The Anatomy of a Cisco Counterfeit Shows Its Dangerous Potential

By tearing down bootleg network switches, researchers found ample opportunity for malice—but no signs of a backdoor this time.
Illustration: Elena Lacey

When an I.T. company asked Finnish cybersecurity firm F-Secure to analyze some of its equipment last fall, the client wasn't worried about a new malware infection or recent breach. Instead, it had discovered that some of its core Cisco devices—the ones responsible for routing data as it zipped through its internal network—were counterfeits that had been lurking undetected in its infrastructure for weeks.

Fake Cisco devices are relatively common, largely because of the company's ubiquity. Cisco has a whole brand-protection division dedicated to working with law enforcement, and it offers tools that help customers verify the legitimacy of their equipment. Still, bogus Cisco products are pervasive, and they're big business for scammers.

A detailed teardown of counterfeits, though, is a special opportunity for researchers to understand how they could be compromised for digital attacks. The units F-Secure analyzed posed as Cisco Catalyst 2960-X Series switches—trusted devices that connect computers on an internal network to route data between them. In this case, it appears the fakes were created simply for profit. But the privileged network position they hold could have been exploited to place a so-called backdoor to let attackers steal data or spread malware.

"It’s like when you have a fake Rolex these days—unless you actually open it and look at the movement, it’s really difficult to tell," says Andrea Barisani, head of hardware security at F-Secure.

Cisco encourages customers to buy equipment from the company itself or authorized resellers. In practice, though, procurement chains can balloon in the open market, and network equipment vendors can inadvertently end up with counterfeits.

The fake switches the researchers analyzed had worked normally until a routine software update essentially bricked them, tipping off the F-Secure client that something was amiss. In their analysis, the F-Secure researchers found subtle cosmetic differences between the counterfeit devices and a genuine Cisco 2960-X Series switch used for reference. Small labels, like numbers next to Ethernet ports, were misaligned, and the fake devices were missing a holographic sticker Cisco puts on the real units. F-Secure points out that some forgeries have this sticker, but devices that don't are almost certainly fake.

"Counterfeit products pose serious risks to network quality, performance, safety, and reliability," a Cisco spokesperson said in a statement. "To protect our customers, Cisco actively monitors the global counterfeit market as well as implements a holistic and pervasive Value Chain Security Architecture comprised of various security controls to prevent counterfeiting."

The F-Secure team found some small differences and indications of tampering on the devices' circuit boards themselves, but there was a particular divergence that stood out immediately. One of the counterfeit devices had a very obvious extra memory chip on the board. After more investigation, the researchers realized that the other sample counterfeit their client had sent had a more subtle and sophisticated version of that modification to achieve the same goal. Through digital forensic analysis, F-Secure discovered that both versions of the hack exploited a physical flaw in the switch's design to bypass Cisco's integrity checks. The objective was to bypass Cisco's Secure Boot feature, which stops a device from booting up if it has been compromised or isn't legitimate.

"What we know is that an authentication mechanism is implemented in the main application that is able to detect that the software is running on counterfeit hardware," says Dmitry Janushkevich, a senior hardware security consultant at F-Secure who led the research. "Likely, the counterfeiters either were not able to figure it out or the authentication method was good enough so they could not work around, buy, or forge that part. Otherwise they would be able to produce a perfect clone. Therefore, they chose the only option remaining, which is bypassing Secure Boot."

The workaround doesn't quite create the perfect clone either, because the Cisco software running on the switches—real, but pirated Cisco code—still needed to be "patched in memory," or manipulated once the device was tricked into booting up to make everything compatible and pass Cisco's software integrity checks. Technically this means that the changes to the device weren't "persistent," because they needed to run again, as if for the first time, with every reboot of the device. In practice, though, the workarounds were successful—at least until Cisco pushed an update that inadvertently rendered the counterfeits inoperable.

Beyond those shenanigans, though, the researchers found no evidence that the fakes were designed to spy on the switches or backdoor them for attacker access. That's good news for F-Secure's client, but the researchers caution that the counterfeit devices are a perfect blueprint for an attack.

"The impact of a truly malicious implant on such a device can be massive, because an attacker is basically in control of that network at that point," Barisani says. "In the end, we’re very confident that we found everything that was going on in these devices, though we never say 100 percent in the security world. However, these same techniques are the ones that could be used or are used when someone wants to make a malicious device. You often see people theorizing about supply-chain attacks, and this could be one form of supply-chain attack."

The researchers informed Cisco of the hardware vulnerability that the counterfeits relied on. The company says it is "looking into the researcher’s findings with priority," and that it will notify customers of any relevant conclusions. Attackers would need physical device access to exploit the flaw, since it's a hardware issue, but the researchers point out that it isn't just a concern for counterfeit devices. The vulnerability is in genuine Cisco hardware, and it could be used to undermine protections like Secure Boot in real products too. And because it's a hardware flaw, it's unlikely that Cisco can fix it in devices that have already been manufactured and deployed.

Longtime Cisco security researcher Ang Cui, who is CEO of the embedded-device security firm Red Balloon, says the F-Secure research is an important reminder of the threat from counterfeit devices. He points out, though, that the fakes the firm analyzed are low-end switches that don't cost a lot in the context of enterprise network equipment—about $600 each in the current market. Given that the margins on such a product would be fairly low for Cisco, not to mention forgers, Cui says he is surprised there was nothing more nefarious happening.

"It’s very interesting, because that switch is dirt cheap, a workhorse, nothing fancy," Cui says. "I don’t think anybody who has business sense would counterfeit this versus some other Cisco gear. But the advantage of compromising a switch for an attacker is that it directly connects to computers on the network. So if people went through the trouble to counterfeit these things, I would think they would make a malicious implant in the hardware, the switching fabric where all the data flows."

As part of its work, F-Secure tried to help its client trace where the counterfeits came from, but the procurement history is murky, which is exactly why bootleg devices could be used in supply-chain attacks. Instead of needing to compromise Cisco's operations or those of another company, attackers can simply sully the last link: distribution.
