Finnish cybersecurity company F-Secure released a report detailing its investigation into a pair of counterfeit Cisco network switches.
The investigation concludes that the forgeries were designed to bypass the processes that authenticate system components. The two counterfeit Cisco Catalyst 2960-X switches, each a different forgery, were discovered by an IT company after a software update caused them to stop working.
Investigators found that while the fakes did not contain any backdoor-like functionality, they used various measures to defeat the device's own security checks. For example, one of the units exploited what the research team believes was a previously undiscovered software vulnerability to undermine the secure boot process that protects the device against firmware tampering.
“We discovered that the forgeries were designed to circumvent authentication measures, but we found no evidence to suggest the units presented any other risks,” says Dmitry Janushkevich, senior consultant in the hardware security team at F-Secure Consulting and lead author of the report. “The motivations of the counterfeiters were probably limited to making money by selling the components. But we are seeing motivated attackers use the same type of approach to stealthily backdoor companies, which is why it is important to carefully check any modified hardware.”
The counterfeits were physically and operationally similar to genuine Cisco switches. The engineering of the units suggests that the counterfeiters either invested heavily in reproducing Cisco’s original design or had access to proprietary engineering documentation that helped them create a convincing copy.
“Security departments cannot afford to ignore hardware that has been tampered with or modified, which is why they need to investigate any counterfeits they have been tricked into using,” said Andrea Barisani, head of hardware security at F-Secure Consulting. “Without tearing down the hardware and examining it thoroughly, organizations cannot tell whether a modified device has had a wider security impact. And depending on the case, the impact can be large enough to completely undermine the security measures intended to protect an organization’s security, processes, infrastructure, and so on.”
F-Secure recommends that companies protect themselves by sourcing components only from authorized resellers, having clear internal processes and policies governing procurement, ensuring that all components run the latest software available from the vendor, and noting any physical differences between units of the same product, no matter how subtle.
You can find the full report on the F-Secure site.