Cybersecurity solutions provider F-Secure published a report detailing how attackers look for backdoors via counterfeit devices. In its investigation report, F-Secure stated that it had discovered a pair of counterfeit network switches impersonating Cisco network switches. The counterfeit devices were designed to bypass the authentication processes for system components. The report also highlighted the security challenges faced by organizations that have counterfeit components in their IT infrastructure.
Counterfeit Cisco Switches
F-Secure researchers investigated two counterfeit versions of the Cisco Catalyst 2960-X series switches. The counterfeit devices were discovered by an IT company after it ran into problems with a software update. F-Secure analyzed the counterfeits to determine their security implications. According to the investigation, the counterfeit devices did not contain any backdoor functionality, but they were able to bypass security controls. The counterfeits were physically and operationally similar to an authentic Cisco switch. The threat actors either invested heavily in imitating Cisco’s original design or had access to proprietary engineering documentation to create the fake copies, the report said.
F-Secure also recommended measures to help organizations avoid using counterfeit components, including:
- Source all your components from authorized resellers
- Have clear internal processes and policies that govern procurement processes
- Ensure all components run the latest available software provided by vendors
- Make note of physical differences between different units of the same product, no matter how subtle they may be
Andrea Barisani, F-Secure Consulting’s Head of Hardware Security, stated that enterprises face challenges in mitigating the security issues posed by counterfeit hardware. “Security departments can’t afford to ignore hardware that’s been tampered with or modified, which is why they need to investigate any counterfeits that they’ve been tricked into using. Without tearing down the hardware and examining it from the inside, organizations cannot possibly know if a modified device had a larger security impact. And depending on the case, the impact can be serious enough to completely undermine security measures intended to protect an organization’s security, processes, infrastructure, etc.,” Barisani added.