Bad news: Your Cisco switch is a fake and an update borked it. Good news: It wasn't designed to spy on you
Autopsy finds rip-off gear is mainly about making coin, not bugging your network
Two types of fake Cisco switches – discovered after a software upgrade hobbled counterfeit gear at an unidentified IT firm – appear to have been designed for profit rather than espionage.
F-Secure Consulting's hardware security team disassembled the unauthorized Cisco Catalyst 2960-X series switches at the IT company's request, to understand how they worked and determine whether the organization's network had been compromised.
As described in a report [PDF] published on Wednesday, no backdoor functionality was found. However, the lookalike devices employed sophisticated techniques to bypass Cisco's security protection mechanisms.
Although the equipment's electronics are counterfeit, it still needs to load Cisco's IOS firmware to pass off as a genuine box to the user. However, IOS will perform various checks to make sure it is running on genuine hardware, and is appropriately licensed, and these need to be circumvented. F-Secure said it managed to identify the full exploit chain used by one of the fake boxes, involving a previously unknown vulnerability in a security component, to defeat this Secure Boot process.
Cisco last year patched a different Secure Boot vulnerability. A Cisco spokesperson told The Register it is looking into the F-Secure report and will alert customers if there's anything they need to be aware of.
Counterfeit units A and B proved to be substantially similar to genuine Cisco kit, but not identical. For example, neither included the holographic sticker Cisco applies to the circuit boards of its switches. A closer examination of the circuit boards showed that the copycats had different flash memory chips than the Cisco hardware and other variations, such as different Ethernet chips.
An analysis of the IOS software images on the counterfeit devices found them identical to the software on authorized hardware. That means, the researchers said, the IOS software was patched as it was loaded into RAM from flash by the bootloader to ensure the software would work on the rip-off hardware. The bootloader was customized by the counterfeiters to make the necessary changes to the firmware as it was loaded into memory; this bootloader was overwritten by a Cisco software upgrade with a genuine version of the loader, which knackered the machine – it could no longer boot properly.
Fancy some fishy-chips? Just order one of these sensors: Research shines light on suspect component sourcesREAD MORE
The two fake units used different tactics to neuter IOS's system integrity checks. "Counterfeit A contained 'add-on' circuitry which exploited a race condition in the SLIMpro ROM code to bypass SLIMpro software verification," the F-Secure report explains. "It did this by intercepting EEPROM control signals, replacing certain bytes in the image being loaded to modify software behavior."
SLIMpro is an AppliedMicro Trusted Management Module that provides encryption and authentication for network devices.
Counterfeit B, meanwhile, incorporated the add-on hardware functionality in Counterfeit A into its PCB design and replaced the EEPROM with an unknown integrated circuit.
The researchers say this suggests considerable resources were deployed to create the copy and they speculate that the forgers may have had access to either Cisco engineering documentation or invested enough in the tools to reproduce original PCB designs. The report does not address who might have made the fakes or where they might have been manufactured.
"Counterfeit products pose serious risks to network quality, performance, safety, and reliability," a Switchzilla spokesperson told The Register in an email, pointing to longstanding anti-counterfeiting efforts.
"We recommend customers purchase Cisco products from Cisco or through an authorized partner to ensure customers get genuine and authorized Cisco products."
"Such devices can pose considerable economical, operational and security risks," said Andrea Barisani, head of hardware security for F-Secure, in an email to The Register.
"From a purely economical perspective having counterfeit devices, in the long run, might end up being more costly than purchasing original devices (assuming the counterfeit are purchased at a discount in the first place). If anything because because support contracts or requests can be refused."
Then there are operational concerns, Barisani said, when units stop working due to firmware updates or issues not supported by vendors.
"From a security standpoint a counterfeit unit can operate outside the boundaries of legitimate and authenticated firmware," said Barisani.
"In the worst case scenario such firmware can incorporate intentional backdoors implanted to allow network traffic monitoring and tampering. Authenticity bypass implants, even without backdooring intents, can also introduce vulnerabilities that can undermine the original intended security measures of the vendor firmware."
While the two analyzed units showed no evidence of backdoors, Barisani said that remains a possibility with counterfeits. ®