Counterfeit Cisco devices were behind the failure of an IT company’s network switches last fall after a software upgrade, an investigation has found.

Underscoring the security challenges posed by counterfeit hardware, the real-life anecdote prompted the victimized purchaser to commission F-Secure’s hardware security team to perform a thorough analysis of the components.

The company discovered that two versions of Cisco Catalyst 2960-X series switches turned out to be fake and not authentic devices manufactured by Cisco. The counterfeits did not have any backdoor-like functionality, but were designed to fool security controls, F-Secure, said in a report released today.

“We found that the counterfeits were built to bypass authentication measures, but we didn’t find evidence suggesting the units posed any other risks,” said Dmitry Janushkevich, a senior consultant with F-Secure Consulting’s Hardware Security team, and lead author of the report. “The counterfeiters’ motives were likely limited to making money by selling the devices. But we see motivated attackers use the same kind of approach to stealthily backdoor companies, which is why it’s important to thoroughly check any modified hardware.”   

The counterfeits were physically and operationally similar to an authentic Cisco switch. One unit’s engineering suggests that the counterfeiters either invested heavily in replicating Cisco’s original design or had access to proprietary engineering documentation to help them create a convincing copy.  

Typically, copies are sold at a fraction of the price of the real thing to unsuspecting buyers thinking they received a great deal, but in doing so, could compromise the organization’s overall security posture.

The F-Secure report noted that Cisco employs a dedicated Brand Protection team, whose purpose is to defend against counterfeit and gray market activities. The team  partners with customs teams and regional governments all over the world. In April 2019, they seized $626,880 worth of counterfeit Cisco products in one day. However, despite successful operations, Cisco hasn’t been able to stop fraud fully, F-Secure pointed out. One unit dissected by F-Secure exploited what the research team believes to be a previously undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering. 

“Security departments can’t afford to ignore hardware that’s been tampered with or modified, which is why they need to investigate any counterfeits that they’ve been tricked into using,” said Andrea Barisani, F-Secure Consulting’s Head of Hardware Security.  

“Security departments can’t afford to ignore hardware that’s been tampered with or modified, which is why they need to investigate any counterfeits that they’ve been tricked into using,” Barisani explained. “Without tearing down the hardware and examining it from the ground up, organizations can’t know if a modified device had a larger security impact,” he added.

Depending on the case, the impact can be major enough to completely undermine security measures intended to protect an organization’s security, processes, infrastructure.

F-Secure provided the following advice to help organizations prevent themselves from using counterfeit devices: 

  • Source all your devices from authorized resellers. 
  • Have clear internal processes and policies that govern procurement processes. 
  • Ensure all devices run the latest available software provided by vendors. 
  • Make note of even physical differences between different units of the same product, no matter how subtle they may be.