Almost four years ago, STH published Investigating fake Intel i350 network adapters. Since then, we have heard of numerous reports of counterfeit products being sold on Amazon and eBay. This week, we had a reader show us, in person, what he was shipped as a legitimate Intel adapter purchased on Amazon.com (likely from a marketplace seller.) For those who are not familiar, it is easy to assume this is a genuine part. When our reader tried using iPXE, a network booting tool, with the NIC, it failed even though genuine cards work without issue. In this article, we are going to show some signs of his counterfeit card so you can apply a critical eye to cards you may buy.
Intel Gigabit CT Desktop Adapter Background
First a quick background. The Intel Gigabit CT Adapter is considered a desktop gigabit Ethernet adapter. First launching in Q3, 2008, it is a venerable design but unlike other desktop adapters of its era, it has something important. The Intel Gigabit CT Adapter is built around an Intel 82574L NIC. At STH, in the first five years of the site, we saw the Intel 82574L become the de facto single port 1GbE solution for servers. The NICs were simply everywhere embedded on motherboard and in add-on card slots.
Since there were years of servers with these parts before they were replaced by the Intel i210-at NIC, they have a unique property: popularity. These NICs have enjoyed over a decade of widespread support in operating systems. If you wanted a 1GbE connection to “just work” even if an OS did not have your 100GbE adapter drivers, the Intel Gigabit CT Adapter with its Intel 82574L was a popular choice because they were inexpensive.
These are a single port, low profile PCIe Gen1.1 x1 NICs that yielded deployment versatility. Almost every server has a PCIe x1 slot or larger. Power consumption is a meager sub-2W so they run cool with minimal airflow. With an onboard server NIC, these cards are still widely used today. We have 1-2 in each lab location as “just in case” NICs.
Price wise, we are not talking top-bin networking in 2019. Retail has been in the $35 range for years making them inexpensive backups to have. The Intel 82574L chip itself I remember being in the $1-2 range years ago so Intel and its partners can build a PCB around the chips and sell with a good margin in the $35 range.
That would be all well and good, except there is so much margin that even these low-end parts have counterfeits showing up and being sold on Amazon and eBay masquerading as legitimate parts.
A Counterfeit Intel Gigabit CT Desktop Adapter from Amazon
Our reader showed us a side-by-side of the counterfeit Intel Desktop CT Desktop adapters. The fake did not start with the card itself. Instead, the fake started with the brown box.
Those large black printed brackets make it looks like an Intel box, as does the “EXPI9301CT” label. The large “INTEL 1g NIC” looks strange as Intel teams love their product numbers. We also see “Intel Gigabit CT PCI-E Network Adapter EXPI9301CTBLK” on the middle label, followed by something strange. In a different font and a different size it says “New.” Intel makes new products so it does not label their products as new.
Frankly, for the person picking this box in, for example, an Amazon warehouse, there would be little clue this was a counterfeit. Even seeing the cards themselves, it would be hard to see.
Moving to the cards themselves, here is what the top of the cards looks like. The top card is counterfeit, the bottom is the genuine part:
One can fairly easily see that some components and the PCBs are different. The Intel 82574L is shinier on the counterfeit. The STH reader we met posited that it could be an effort to make it look real and new. He also pointed out a glaring item, the Intel logo. The Intel logo on the genuine part is much higher resolution than the counterfeit part, as are some of the other markings. Intel is a large organization and has access to good silkscreening equipment. It appears as though the team that made the counterfeit card went through a lot of effort to make similar markings, but did not have the same equipment to make them look right.
Here is what the back of the cards looks like:
You can clearly see a few different PCB markings and labels. The PCB markings are identical yet the PCB’s themselves are very different if you look at visible traces. The Yottamark label is on the genuine one and we often tell folks to look for that. Also, one can see the “Made in Thailand” sticker that is required to show the country of origin for international trade. One can also see the do not throw away sticker since this card should go in an e-waste recycling bin. One you can tell has all of the disclosures you would expect from a large multi-national company’s product, the other does not.
One major implication here is that there are compliance marks replicated on the counterfeit parts. For example, the “CE” means “Conformité Européene” french for European Conformity. The Intel names are being used without permission. The PCI Express trademark is being used. Intel likely goes into the FCC compliance process, the counterfeit cards likely do not despite having markings on the front side and so forth.
Just being clear, Amazon is not the only seller impacted by this. Here is a great example from eBay with over 200 sold at the time of this writing.
At the lower end of the market, where this NIC plays, there is a risk that many of these cards are not being reported even if identified as counterfeit. The reader who showed these two cards said something along the lines of “for $20 I am not going through the hassle of returning it.” The problem with users not reporting fakes is that it does not help marketplace sites like Amazon, eBay, and Newegg identify patterns. For many users, they do not know or the cards work fine so they do not report them.
Intel’s forensic team can track the actual chips, but given the proliferation of using Intel’s product names in conjunction with these parts, it seems as though Intel is not serious about cleaning up these small grey markets.
STH readers and I are always up for a deal. Remember, a compromised NIC is an enormous security risk. Likewise, there are plenty of reports that “fake” NICs can experience premature failure. We have been hearing stories of some features not working as well.
Frankly, if you are OK with the security risk, the potential of failure, and lack of some features/ functionality, I have no problem with vendors selling lower-cost parts. Intel sells NIC chips and plenty of legitimate vendors assemble their own cards selling them under their own brands.
What is not OK is when these cards, like the one from our example above, are marked with a product name from Intel and sold as legitimate parts, that can be harmful. Having personally seen hundreds of these cards, it is easy to spot the fake. The outer box we were shown, along with the card markings makes it clear the manufacturer of these cards is trying to make them look legitimate. That is not OK.
Our advice: check your NICs carefully when purchasing them through a third-party seller, even if they are well-known. While we covered just about the lowest-end part out there, these cards exist across lines and we have seen even XL710 40GbE cards that cost hundreds of dollars follow a similar pattern.
Look for the Yottamark at minimum before you buy an Intel-brand NIC. If the pricing is too good to be true, then it likely is.