It used to be said that imitation is the sincerest form of flattery. Apparently, to imitate someone is to pay that person a genuine compliment (most times). That may work with personalities, but when it comes to things other than people, like clothing, fashion accessories, software and electronic gadgets, an entire industry has grown profiting from the sale of counterfeit products.
On 15 July, Dmitry Januskevich, senior consultant and part of F-Secure Consulting’s hardware security team, published the paper, The Fake Cisco – Hunting for backdoors in counterfeit Cisco devices.
The paper details the process that networking vendor Cisco undertook following the discovery in the fall of 2019 of a failure in some of its switches after a software upgrade.
According to Januskevich, well-made counterfeit devices can stay hidden for a long time. F-Secure’s Hardware Security team was hired to analyse the suspected counterfeit Cisco Catalyst 2960-X series switches.
Given the potential for the widespread used of counterfeit enterprise gear by enterprises – knowingly or not – FutureCIO spoke to Januskevich to look at the trend.
Do people purposely go out to buy counterfeit devices?
Dmitry Januskevich: I think we are confident with our investigation that there was no malicious intent in making those devices. That being said, it is not like they cannot be turned into malicious ones.
When does price come into a legitimate buying process?
Dmitry Januskevich: Well there is always the issue, right? If you're looking to buy for example 20 switches like this one and each one costs something like $3,000. Then of course, you are a bit conscious about the price of things you buy, right? So naturally, you try to find a way to cut the costs down and look for a cheaper deal. But it is very dangerous.
What type of threats would such an equipment pose to the enterprise?
Dmitry Januskevich: Consider a typical attack: on such a device, someone finds a zero-day vulnerability, and exploits it and gains initial access to the device over the network. Then they would really like to keep their foot there and gain persistence.
This is where the security posture of the device comes into play. Because this device like a counterfeit device is sort of a broken from the start, all the security features have been bypassed already.
This makes it much easier for an attacker to get persistence on such a device. Of course, they first need to gain access to it, but we always see that Cisco patches lots of vulnerabilities each and every year in network devices they make.
How can enterprises mitigate the risks of accidentally acquiring counterfeit devices – even if through legitimate sources?
Dmitry Januskevich: From the procurement side of things, we recommend to always purchase equipment from the authorized dealers. This ensures that you don't get any kind of a shady deal on it and you can always talk to your dealer and find out what is wrong with the device.
on the counterfeit switch. On the genuine device, it is bright yellow.
This brings us to the second point that if you find out that there is something wrong with your device, and secondly talk to the manufacturer and seek their help in understanding what is going on with your device.
For example, in this case, we had the CISO of the organization, took it to the manufacturer, talked to them and found out that the devices were not actually manufactured by the original manufacturer, which is bad, of course, but now you know what the problem is.
It always recommended to keep an eye out for some strange occurrences, for example, device breaking down unexpectedly, things like that, you should always check the logs and maybe there is some hint as to what is wrong.
You should always…always check with the manufacturer or the dealer or together to see what the problem is and what could be done about it.
Do you see this trend of acquiring counterfeit devices continuing to happen in Asia particularly in organisations that do not have a mature set of policies for the acquisition of technologies?
Dmitry Januskevich: I think we should see this as a kind of a cat and mouse game. because technology is always improving as to attacks as to defences.
Counterfeiters are always forced to spend more effort on making the product more plausible for device because for example, if a buyer is not too well trained on spotting counterfeits, they don't really know what to look for, and how to check if the devices are genuine.
The counterfeiter doesn't have to spend too much effort on making fake products. On the other hand, where your average buyer is well educated, ask questions at all times, and they check with the manufacturer that they abide by underwriting, then the counterfeiters are forced to improve their efforts and spend more money and effort on making the product more plausible.
Any last tips?
Dmitry Januskevich: We always recommend to execute prudence and verify that the reseller you're buying from is actually authorized by the manufacturer to sell the gear, just to be sure that you're not buying anything strange and to not be enticed by the lower price.
Lower price means that there is something wrong with the device. Otherwise it would be sold just like that on the white market.
So be careful, stay vigilant and only buy from authorized dealers. Having clear procurement policies and processes also helps to avoid such a situation.
And before the devices are installed, update the software so they enter the service already patched. Regular patching should also be done when in service.
