In the last quarter of 2019, an unnamed IT company found two of its network switches failing after software updates. The cybersecurity company F-Secure was called in to investigate. After a thorough examination, the devices, two different versions of Cisco Catalyst 2960-X series switches, were judged to be counterfeits.
To find out more about the incident, CSA interviewed Dmitry Janushkevich, Senior Consultant, Hardware Security at F-Secure. He explained that the victim company had been using the switches for a few weeks before the usual update cycle produced errors. Counterfeit devices are often hard to detect because they function as intended, right up until they stop working. In this case, the failed updates gave them away.
This kind of risk is not new, especially given the amounts of money involved in procuring IT equipment. Imitations of such products can entice unsuspecting companies into buying equipment at a lower price without realising the risks involved. Cisco and other well-known IT brands are frequent targets of counterfeiting.
Past incidents, such as the 2015 arrest of a UK gang exporting USD $10 million worth of Cisco products and Cisco's action against Chinese counterfeiters last year, highlight the growing problem and the stakes involved when it comes to counterfeit hardware. Returning to the two counterfeit switches, Janushkevich clarified that the IT company had bought them from unauthorised sellers and that, at the company's request, F-Secure Consulting performed a thorough analysis of the counterfeits to determine the security implications.
According to F-Secure's report, the team identified the full exploit chain that allowed one of the forged units to function: a previously undocumented vulnerability in a security component that let the device's secure boot restrictions be bypassed. They then inspected the counterfeit devices further and compared them with genuine ones.
The counterfeit switches were found to be very similar to the authentic products, in both physical appearance and electronic layout. "We can see that there are way too many similarities, which you wouldn't have unless you copied the (original) board. Even the silkscreen [information], like component reference designators, is positioned exactly the same," Janushkevich explained. His team did, however, notice some exterior differences between genuine and fake products, such as the appearance of port labels and buttons.
When asked whether the manufacturers of the forged products had access to Cisco's intellectual property, Janushkevich answered, "Either they went to great lengths to copy everything meticulously or they just had access to some files, which they used as the basis for the board".
Although the security functions were bypassed, the F-Secure investigation concluded that the products contained no backdoor functionality. The report notes that "the comparison of EEPROM data extracted from the genuine unit and unpatched data extracted from Counterfeit A showed them to be identical. As the patches were designed to bypass signature checks only, we could conclude there was no 'backdoor' code introduced into the SLIMpro environment". SLIMpro is the component that runs the device's encryption and authentication code.
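The reasoning above rests on two checks that any firmware analyst can reproduce: diff the genuine and suspect dumps to localise every byte that differs, then confirm that the known patches (the ones that disable the signature check) account for all of those differences, so that reverting them yields an image identical to the genuine one. Any difference left over after reverting is unexplained code that needs to be investigated. The script below is an added example illustrating that workflow; it is not F-Secure's tooling and uses no data from their report. The two dumps, the patch offsets and the "signature check" address ranges are constructed stand-ins, and the extra modification in the second suspect dump is there to show what an unexplained change looks like in the comparison.

```python
"""Diff two firmware/EEPROM dumps, localise the differing bytes, and check
whether a set of known patches fully explains every difference.

Added example for this article; not F-Secure's tooling and not data from
their report. Both dumps and the patch list below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    offset: int      # byte offset where the difference starts
    original: bytes  # bytes in the reference (genuine) dump
    patched: bytes   # bytes at the same offset in the suspect dump

    @property
    def end(self) -> int:
        return self.offset + len(self.original)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, suspect: bytes) -> list[Region]:
    """Maximal runs of differing bytes between two equal-sized dumps."""
    if len(reference) != len(suspect):
        raise ValueError(f"size mismatch: {len(reference)} vs {len(suspect)} bytes")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(reference, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append(Region(start, reference[start:i], suspect[start:i]))
            start = None
    if start is not None:
        regions.append(Region(start, reference[start:], suspect[start:]))
    return regions


def revert_patches(suspect: bytes, patches: list[Region]) -> bytes:
    """Undo each known patch; refuse if the recorded patched bytes are absent."""
    buf = bytearray(suspect)
    for p in patches:
        if bytes(buf[p.offset:p.end]) != p.patched:
            raise ValueError(f"patch at 0x{p.offset:x} not present as recorded")
        buf[p.offset:p.end] = p.original
    return bytes(buf)


def within_ranges(regions: list[Region], ranges: list[tuple[int, int]]) -> bool:
    """True if every differing region lies inside one of the (start, end) ranges."""
    return all(any(s <= r.offset and r.end <= e for s, e in ranges) for r in regions)


def analyse(reference: bytes, suspect: bytes,
            known_patches: list[Region], allowed_ranges: list[tuple[int, int]]) -> dict:
    regions = diff_regions(reference, suspect)
    return {
        "reference_sha256": sha256(reference),
        "suspect_sha256": sha256(suspect),
        "regions": regions,
        "confined_to_allowed_ranges": within_ranges(regions, allowed_ranges),
        # Empty list: the known patches account for every byte that differs.
        "unexplained_regions": diff_regions(reference, revert_patches(suspect, known_patches)),
    }


# ---- constructed sample data (not real firmware) ---------------------------
GENUINE = bytes(range(256)) * 2  # 512-byte stand-in for a genuine dump

# Hypothetical patches that neuter a signature check; "original" holds what the
# genuine dump contains at those offsets.
KNOWN_PATCHES = [
    Region(0x40, GENUINE[0x40:0x44], b"\x00\xbf\x00\xbf"),
    Region(0x100, GENUINE[0x100:0x102], b"\xff\xfe"),
]
# Hypothetical address ranges of the signature-check routine.
SIGNATURE_CHECK_RANGES = [(0x40, 0x60), (0x100, 0x110)]


def apply_patches(dump: bytes, patches: list[Region]) -> bytes:
    buf = bytearray(dump)
    for p in patches:
        buf[p.offset:p.end] = p.patched
    return bytes(buf)


COUNTERFEIT = apply_patches(GENUINE, KNOWN_PATCHES)
# Same patches plus a change outside the signature check: the shape an added,
# undocumented modification would take in the comparison.
COUNTERFEIT_WITH_EXTRA = apply_patches(
    COUNTERFEIT, [Region(0x1a0, GENUINE[0x1a0:0x1a3], b"\xde\xad\xbe")])

if __name__ == "__main__":
    for name, dump in (("counterfeit", COUNTERFEIT), ("counterfeit+extra", COUNTERFEIT_WITH_EXTRA)):
        result = analyse(GENUINE, dump, KNOWN_PATCHES, SIGNATURE_CHECK_RANGES)
        print(f"== {name}: {result['suspect_sha256'][:16]}...")
        for r in result["regions"]:
            print(f"  0x{r.offset:04x}: {r.original.hex()} -> {r.patched.hex()}")
        print("  confined to signature check:", result["confined_to_allowed_ranges"])
        print("  unexplained regions:", [hex(r.offset) for r in result["unexplained_regions"]])
```

On real hardware the dumps would come from reading the EEPROM or flash off the board, and the "known patches" from reverse engineering the code that applies them; the comparison logic is the same. Note that a clean result only says the dump contains nothing beyond the recorded patches; it says nothing about what the patched code path permits at runtime, which is why the secure boot bypass itself still counts as a finding.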
Janushkevich stressed that if backdoors were introduced in such devices, it would be a very big danger to any kind of company. "Having a third body with perpetual access to your own internal network is a bit risky," he said. To avoid such consequences, he advised businesses in the ASEAN region to purchase products directly from vendors or their official resellers.
To double-check the authenticity of any purchased IT equipment, he said companies should verify the serial numbers with the manufacturer to confirm the devices are genuine. Cisco, for example, has a dedicated brand protection team that combats illegal activities and protects customers from their effects.
Editor's Note: The term "backdoor functionality" in IT and network equipment has become a serious bone of contention, one that has placed networking companies such as Huawei under tremendous geopolitical pressure.
While we take no sides in this matter, it is interesting to note a comment made by Andy Purdy, Chief Security Officer for Huawei Technologies USA, in a podcast interview with Cyber a few months ago. On the issue of companies or nation-states placing backdoors or hidden functionalities in products that could be used to launch devastating attacks, spy or steal intellectual property, he said enterprises and government organisations can apply "third-party mechanisms, with government oversight or independent monitoring, to demonstrate that there are no backdoors" in such products.
Given the depth of the investigation and analysis that firms like F-Secure carry out, and the rigorous, systematic way in which they verified that the counterfeiters had not installed any backdoor functionality in this case, there may be some truth in Purdy's claim.
Either way, businesses that wish to clear their doubts about whether their IT devices and equipment are truly secure now have more avenues and options available to them.