By Jack M. Germain
Jul 24, 2020 4:00 AM PT
Counterfeit hardware, especially in corporate settings, is a recurring problem that often goes unnoticed. Having such gear online poses serious financial, operational, and security risks.
Cybersecurity company F-Secure on July 15 released an investigative report detailing counterfeit Cisco Catalyst 2960-X series switches. The report highlights challenges facing organizations that discover counterfeit devices in their IT infrastructure.
The investigation centered on a pair of counterfeit network switches. Investigators determined that the counterfeits were designed to bypass processes that authenticate system components. That conclusion highlights the security challenges posed by counterfeit hardware, according to the report.
F-Secure Consulting’s Hardware Security team investigated two different counterfeit versions of the Cisco Catalyst 2960-X series switches. The counterfeits were discovered by an IT company after a software update stopped them from working.
That is a common reaction of forged or modified hardware to new software. At the company’s request, F-Secure Consulting performed a thorough analysis of the counterfeits to determine the security implications.
“Counterfeiting of Cisco gear is indeed a long-standing issue. Multiple prior reports in the media highlight this well enough,” Dmitry Janushkevich, senior consultant with F-Secure Consulting’s Hardware Security team, told TechNewsWorld.
The report is a real-life, detailed technical analysis on how counterfeit devices work. It illustrates how existing IP can be compromised, duplicated, and security protection bypassed to make almost perfect clones of existing products, he added.
Organizations using the fake switches face a wide range of risks, including financial, operational, and security issues.
Financial risk in the long run might end up being more costly than purchasing original devices. That assumes the counterfeit devices are purchased at a discount in the first place. Companies with counterfeit units will not have valid support contracts or can be denied support requests, according to the report.
Operational risk involves the likelihood that the units stop working. That can be caused by firmware updates or issues that are not supported or addressed by the vendor. That, in turn, results in serious downtime that can take its toll on the operation and funds of any company.
Perhaps the most significant risk is the security breakdown. A counterfeit unit can operate outside the boundaries of legitimate and authenticated firmware. Such firmware can incorporate intentional backdoors implanted to allow network traffic monitoring and tampering.
Authenticity bypass implants, even without backdoor intents, can also introduce vulnerabilities that can undermine the originally intended security measures of the vendor firmware. A counterfeit unit weakens the security posture of the device against known or future attacks on the Cisco firmware, the F-Secure report explains.
In addition, it would be far easier for attackers to achieve persistence. Authenticity checks are already broken when compromising a counterfeit unit. Counterfeit units can be easily modified to introduce backdoors within an organization.
Big Ticket Items
Hardware counterfeiting is a serious problem for both companies manufacturing products and their customers, F-Secure acknowledged, and it can be a money-making mill for bad actors.
Counterfeiters will try to cut every possible corner to get the direct manufacturing costs down as much as possible. This results in a product of dubious quality and poor security posture. It affects both the original manufacturer and the consumer of such a product, the report noted.
The primary motive of making a counterfeit product is almost always money. If counterfeiters can earn, say, a third of the price of the original unit, it is most likely worth the trouble since the devices certainly are expensive enough.
In contrast, backdooring a device to compromise a company network can be a high-cost, high-skill job against a chosen target, said investigators.
F-Secure’s investigators found the counterfeit devices did not have any backdoor-like functionality. However, they did employ various measures to fool security controls.
For example, one of the units exploited what the research team believes to be a previously undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering.
“We found that the counterfeits were built to bypass authentication measures, but we didn’t find evidence suggesting the units posed any other risks,” said Janushkevich, lead author of the report.
“The counterfeiters’ motives were likely limited to making money by selling the devices. But we see motivated attackers use the same kind of approach to stealthily backdoor companies, which is why it’s important to thoroughly check any modified hardware,” he explained.
The counterfeits were physically and operationally similar to an authentic Cisco switch. The engineering of one of the units suggests that the counterfeiters either invested heavily in replicating Cisco’s original design or had access to proprietary engineering documentation to help them create a convincing copy, notes the report.
Organizations face considerable security challenges in trying to mitigate the security implications of sophisticated counterfeits such as those analyzed in the report, according to F-Secure Consulting’s Head of Hardware Security, Andrea Barisani.
“Security departments can’t afford to ignore hardware that’s been tampered with or modified, which is why they need to investigate any counterfeits that they’ve been tricked into using,” explained Barisani.
Unless they tear down the hardware and examine it from the ground up, organizations cannot know if a modified device had a larger security impact. Depending on the case, the impact can be major enough to completely undermine security measures intended to protect an organization’s security, processes, and infrastructure, she explained.
More Complicated Than Software Piracy
Hardware counterfeiting can be much more complicated than software piracy, according to Thomas Hatch, CTO and co-founder at SaltStack.
“Counterfeit software is an easy thing to do. Just put legitimate software behind a paid portal. Hardware counterfeiting is not as widespread, but it is much rarer,” he told TechNewsWorld.
Hardware counterfeiters use a few business models, but they mostly stem from trying to make more money with inferior parts. It is often driven by what the sellers have on hand as they try to liquidate parts.
“It is generally more opportunistic than systematic,” said Hatch.
How to Guard Against Counterfeit Gear
F-Secure has the following advice to help organizations prevent themselves from using counterfeit devices:
- Source all your devices from authorized resellers
- Have clear internal processes and policies that govern procurement processes
- Ensure all devices run the latest available software provided by vendors
- Make note of physical differences between different units of the same product, no matter how subtle they might appear
In many cases counterfeit units fail after the software is updated. Companies using these models can also look for suspicious console output messages such as authentication steps failing.
A key takeaway from this report is that without strong hardware security measures, IP can be compromised and tampered with. Purchasers must be careful with security architecture and implementation to ensure that such IP breaches remain unfeasible to attackers.
Cisco provides a Serial Number Health Check tool to help in such detection. The mere existence of such a tool highlights how relevant this problem is.
Proactive Steps Needed
In its own right, counterfeit hardware is a form of supply-chain attack. There is no quick and easy way to see whether a unit is counterfeit, according to F-Secure’s Janushkevich.
“Most often, this requires a thorough inspection of the exterior and interior of the units. Otherwise, they would be a fake too obvious to be sold,” he noted.
Cisco has a dedicated brand protection team that deals with counterfeits and tracks the situation. Despite Cisco’s efforts to fight the wave of counterfeit equipment, the business of fake products appears to be too lucrative to dissuade wrongdoers.
That also explains why in the case of the two devices we researched, a good amount of time and skills were used to make the counterfeit devices, Janushkevich observed.
Buyers of electronic hardware should make sure they buy from reputable sources, like sellers with positive reputations, added SaltStack’s Hatch. Also, they should verify that what they received is the advertised component, particularly when buying used goods or from an unknown site.
“Sometimes the counterfeit is a close model but advertised as something slightly more expensive,” he warned.
Generally, hardware counterfeiting is a scam to make money. But it can be an effective way to make backdoors, added Hatch.
“Counterfeit hardware has been used by state-sponsored intelligence agencies since before World War II. I am aware of this technique being used by different state intelligence agencies in recent years, so I see no reason why it would not be used by independent actors as well,” he offered.
Getting nefarious hardware into data centers is often not as complicated as people would think, he warned.
Hatch suggested some additional steps to stay ahead of potential backdoor operations from network hardware:
- Verify your hardware and the installed software and firmware
- Do not hesitate to update your software and firmware from what was sent with the hardware
- Monitor outbound network traffic for anomalies or things that look odd
“In many cases, an encrypted outbound-only connection to a less-than-standard location is something to be concerned about,” he said.
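As an added illustration of the traffic-monitoring advice above (not code from the article, F-Secure, or SaltStack), the following sketch flags connections that a switch's management address initiates toward destinations outside an expected set. The flow-export format, the switch inventory, the allowlist, and the port-based "likely encrypted" heuristic are all assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample flow export (hypothetical format): src is the initiator.
SAMPLE_FLOWS = """src,dst,dst_port,proto,bytes
10.0.10.2,10.0.1.5,514,udp,18234
10.0.10.2,10.0.1.6,123,udp,960
10.0.1.20,10.0.10.2,22,tcp,48211
10.0.10.3,203.0.113.77,443,tcp,912344
10.0.10.3,10.0.1.5,514,udp,17002
10.0.10.3,198.51.100.9,8443,tcp,5120
10.0.20.15,203.0.113.77,443,tcp,33120
"""

# Assumed inventory: management addresses of the switches being watched.
SWITCH_MGMT = {"10.0.10.2", "10.0.10.3"}
# Assumed allowlist: where switches legitimately talk (syslog, NTP, admin hosts).
EXPECTED_DESTS = [ipaddress.ip_network("10.0.1.0/24")]
# Heuristic only: ports that usually carry encrypted sessions.
ENCRYPTED_PORTS = {22, 443, 853, 8443}

def load_flows(text):
    """Parse the CSV flow export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def is_expected(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in EXPECTED_DESTS)

def find_suspicious(flows):
    """Return switch-initiated flows to destinations outside the allowlist."""
    # (switch, remote) pairs where the remote side also opened a session to
    # the switch; a flow to such a remote is not "outbound-only".
    inbound_pairs = {(f["dst"], f["src"]) for f in flows if f["dst"] in SWITCH_MGMT}
    findings = []
    for f in flows:
        if f["src"] not in SWITCH_MGMT or is_expected(f["dst"]):
            continue
        port = int(f["dst_port"])
        findings.append({
            "switch": f["src"], "dest": f["dst"], "port": port,
            "bytes": int(f["bytes"]),
            "likely_encrypted": port in ENCRYPTED_PORTS,
            "outbound_only": (f["src"], f["dst"]) not in inbound_pairs,
        })
    # Largest transfers first, so the most significant flows are reviewed first.
    return sorted(findings, key=lambda x: -x["bytes"])

if __name__ == "__main__":
    for hit in find_suspicious(load_flows(SAMPLE_FLOWS)):
        print(hit)
```

A switch has few legitimate reasons to open sessions of its own, so the allowlist can be kept short and every hit reviewed by hand.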