This week, F-Secure Labs published some of their work looking for backdoors in counterfeit Cisco switches. The switches in question were counterfeit Cisco Catalyst 2960-X switches. For those who are unaware, the Cisco Catalyst 2960-X is a very popular switch, and the particular model investigated is the Cisco WS-2960X-48TS-L, a mainstay 48x 1GbE + 4x SFP uplink model. Cisco sells these switches for much more than something like a MikroTik CRS354-48G-4S+2Q+RM, and for good reason given their support and reputation. Still, mature technology with high margins means that counterfeiters are in the supply chain.
Fake Cisco Catalyst 2960-X Switches
F-Secure had access to a genuine Catalyst 2960-X along with two counterfeit units. The counterfeits were discovered when they suddenly stopped working after a software update. See if you can guess which one is real and which is fake based on the three shots below.
Of course, go read the paper (link below), but the one on the left above is the genuine Cisco switch. Telling them apart that way requires opening a switch up, which few (if any) are going to do. Looking at the exterior of the chassis, there are some subtle differences:
Here the markings and LED indicators are off, but only by a small degree. Likewise, below one can see some slight differences as well:
The bottom line here is that it would be difficult to tell which switch is genuine and which is not based on the exterior view alone. Also, these counterfeiters are engineering PCBs, so getting better at exterior color matching and similar details is a comparatively easy problem for them to solve.
In the paper, the F-Secure team discusses some of the hardware modifications that were made in an attempt to circumvent hardware/software checks for validity. Here is the most egregiously obvious example:
That was found on the bottom of the switch's main board, which is even harder to spot. Realistically, very few take apart a Cisco Catalyst switch to see the bottom of the PCB.
The F-Secure team highlights a few more examples. We wish they had included more product photography so we could see whether there were other telltale signs of a counterfeit. The team also goes into detail about how they searched for backdoors in the firmware, yet did not find any.
If you are interested in this area, the F-Secure report is 32 pages and great. Check it out here. This is also a reason that we are seeing computer manufacturers, component suppliers, and large customers focus on securing the supply chain. We have even seen this at the component level with Counterfeit Intel Xeon E5 CPUs Invade Amazon and Investigating fake Intel i350 network adapters. For a company such as Cisco, having products in the field that can fail can damage its reputation, especially if the customer is unaware they are using a counterfeit device.
While F-Secure did not find backdoors, which suggests this was a profit-oriented hardware-sales endeavor, it is not out of the question that such devices could be used for other purposes in the future.