In this case the story had a happy ending: the counterfeit components failed when they were patched. Had they kept working, the damage could have been much worse.
When an IT company applied security update patches to a pair of network switches, the switches promptly stopped working.
Hardware security specialists at cyber security provider F-Secure investigated and determined that the network switches were counterfeit devices.
Furthermore, the counterfeits were designed to bypass processes that authenticate system components. While the counterfeits did not have any backdoor-like functionality, they did employ various measures to fool security controls.
For example, one of the units exploited what the research team believes to be a previously undiscovered software vulnerability to undermine the secure boot process that is meant to protect against firmware tampering. Dmitry Janushkevich, senior consultant on F-Secure's Hardware Security team, reported: “We found that the counterfeits were built to bypass authentication measures, but we didn’t find evidence suggesting the units posed any other risks. The counterfeiters’ motives were likely limited to making money by selling the components. But we see motivated attackers use the same kind of approach to stealthily backdoor companies, which is why it’s important to thoroughly check any modified hardware.”
How to ensure network hardware integrity
The counterfeits were physically and operationally similar to an authentic Cisco switch. The engineering of one of the units suggests that the counterfeiters either invested heavily in replicating Cisco’s original design or had access to proprietary engineering documentation that helped them create a convincing copy.
According to Andrea Barisani, Head of Hardware Security at F-Secure Consulting, organizations face considerable challenges in mitigating the security implications of sophisticated counterfeits such as those analyzed in the report. “Security departments can’t afford to ignore hardware that’s been tampered with or modified, which is why they need to investigate any counterfeits that they’ve been tricked into using. Without tearing down the hardware and examining it from the ground up, organizations can’t know if a modified device had a larger security impact. And depending on the case, the impact can be major enough to completely undermine security measures intended to protect an organization’s security, processes, infrastructure, etc.”
F-Secure offers the following advice to help organizations avoid using counterfeit components:
• Source all your components from authorized resellers
• Have clear internal processes and policies that govern procurement processes
• Ensure all components run the latest available software provided by vendors
• Make note of physical differences between different units of the same product, no matter how subtle they may be