Counterfeit Cisco Switches Investigation Finds Security Posture Weakened

By | Managed Services News

Jul 15

Recommendation: Buy from authorized Cisco partners.

An investigation into counterfeit Cisco switches, done by F-Secure, found a mechanism to bypass authentication measures but no other major security risks, the security company announced Wednesday.

The F-Secure report – The Fake Cisco, Hunting for backdoors in counterfeit Cisco devices – examines a pair of counterfeit Cisco network switches. An IT company reported the failing network switches last fall.

F-Secure's Dmitry Janushkevich


“We found that the counterfeits were built to bypass authentication measures, but we didn’t find evidence suggesting the units posed any other risks,” said Dmitry Janushkevich, a senior consultant with F-Secure Consulting’s hardware security team, and lead author of the report. “The counterfeiters’ motives were likely limited to making money by selling the devices. But we see motivated attackers use the same kind of approach to stealthily back-door companies, which is why it’s important to thoroughly check any modified hardware.”

The IT [user] company uncovered a problem when a software upgrade of Cisco Catalyst 2960-X series switches failed. Such a failure is a common reaction of forged or modified hardware to new software. The IT [user] company had unknowingly bought suspected counterfeit Cisco equipment. They didn’t discover it until they requested a replacement unit.

The hardware failure led to a broader investigation and the F-Secure Hardware Security team was called in. The objective of the investigation was to determine the security implications.

F-Secure in Pursuit

One research goal was to verify that no extra functionality such as “backdoor access” was introduced. Another was to understand how and why counterfeit devices bypass the platform’s authentication security control.

“Ultimately, we concluded, with a reasonable level of confidence, that no backdoors had been introduced. Furthermore, we identified the full exploit chain that allowed one of the forged products to function: a previously undocumented vulnerability in a security component which allowed the device’s Secure Boot restrictions to be bypassed,” the report authors stated.

The report notes that the counterfeits were physically and operationally similar to an authentic Cisco switch. That’s why users don’t know there’s a problem until odd behavior surfaces. This suggests that the counterfeiters either invested heavily in replicating Cisco’s original design or had access to proprietary engineering documentation to help them create a convincing copy.

According to F-Secure Consulting’s head of hardware security, Andrea Barisani, organizations face considerable security challenges in trying to mitigate the security implications of sophisticated counterfeits such as those analyzed in the report.

F-Secure has the following advice to help organizations avoid using counterfeit devices.

  • Source all your devices from authorized resellers.
  • Have clear internal processes and policies that govern procurement processes.
  • Ensure all devices run the latest available software that vendors provide.
  • Make note of physical differences between different units of the same product, no matter how subtle they may be.

Cisco Brand Protection

Cisco brand protection efforts include working with law enforcement and government to combat crime and protect consumers.

Cisco's Oliver Tuszik


At Cisco Partner Summit 2019, global channel chief Oliver Tuszik talked about counterfeit and gray market products.

Cisco’s Oliver Tuszik is part of Channel Partners/Channel Futures’ 2020 Top Gun 51. The Top Gun 51 recognizes today’s channel executives who build and execute channel programs in a way that drives partner, customer and supplier success. See the full list.

“We take this very seriously. Ninety-nine [point] nine percent of partners play by the rules. They compete but they stick to the rules. We will continue to go after those people [who don’t],” he said.

Cisco has a brand protection team that talks to customers about the risk of buying fake Cisco products.
