INTRODUCTION
Producing counterfeit products is, and always has been, a great business if you don’t mind being on the wrong side of the law. There’s no need to invest in a costly R&D process, and no need to select the best performing and looking materials; the only criterion is the cost of manufacture. This is why we see many imitations of expensive products on the market, and are likely to continue to see them being made and sold at a fraction of original’s price.
Network hardware designed, manufactured, and sold under the Cisco brand is a perfect example of this. Having an excellent reputation because of their great engineering, these products sell at a premium price point.
Naturally, this encourages some to try and produce counterfeits as it’s a way of making easy money. Stories of such exploits abound in the media: a gang reportedly exporting1 US$ 10 million worth of gear to the US, the FBI seizing shipments2 of fake hardware, and court rulings being issued3 to stop the manufacturers. What does Cisco do to combat fraud? Actually, a lot. Cisco has a dedicated Brand Protection organization whose purpose is to defend against counterfeit and gray market activities. They partner with customs teams and regional governments all over the world with success. In April 2019, they seized $626,880 worth of counterfeit Cisco products in one day.4However, despite successful operations Cisco hasn’t been able to stop fraud fully. If there’s an opportunity to make a fast buck, there’ll always be someone willing to take the risk.
In fall 2019, an IT company found some network switches failing after a software upgrade. The company would find out later that they had inadvertently procured suspected counterfeit Cisco equipment. Counterfeit devices quite often work smoothly for a long time, which makes it hard to detect them. In this particular case, the hardware failure initiated a wider investigation to which the F-Secure Hardware Security team was called and asked to analyze the suspected counterfeit Cisco Catalyst 2960-X series5 switches. This initiated a research project with the following goals:
• Verify no extra functionality such as “backdoor access” was introduced.
• Understand how and why counterfeit devices bypass the platforms authentication security control.
Naturally, as it’s not easy to tell genuine and counterfeit devices apart, to verify whether any kind of “backdoor” functionality existed was also not easy, as it required a considerable amount of technical investigative work.
Ultimately, we concluded, with a reasonable level of confidence, that no backdoors had been introduced.
Furthermore, we identified the full exploit chain that allowed one of the forged products to function: a
previously undocumented vulnerability in a security component which allowed the device’s Secure Boot
restrictions to be bypassed.
This paper details the process which led to this conclusion and shares the technical knowledge gained during this journey.
While in this case no “backdoors” were identified, the fact the security functions were bypassed means the security posture of the device was weakened. This could allow attackers who have already gained code execution via a network-based attack, for example, an easier way to gain persistence, and therefore impact the security of the whole organization
.1 https://www.pcworld.com/article/2920032/uk-gang-arrested-for-exporting-10-million-of-fake-cisco-gear-to-us.html
2 https://www.infoworld.com/article/2653167/fbi-worried-as-dod-sold-counterfeit-cisco-gear.html
3 https://www.sdxcentral.com/articles/news/cisco-wins-latest-battle-in-war-against-chinese-counterfeiters/2019/12/
4 https://blogs.cisco.com/partner/perform-transform-and-protect
5 https://www.cisco.com/c/en/us/support/switches/catalyst-2960-x-series-switches/series.html#~tab-documents