<!--byline-->By Jack M. Germain<!--/byline--> <br /><!--date-->Jul 24, 2020 4:00 PT<!--/date--> </p><div id="story-body"><p class="story-body">Counterfeit hardware, especially in corporate settings, is a recurring problem that often goes unnoticed. The presence of these devices online involves serious financial, operational and security risks.
Cyber security company F-Secure on July 15, it released an investigation report detailing the counterfeit Cisco Catalyst 2960-X series switches. The report highlights the challenges facing organizations who discover counterfeit devices in their IT infrastructure.
The investigation focused on a pair of counterfeit network switches. Investigators determined that counterfeits were designed to bypass processes that authenticate system components. This conclusion highlights the security challenges posed by counterfeit hardware, according to the report.
The hardware security team at F-Secure Consulting has studied two different counterfeit versions of the Cisco Catalyst 2960-X series switches. Counterfeits were discovered by an IT company after a software update prevented them from functioning.
This is a common reaction of forged or modified hardware to new software. At the company’s request, F-Secure Consulting carried out an in-depth analysis of counterfeits to determine the security implications.
“Counterfeiting Cisco equipment is indeed a long-standing problem. Numerous previous media reports highlight it quite well,” Dmitry Janushkevich, senior consultant to the hardware security team at F-Secure Consulting, told TechNewsWorld.
The relationship is a detailed and real technical analysis on the functioning of counterfeit devices. It illustrates how existing IP can be compromised, duplicated and circumvented security protection to make clones of existing products almost perfect, he added.
A wide range of risks are involved in organizations that use fake switches; including financial, operational and security problems.
Long-term financial risk may be more expensive than buying original devices. This assumes that counterfeit devices are purchased at a discount in the first place. Companies with counterfeit units will not have valid service contracts or service requests may be refused, according to the report.
Operational risk involves the likelihood that the units will stop operating. This can be caused by firmware updates or problems that are not supported or resolved by the vendor. This, in turn, leads to severe downtime which can adversely affect the operation and funds of any company.
Perhaps the most significant risk is breaking security. A counterfeit unit can operate outside the bounds of legitimate and authenticated firmware. This firmware can incorporate intentional backdoors implanted to allow monitoring and tampering with network traffic.
Authenticity bypass facilities, even without backdoor intent, may also introduce vulnerabilities that may undermine the security measures originally provided for in the vendor’s firmware. A counterfeit drive weakens the device’s security location against known or future attacks on Cisco firmware, explains the F-Secure report.
Furthermore, it would be much easier for attackers to achieve persistence. Authenticity checks are already broken when a counterfeit unit is compromised. Counterfeit units can be easily modified to introduce backdoors into an organization.
Hardware counterfeiting is a serious problem for both companies that manufacture products and their customers, F-Secure acknowledged, and it can be a money-making mill for bad actors.
Counterfeiters will try to cut every possible angle to reduce direct production costs as much as possible. This results in a product of dubious quality and poor safety. It affects both the original manufacturer and the consumer of that product, notes the report.
The main reason for making a counterfeit product is almost always money. If counterfeiters can earn, for example, a third of the price of the original unit, it is very likely worth it, since the devices are certainly quite expensive.
In contrast, backdooring a device to compromise a corporate network can be expensive and highly skilled work against a chosen goal, investigators said.
F-Secure investigators found that counterfeit devices had no backdoor functionality. However, they have taken various measures to deceive security checks.
For example, one of the units exploited what the research team believes is an undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering.
“We found that counterfeits were built to circumvent authentication measures, but we found no evidence to suggest that the units posed other risks,” said Janushkevich, lead author of the report.
“The counterfeiters’ motives were probably limited to making money by selling the devices. But we see that motivated attackers use the same type of approach for stealthily backdoor companies, which is why it is important to thoroughly check any modified hardware,” he explained.
The counterfeits were physically and operationally similar to an authentic Cisco switch. One of the unit’s technicians suggests that the counterfeiters either invested heavily in replicating the original Cisco project or had access to proprietary engineering documentation to help them make a convincing copy, the report notes.
Organizations face significant security challenges in an attempt to mitigate the security implications of sophisticated counterfeits such as those analyzed in the report, according to F-Secure Consulting hardware security officer, Andrea Barisani.
“The security departments cannot afford to ignore the hardware that has been tampered with or modified, which is why they need to investigate any fakes that they have been tricked into using,” explained Barisani.
Unless you lower the hardware and examine it from scratch, organizations cannot know if a modified device has had a greater impact on security. Depending on the case, the impact can be large enough to completely compromise security measures designed to protect an organization’s security, processes and infrastructure, he explained.
More complicated than software piracy
“Counterfeit software is an easy thing to do. Just put legitimate software behind a paid portal. Hardware counterfeiting isn’t as common, but it’s much rarer,” he told TechNewsWorld.
Hardware counterfeiters use some business models, but they mostly come from trying to make more money with lower parts. It is often driven by what sellers have on hand as they try to liquidate the parts.
“It’s generally more opportunistic than systematic,” said Hatch.
How to protect yourself from counterfeit tools
F-Secure offers the following tips to help organizations avoid using counterfeit devices:
- Source of all your devices from authorized dealers
- Have clear internal processes and policies that govern procurement processes
- Make sure all devices are running the latest available software provided by vendors
- Take note of the physical differences between the different units of the same product, no matter how subtle they may appear
In many cases, counterfeit drives fail after updating the software. Companies using these models can also look for suspicious console output messages, such as authentication errors.
A key aspect of this report is that without strong hardware security measures, IP can be compromised and tampered with. Buyers need to be careful with the architecture and security implementation to ensure that such IP violations remain unworkable for attackers.
Proactive steps required
By itself, counterfeit hardware is a form of attack on the supply chain. There is no quick and easy way to see if a drive is counterfeit, according to Janushkevich of F-Secure.
“Most often, this requires a thorough inspection of the exterior and interior of the units. Otherwise, it would be too obvious a fake to be sold,” he noted.
Cisco has a dedicated brand protection team that handles counterfeiting and tracks the situation. Despite Cisco’s efforts to combat the wave of counterfeit equipment, the activity of counterfeit products appears to be too profitable to dissuade offenders.
This also explains why, in the case of the two devices we researched, Janushkevich took a good deal of time and expertise to make the counterfeit devices.
Electronic hardware buyers should make sure they buy from reputable sources, such as sellers with positive reputations, added SaltStack’s Hatch. In addition, they should verify that what they received is the advertised component, particularly when purchasing used goods or from an unknown site.
“Counterfeiting is sometimes a close model but advertised as something slightly more expensive,” he warned.
In general, hardware counterfeiting is a money making scam. But it can be an effective way to create backdoors, Hatch added.
“Counterfeit hardware has been used by state-sponsored intelligence agencies since before the Second World War. I am aware that this technique has been used by several state intelligence agencies in recent years, so I don’t see any reason why it wouldn’t been used by independent actors as well, “he offered.
Having the nasty hardware in data centers is often not as complicated as people might think, he warned.
- Check the installed hardware, software and firmware
- Do not hesitate to update the software and firmware from what has been sent with the hardware
- Monitor outgoing network traffic for anomalies or things that seem strange
“In many cases, an outbound only encrypted connection to a non-standard location is something to worry about,” he said.