Counterfeit network hardware built to bypass cyber security authentication measures is reaching the open market, and organisations should be on their guard against it, according to F-Secure Consulting’s Hardware Security team, which has been investigating two different counterfeit versions of Cisco Catalyst 2950-X series switches.
The two switches in question found their way into the network of an IT company which has asked to remain nameless. It found the dodgy kit after a software update caused them to stop working, which is a common reaction of forged or modified hardware to new software, at which point they were handed to F-Secure for analysis.
The fake Catalyst switches did not contain any backdoor-like functionality, so it is highly unlikely that any malicious actors would have been able to access the user’s network, did exploit what F-Secure said it believes is a previously undiscovered software vulnerability to undermine secure boot processes that would have protected against firmware tampering. This does pose a clear and obvious security risk.
“We found that the counterfeits were built to bypass authentication measures, but we didn’t find evidence suggesting the units posed any other risks,” said Dmitry Janushkevich, a senior consultant with F-Secure Consulting’s Hardware Security team, and lead author of the report.
“The counterfeiters’ motives were likely limited to making money by selling the components. But we see motivated attackers use the same kind of approach to stealthily backdoor companies, which is why it’s important to thoroughly check any modified hardware.”
Both units were found to be physically and operationally similar to the genuine Cisco product, which would suggest that the people who built it had either invested heavily in replicating Cisco’s original design, or had accessed proprietary engineering documentation that let them build a convincing copy.
“Security departments can’t afford to ignore hardware that’s been tampered with or modified, which is why they need to investigate any counterfeits that they’ve been tricked into using,” said Andrea Barisani, head of hardware security at F-Secure Consulting.
“Without tearing down the hardware and examining it from the ground up, organisations can’t know if a modified device had a larger security impact. And depending on the case, the impact can be major enough to completely undermine security measures intended to protect an organisation’s security, processes, infrastructure, etc.
“We’re world leaders when it comes to breaking and implementing secure boot schemes, which are integral in protecting intellectual property and ensuring authenticity of firmware and hardware products. Our detailed analysis of this case highlights not only the challenges in determining the security implications of counterfeits, but also how we can support and reassure organisations that discover suspicious devices in their infrastructure,” added Barisani.
There are a number of steps organisations can take to stop counterfeit products from making their way into the IT estate. The first is to fully audit your supply chain and ensure all components are sourced from authorised channel partners, and absolutely not grey market dealers and brokers; to implement clear internal processes and policies that govern procurement processes; to ensure all IT products are running the latest available software; and even to make note of and query any physical differences between different units of the same product.
“Maintaining the integrity and high quality of Cisco products and services is a top priority for Cisco. Counterfeit products pose serious risks to network quality, performance, safety and reliability. We recommend customers purchase Cisco products from Cisco or through an authorised partner to ensure customers get genuine and authorised Cisco products,” said a Cisco spokesperson.
“To protect our customers, Cisco actively monitors the global counterfeit market as well as implements a holistic and pervasive Value Chain Security Architecture comprised of various security controls to prevent counterfeiting. Cisco also has a Brand Protection team dedicated to detecting, deterring, and dismantling counterfeit activities. Combating widespread counterfeiting and protecting intellectual property rights are sizeable challenges facing the entire technology industry.”
F-Secure’s full investigation and report can be downloaded from its website.