F-Secure uncovers counterfeit Cisco network devices
Finnish cybersecurity company F-Secure has published a report detailing its investigation into a pair of counterfeit Cisco network switches.
Two different counterfeit versions of Cisco Catalyst 2960-X series switches were discovered by an IT company after a software update stopped them from working. The investigation concludes that the counterfeits had been designed to bypass the processes that authenticate system components.
Investigators found that while the counterfeits did not have any backdoor-like functionality, they did employ various measures to fool security controls. For example, one of the units exploited what the research team believes to be a previously undiscovered software vulnerability to undermine the secure boot process that protects against firmware tampering.
"We found that the counterfeits were built to bypass authentication measures, but we didn’t find evidence suggesting the units posed any other risks," says Dmitry Janushkevich, a senior consultant with F-Secure Consulting's Hardware Security team, and lead author of the report. "The counterfeiters' motives were likely limited to making money by selling the components. But we see motivated attackers use the same kind of approach to stealthily backdoor companies, which is why it's important to thoroughly check any modified hardware."
The counterfeits were physically and operationally similar to authentic Cisco switches. The units' engineering suggests that the counterfeiters either invested heavily in replicating Cisco's original design or had access to proprietary engineering documentation that helped them create a convincing copy.
"Security departments can't afford to ignore hardware that's been tampered with or modified, which is why they need to investigate any counterfeits that they’ve been tricked into using," says F-Secure Consulting's head of hardware security Andrea Barisani. "Without tearing down the hardware and examining it from the ground up, organizations can’t know if a modified device had a larger security impact. And depending on the case, the impact can be major enough to completely undermine security measures intended to protect an organization’s security, processes, infrastructure, etc."
F-Secure recommends that businesses protect themselves by sourcing components only from authorized resellers, having clear internal policies and processes governing procurement, ensuring all components run the latest available software provided by vendors, and taking note of any physical differences between units of the same product, no matter how subtle they may be.
You can find the full report on the F-Secure site.