Researchers at F-Secure have uncovered a large-scale counterfeiting case: switches labeled as Cisco, but which were not, contained mechanisms to bypass authentication controls.
The story takes place at a company whose IT department set out to patch its Cisco switches. As often happens with updates, some devices may malfunction after being refreshed; nothing new there. But in the case of this company's models, Cisco Catalyst 2960-X series switches, the devices simply stopped working. Intrigued, the company called in a specialized integrator, who uncovered the truth: the switches were counterfeits.
The matter could not stop there. The company, concerned about the security of its data, wanted to understand the security implications. It turned to F-Secure, which dispatched the hardware security team of its F-Secure Consulting branch. After careful analysis, the specialists concluded that the counterfeit switches were designed to bypass the authentication process for system components. The experts investigated two counterfeit versions of the Cisco Catalyst 2960-X series switch.
Counterfeiters with technical and industrial means
“These counterfeits were similar to authentic Cisco switches, both physically and operationally,” explains the report. “One of the counterfeit units was particularly faithful to the original: either the counterfeiters invested massively in reproducing the original design, or they had access to exclusive technical documentation allowing them to create a convincing copy.”
At the very least, this means the counterfeiters have the means to gather technical data, whether by reverse engineering or by industrial espionage. They also have the industrial means, and it takes an entire ecosystem, to produce counterfeits almost indistinguishable from the originals. And beyond the profits from selling dupes, nothing stops them from arranging hidden accesses and openings that allow them, affiliated hacker groups, or paying customers (this kind of flaw sells very well on the dark web) to use that open road to carry out their misdeeds.
According to the researchers, these counterfeits do not have backdoor functions. However, the devices employ various measures to circumvent security checks. “It seems, for example, that one of them exploits a 0-day vulnerability that can deceive the boot process, so that the spoofed firmware is not detected,” the report details.
“If it's too good to be true, there's a wolf” … or more than one
“We discovered that these counterfeits could bypass authentication controls, but we found no evidence to suggest that these devices posed other risks,” said Dmitry Janushkevich, senior consultant in F-Secure Consulting's Hardware Security team and lead author of the report. “The counterfeiters' motivations were probably limited to making money by selling these components. But other malicious people use this same type of approach to install backdoors in companies. This is why it is important to carefully check all potentially counterfeit equipment.”
There is no doubt that the company purchased these switches in good faith. Network hardware designed, manufactured and sold by legitimate OEMs is a prime target for counterfeiting: with an excellent reputation built on advanced engineering, these products sell at high prices, and prices that are too low should prompt caution. So the moral of this story is obvious: “if it's too good to be true, there's a wolf.” Except that in this case there were two wolves, one far more dangerous to the survival of the business, because it opened a way into the information system and its data.