Russell Handorf

VAR does it come from? CISCO Hardware Espionage

When an organization looks at the threats to its infrastructure, it generally sorts them under two headings: internal and external. Under internal threats it usually ranks the rogue employee highest, and under external threats it thinks of its competitors. I want to discuss another threat, a combination of the two, that is presented to every organization by one of its trusted sources. The threat is the nation state, the trusted source is your Value Added Reseller (VAR), and the method is counterfeit hardware.

I will not get into the motives or justifications for a nation state taking an interest in infiltrating a Mom and Pop shop, as there is no solid information to report and it is all speculative. However, the Mom and Pop shop should be just as concerned as the US Government and large corporations are about the problem at hand. There is an unclassified FBI presentation, which I have confirmed is legitimate, that discusses the concern that China is intentionally having counterfeit Cisco hardware sold in the United States. The presentation describes four cases the FBI investigated in which this hardware was discovered, even in classified networks.

The more serious statements in this presentation are on slide 30, where it claims that about 10% of the information technology hardware sold globally over the past couple of years is counterfeit, and that it is being sold through legitimate channels (KPMG is the cited source). In Cisco's case, this counterfeit hardware is sold through the Cisco Gold and Silver Partner program. Other vendors' vetting processes are just as flawed, allowing this hardware into your IT infrastructure.

Why should the Mom and Pop shops be concerned? Beyond having hardware in your infrastructure that does not work as advertised, there are issues with warranties, support and product lifetime (according to the FBI presentation, some of these counterfeit devices catch fire). For the larger organizations, you have no assurance that the highly secured VPN tunnel you configured really and truly is what you just configured.

Is the problem limited to Cisco equipment? Of course not, as the KPMG report indicates. Even raw components such as memory and CPUs are being copied for inclusion in your infrastructure's devices. So even though a device really may come from the vendor standing behind it, the storage medium inside it may be counterfeit. Furthermore, counterfeit equipment comes not only from China but from many other countries as well.

So, enough with the FUD: what can you do to protect against this growing threat? Here are a few suggestions I have been able to glean:

  1. Track the failure rate of your equipment along with its batch numbers, and log these events. A high failure rate within one batch may be a symptom of counterfeit devices.
  2. Inspect the hardware thoroughly; any sign of defects or "sloppy construction" is reason to raise a flag.
  3. Make sure your VAR tests all equipment and provides a complete supply chain (chain of custody) for the devices for your review.
  4. Join one of the many organizations that will communicate these risks to you. You probably already know which ones they are, but for those who don't, here is a short list: InfraGard, ECTF, HTCIA and ISSA.
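One way to act on the first suggestion, as an added example that is not part of the original post: the script below takes a simple asset inventory (serial, product ID, batch/lot, reseller) and an RMA log, works out the failure rate per batch, and flags batches that have enough failures to matter and sit well above the fleet-wide rate. It also reports failed serials that never appeared in the inventory and serials listed more than once, both of which are worth raising with the VAR. The file formats, field names, thresholds and all sample data are assumptions; the serials, lot numbers, product IDs and reseller names are made up.

```python
"""Flag hardware batches whose failure rate is out of line with the fleet.

Added example, not code from the original post. Inventory/log formats,
field names and thresholds are assumptions; all data below is constructed.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample inventory (serial, product ID, batch/lot, reseller).
# SN-B003 is deliberately listed twice to show the duplicate-serial check.
INVENTORY_CSV = """\
serial,pid,batch,var
SN-A001,PID-24PORT-SW,LOT-A,VAR-North
SN-A002,PID-24PORT-SW,LOT-A,VAR-North
SN-A003,PID-24PORT-SW,LOT-A,VAR-North
SN-A004,PID-24PORT-SW,LOT-A,VAR-North
SN-A005,PID-24PORT-SW,LOT-A,VAR-North
SN-A006,PID-24PORT-SW,LOT-A,VAR-North
SN-B001,PID-24PORT-SW,LOT-B,VAR-South
SN-B002,PID-24PORT-SW,LOT-B,VAR-South
SN-B003,PID-24PORT-SW,LOT-B,VAR-South
SN-B003,PID-24PORT-SW,LOT-B,VAR-South
SN-B004,PID-24PORT-SW,LOT-B,VAR-South
SN-B005,PID-24PORT-SW,LOT-B,VAR-South
SN-B006,PID-24PORT-SW,LOT-B,VAR-South
SN-C001,PID-24PORT-SW,LOT-C,VAR-North
SN-C002,PID-24PORT-SW,LOT-C,VAR-North
SN-C003,PID-24PORT-SW,LOT-C,VAR-North
SN-C004,PID-24PORT-SW,LOT-C,VAR-North
SN-C005,PID-24PORT-SW,LOT-C,VAR-North
SN-C006,PID-24PORT-SW,LOT-C,VAR-North
"""

# Constructed RMA/failure log. Lines without "serial=" are not failures.
FAILURE_LOG = """\
2008-02-01 RMA serial=SN-A004 reason=port-flap
2008-02-11 RMA serial=SN-B001 reason=psu-dead
2008-02-12 RMA serial=SN-B002 reason=reboot-loop
2008-02-20 RMA serial=SN-B005 reason=psu-dead
2008-03-02 RMA serial=SN-B006 reason=burnt-smell
2008-03-05 RMA serial=SN-Z999 reason=psu-dead
2008-03-05 NOTE firmware image verified on SN-C001
"""

SERIAL_RE = re.compile(r"\bserial=(\S+)")


def parse_inventory(text):
    """Return (serial -> row dict, sorted serials listed more than once)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    counts = Counter(r["serial"] for r in rows)
    return {r["serial"]: r for r in rows}, sorted(s for s, n in counts.items() if n > 1)


def parse_failures(text):
    """Serial numbers from every log line that records a failure/RMA."""
    return [m.group(1) for m in map(SERIAL_RE.search, text.splitlines()) if m]


def batch_stats(inventory, failed_serials):
    """Per batch: distinct units, distinct failed units, failure rate.
    Also returns failed serials that were never in the inventory."""
    units, failed, unknown = defaultdict(set), defaultdict(set), set()
    for serial, row in inventory.items():
        units[row["batch"]].add(serial)
    for serial in failed_serials:
        row = inventory.get(serial)
        if row is None:
            unknown.add(serial)  # a failed unit we have no record of buying
        else:
            failed[row["batch"]].add(serial)
    stats = {b: {"total": len(m), "failed": len(failed[b]), "rate": len(failed[b]) / len(m)}
             for b, m in units.items()}
    return stats, sorted(unknown)


def flag_batches(stats, min_failures=3, factor=2.0):
    """Batches with >= min_failures failures and a rate more than `factor`
    times the fleet-wide rate (both thresholds are assumptions)."""
    total = sum(s["total"] for s in stats.values())
    fleet_rate = sum(s["failed"] for s in stats.values()) / total if total else 0.0
    return sorted(b for b, s in stats.items()
                  if s["failed"] >= min_failures and s["rate"] > factor * fleet_rate)


def analyze(inventory_csv, failure_log):
    inventory, duplicates = parse_inventory(inventory_csv)
    stats, unknown = batch_stats(inventory, parse_failures(failure_log))
    return {"stats": stats, "flagged": flag_batches(stats),
            "unknown_serials": unknown, "duplicate_serials": duplicates}


if __name__ == "__main__":
    report = analyze(INVENTORY_CSV, FAILURE_LOG)
    for batch, s in sorted(report["stats"].items()):
        print(f"{batch}: {s['failed']}/{s['total']} failed ({s['rate']:.0%})")
    print("flagged batches:", report["flagged"])
    print("failed serials not in inventory:", report["unknown_serials"])
    print("serials listed more than once:", report["duplicate_serials"])
```

With the constructed data, LOT-B (4 of 6 units failed, against a fleet-wide rate of 5 in 18) is flagged while LOT-A's single failure is not; SN-Z999 is reported as a failure with no purchase record, and SN-B003 as a serial that appears twice. The thresholds are deliberately simple; in practice you would tune `min_failures` to your fleet size and compare against the vendor's published failure rate rather than your own fleet average, which is itself skewed if a whole batch is bad.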

More Resources:

FBI Criminal Investigation: Cisco Routers – http://www.abovetopsecret.com/forum/thread350381/pg1

KPMG Managing the Risks of Counterfeiting the Information Technology Industry – http://www.agmaglobal.org/press_events/press_docs/Counterfeit_WhitePaper_Final.pdf

Chinese Counterfeit Cisco Network Routers Targeted In North America – http://www.chinatechnews.com/2008/03/03/6443-chinese-counterfeit-cisco-network-routers-targeted-in-north-america/

Fake network gear – http://www.networkworld.com/news/2006/102306counterfeit.html
