The source code for Asus' phone cameras has been hacked, but it's apparently 'not impacted Asus products, internal company systems, or user privacy'
Asus was recently a claimed target of a ransomware group called Everest, which said it had managed to get hold of the hardware manufacturer's phones' "camera source code." Asus, however, is saying the group has hacked one of its suppliers, not Asus itself.
The company says: "An Asus supplier was hacked. This affected some of the camera source code for Asus phones. This incident has not impacted Asus products, internal company systems, or user privacy. Asus continues to strengthen supply chain security in compliance with cybersecurity standards."
Supply chain security might not be one of the first things we think of when we think of cybersecurity, but in increasingly interdependent markets, perhaps it should be.
In fact, the Open Web Application Security Project (OWASP) recently added "software supply chain failures" to its list of the top 10 security risks to web apps. Of course, that's dealing with software, but the same presumably applies to hardware.
This should also serve as a reminder, if we needed one, that much of our hardware and many of our devices are cobbled together from multiple sources. That's as true for systems, peripherals, and other manufacturers that do make some of their own hardware as it is for the more obvious completely "fabless" manufacturers like Nvidia. Companies are usually reliant on other companies for parts of their products.
This incident isn't far off the back of Asus releasing updates to fix security flaws—some "high" severity, and one "critical"—for some routers and the MyAsus software. But these things happen all the time, I suppose, and Asus products a far from the only ones to have been found vulnerable to exploits.
The important thing is that these exploits are patched, which serves as a reminder, of course, to keep all your software up-to-date.
Sometimes, however, there are things that can't be fixed by a simple software update. I'm reminded of the flawed UEFIs that were discovered to have shipped with some Framework Linux machines. Firmware's something that can't usually be fixed with a simple in-OS update.
Nor, presumably, are problems generated from leaked source code for a phone camera. Hopefully, Asus is right, and this breach hasn't impacted its products, internal systems, or user privacy. Especially the last point.