable media shipped with the products may have been exposed to malware during manufacturing at a third-party supplier’s facility.

Oops.

The Conext Combox and the Conext Battery Monitor are both used to monitor the harvest and yield of solar power systems, according to the company, which is based in France. This is somewhat concerning in the context of the security of the power grid.

It also isn’t known where the third-party supplier’s facility is, which would help determine whether this is a state-sponsored activity. China? South Korea? Japan?

“Schneider Electric has determined that some USB removable media shipped with the Conext Combox and Conext Battery Monitor products were contaminated with malware during manufacturing by one of our suppliers,” the company said in its alert. “Schneider Electric has confirmed that the malware should be detected and blocked by all major anti-malware programs. Out of caution, Schneider Electric recommends that these USB removable media are not used. These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products.”

Instead of using the documentation on the USB drives, Schneider recommends that people download the documentation from the company website.

This isn’t the first time something like this has happened. A year ago, IBM reportedly shipped some USB flash drives, containing the initialization tool for its Storwize storage system, that included a file that had been infected with malicious code. IBM was similarly tight-lipped about how the malware came to be there.

In fact, there’s a security website (called “Rationally Paranoid”) that tracks such incidents, and it goes as far back as 2000. It doesn’t yet include the Schneider incident, nor any other incident from 2018.

With the Schneider incident, there are still a number of outstanding questions:

  • What kind of malware is it?
  • Who is the third-party manufacturer and where are they located?
  • What was the USB drives’ intended use? Did they get plugged into the solar device itself, or into a PC?
  • Were these particular USB drives belonging to Schneider Electric targeted, or was it just run-of-the-mill malware? In other words, was someone trying to hack into the power grid this way?
  • Who else uses USB drives from that manufacturer? Are their USB drives infected too?

Companies are understandably reticent about such incidents, because they don’t want to give people ideas, nor set themselves up for liability. On the other hand, if we’re going to protect ourselves from such incidents in the future, it’s important to know all we can about them. “Security through obscurity” never works.

1  Comment on this Post

 
  • TheRealRaven
    Actually, security through obscurity regularly works and is used more often and more widely than we like to admit. Whenever some encryption algorithm is broken or other security process shows an exposed vulnerability, we never say "Security through encryption never works."

    Perhaps it's time for us to recognize how the real world works. There can be times when 'security through obscurity' is acceptable, especially when alternatives are too onerous to implement.

    Security is always a trade-off.