When an I.T. company asked Finnish cybersecurity firm F-Secure to analyze some of its equipment last fall, the client wasn’t worried about a new malware infection or recent breach. Instead, it had discovered that some of its core Cisco devices—the ones responsible for routing data as it zipped through its internal network—were counterfeits that had been lurking undetected in its infrastructure for weeks.
Fake Cisco devices are relatively common, largely because of the company’s ubiquity. Cisco has a whole brand-protection division dedicated to working with law enforcement, and it offers tools that help customers verify the legitimacy of their equipment. Still, bogus Cisco products are pervasive, and they’re big business for scammers.
A detailed teardown of counterfeits, though, is a special opportunity for researchers to understand how they could be compromised for digital attacks. The units F-Secure analyzed posed as Cisco Catalyst 2960-X Series switches—trusted devices that connect computers on an internal network to route data between them. In this case, it appears the fakes were created simply for profit. But the privileged network position they hold could have been exploited to place a so-called backdoor to let attackers steal data or spread malware.
“It’s like when you have a fake Rolex these days—unless you actually open it and look at the movement, it’s really difficult to tell,” says Andrea Barisani, head of hardware security at F-Secure.
Cisco encourages customers to buy equipment from the company itself or authorized resellers. In practice, though, procurement chains can balloon in the open market, and network equipment vendors can inadvertently end up with counterfeits.
The fake switches the researchers analyzed had worked normally until a routine software update essentially bricked them, tipping off the F-Secure client that something was amiss. In their analysis, the F-Secure researchers found subtle cosmetic differences between the counterfeit devices and a genuine Cisco 2960-X Series switch used for reference. Small labels, like numbers next to ethernet ports, were misaligned, and the fake devices were missing a holographic sticker Cisco puts on the real units. F-Secure points out that some forgeries have this sticker, but devices that don’t are almost certainly fake.
“Counterfeit products pose serious risks to network quality, performance, safety, and reliability,” a Cisco spokesperson said in a statement. “To protect our customers, Cisco actively monitors the global counterfeit market as well as implements a holistic and pervasive Value Chain Security Architecture comprised of various security controls to prevent counterfeiting.”
The F-Secure team found some small differences and indications of tampering on the devices’ circuitboards themselves, but there was a particular divergence that stood out immediately. One of the counterfeit devices had a very obvious extra memory chip on the board. After more investigation, the researchers realized that the other sample counterfeit their client had sent had a more subtle and sophisticated version of that modification to achieve the same goal. Through digital forensic analysis, F-Secure discovered that both versions of the hack exploited a physical flaw in the switch’s design to bypass Cisco’s integrity checks. The objective was to bypass Cisco’s Secure Boot feature, which stops a device from booting up if it has been compromised or isn’t legitimate.
“What we know is that an authentication mechanism is implemented in the main application that is able to detect that the software is running on counterfeit hardware,” says Dmitry Janushkevich, a senior hardware security consultant at F-Secure who led the research. “Likely, the counterfeiters either were not able to figure it out or the authentication method was good enough so they could not work around, buy, or forge that part. Otherwise they would be able to produce a perfect clone. Therefore, they chose the only option remaining, which is bypassing Secure Boot.”
The workaround doesn’t quite create the perfect clone either, because the Cisco software running on the switches—real, but pirated Cisco code—still needed to be “patched in memory,” or manipulated once the device was tricked into booting up to make everything compatible and pass Cisco’s software integrity checks. Technically this means that the changes to the device weren’t “persistent,” because they needed to run again, as if for the first time, with every reboot of the device. In practice, though, the workarounds were successful—at least until Cisco pushed an update that inadvertently rendered the counterfeits inoperable.