Internet-connected Product Bans: How Do You Avoid Future Issues?

Recent actions by DHS signal closer monitoring of technology being purchased by the U.S. government, especially technology created and/or controlled by foreign governments. In some cases, Internet-connected products controlled by foreign governments have already been banned, and there are indications more bans may be coming. For cybersecurity personnel, the product bans will require a new approach to procurement policies (especially endpoint and BYOD policies).

2018 started with a ban of Kaspersky software and was quickly followed by Senator Rubio calling for a ban on Huawei and ZTE. Given the high political cost of banning a product, the US Government typically only takes action if there is overwhelming evidence. Consequently, cybersecurity personnel should take such actions very seriously.

Internet-connected security software and mobile phones are problematic because they upload data as a normal part of their operation. For example, anti-virus programs upload any signature or group of packets they don’t understand to a cloud-based analytics engine. Similarly, mobile phones upload usage data to improve coverage. For DHS to ban an Internet-connected product means there is evidence that data uploads go beyond the stated functions. In the case of Kaspersky, it seems they were uploading the entire hard drive.

Company-owned computers on which banned security software is installed should be discarded. As security software operates at the kernel level, simply de-installing the software won’t do anything. Unless you’re an expert in re-flashing hardware, don’t take the risk of using a tampered laptop. If you do decide to re-flash a laptop, you should label the device so users are aware that you’re re-circulating a tampered system. Unfortunately, for banned mobile devices there’s nothing you can do except remove the SIM card and discard the device.

BYOD presents a bigger cybersecurity challenge for enterprises. In many organizations, cybersecurity personnel don’t even know what’s on the remote device. Moreover, standard countermeasures such as encryption don’t help if the device itself is the attack vector. Thus, enterprises will have to take the difficult step of approving BYOD purchases.

What To Do To Avoid Future Bans?

To avoid the cost of discarding a device, here are five requirements for Internet-connected products you should consider before purchasing or recommending them:

Data Location: Where is the data stored? Additionally, are there any remote analytics programs that have access to the data?

Internet Function: What is the function of the Internet-connected service? Is the functionality locked down?

Anonymization Process: Are Internet-connected services implementing a one-way non-recoverable hash to ensure data is anonymized?

Data Security: How is access to the data managed? Additionally, how is the network that transports the data protected?

System Verification: What is the vendor doing to ensure all the things they promised are really happening?
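
When evaluating a vendor's answer to the Anonymization Process question, it helps to check whether the hash is keyed, because an unkeyed hash over a small identifier space can be matched back to the original value by anyone holding the uploads. The following is an added example, not code from this article or from any vendor; the asset-tag format LT-0000 to LT-9999 and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def plain_digest(identifier: str) -> str:
    """Unkeyed SHA-256, the weakest reading of 'one-way hash'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_digest(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key held only by the customer."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def asset_tag_space(prefix: str = "LT-", digits: int = 4):
    """Constructed identifier space: LT-0000 through LT-9999."""
    return (f"{prefix}{n:0{digits}d}" for n in range(10 ** digits))


def recover(target: str, candidates, digest_fn):
    """Return the candidate whose digest matches target, or None."""
    for candidate in candidates:
        if hmac.compare_digest(digest_fn(candidate), target):
            return candidate
    return None


def audit(identifier: str = "LT-4821"):
    """Compare what each scheme reveals to a party holding only the uploads."""
    key = secrets.token_bytes(32)          # stays on the customer side
    other_key = secrets.token_bytes(32)    # any key that is not the real one
    unkeyed = plain_digest(identifier)
    keyed = keyed_digest(identifier, key)
    return {
        "unkeyed_recovered": recover(unkeyed, asset_tag_space(), plain_digest),
        "keyed_without_key": recover(
            keyed, asset_tag_space(), lambda c: keyed_digest(c, other_key)),
        "keyed_with_key": recover(
            keyed, asset_tag_space(), lambda c: keyed_digest(c, key)),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

The third result shows that the keyed form is only non-recoverable while the key stays out of the vendor's reach, which is why the Data Security question about who can access what matters alongside this one.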

Don’t wait for DHS to ban a product. Be proactive and avoid disaster.



Junaid Islam

CTO at Vidder
Junaid Islam has over 25 years of experience in network and security protocol design. In the early 90's, Junaid developed the queuing algorithms for Frame Relay at StrataCom, which were used by the US military for multilevel precedence and preemption (MLPP). He later developed the first Frame-ATM integration protocol at Cisco, which became the foundation for MPLS. After Cisco, Junaid worked on a number of US Government research programs.

Currently, Junaid is leading the development of Secure Enclave solutions using the Software Defined Perimeter architecture at Vidder. Junaid is a well-respected security expert and has been interviewed by publications such as the Wall Street Journal and Newsweek.
