Almost four years ago, STH published “Investigating fake Intel i350 network adapters.” Since then, we have heard numerous reports of counterfeit products being sold on Amazon and eBay. This week, we had a reader show us, in person, what he was shipped as a legitimate Intel adapter purchased on Amazon.com (likely from a marketplace seller). For those who are not familiar, it is easy to assume this is a genuine part. When our reader tried using iPXE, a network booting tool, with the NIC, it failed even though genuine cards work without issue. In this article, we are going to show some signs of his counterfeit card so you can apply a critical eye to cards you may buy.
Intel Gigabit CT Desktop Adapter Background
First, a quick background. The Intel Gigabit CT Adapter is considered a desktop gigabit Ethernet adapter. First launched in Q3 2008, it is a venerable design, but unlike other desktop adapters of its era, it has something important. The Intel Gigabit CT Adapter is built around an Intel 82574L NIC. At STH, in the first five years of the site, we saw the Intel 82574L become the de facto single-port 1GbE solution for servers. The NICs were simply everywhere, embedded on motherboards and in add-on card slots.
Since there were years of servers with these parts before they were replaced by the Intel i210-at NIC, they have a unique property: popularity. These NICs have enjoyed over a decade of widespread support in operating systems. If you wanted a 1GbE connection to “just work” even if an OS did not have your 100GbE adapter drivers, the Intel Gigabit CT Adapter with its Intel 82574L was a popular choice because they were inexpensive.
These are single-port, low-profile PCIe Gen1.1 x1 NICs, which gives them deployment versatility. Almost every server has a PCIe x1 slot or larger. Power consumption is a meager sub-2W so they run cool with minimal airflow. Even in servers with an onboard NIC, these cards are still widely used today. We have 1-2 in each lab location as “just in case” NICs.
Price-wise, we are not talking top-bin networking in 2019. Retail has been in the $35 range for years, making them inexpensive backups to have. I remember the Intel 82574L chip itself being in the $1-2 range years ago, so Intel and its partners can build a PCB around the chips and sell with a good margin in the $35 range.
That would be all well and good, except there is so much margin that even these low-end parts have counterfeits showing up and being sold on Amazon and eBay masquerading as legitimate parts.
A Counterfeit Intel Gigabit CT Desktop Adapter from Amazon
Our reader showed us a side-by-side of the counterfeit and genuine Intel Gigabit CT Desktop Adapters. The fake did not start with the card itself. Instead, the fake started with the brown box.
Those large black printed brackets make it look like an Intel box, as does the “EXPI9301CT” label. The large “INTEL 1g NIC” looks strange as Intel teams love their product numbers. We also see “Intel Gigabit CT PCI-E Network Adapter EXPI9301CTBLK” on the middle label, followed by something strange. In a different font and a different size it says “New.” Intel makes new products so it does not label its products as new.
Frankly, for the person picking this box in, for example, an Amazon warehouse, there would be little clue this was a counterfeit. Even seeing the cards themselves, it would be hard to see.
Moving to the cards themselves, here is what the top of the cards looks like. The top card is counterfeit, the bottom is the genuine part:
One can fairly easily see that some components and the PCBs are different. The Intel 82574L is shinier on the counterfeit. The STH reader we met posited that it could be an effort to make it look real and new. He also pointed out a glaring item, the Intel logo. The Intel logo on the genuine part is much higher resolution than the counterfeit part, as are some of the other markings. Intel is a large organization and has access to good silkscreening equipment. It appears as though the team that made the counterfeit card went through a lot of effort to make similar markings, but did not have the same equipment to make them look right.
Here is what the back of the cards looks like:
You can clearly see a few different PCB markings and labels. The PCB markings are identical, yet the PCBs themselves are very different if you look at visible traces. The Yottamark label is on the genuine one and we often tell folks to look for that. Also, one can see the “Made in Thailand” sticker that is required to show the country of origin for international trade. One can also see the “do not throw away” sticker since this card should go in an e-waste recycling bin. One card clearly has all of the disclosures you would expect from a large multinational company’s product; the other does not.
One major implication here is that there are compliance marks replicated on the counterfeit parts. For example, the “CE” means “Conformité Européenne,” French for European Conformity. The Intel names are being used without permission. The PCI Express trademark is being used. Intel likely goes through the FCC compliance process; the counterfeit cards likely do not, despite having the markings on the front side and so forth.
Just being clear, Amazon is not the only seller impacted by this. Here is a great example from eBay with over 200 sold at the time of this writing.
At the lower end of the market, where this NIC plays, there is a risk that many of these cards are not being reported even if identified as counterfeit. The reader who showed these two cards said something along the lines of “for $20 I am not going through the hassle of returning it.” The problem with users not reporting fakes is that it does not help marketplace sites like Amazon, eBay, and Newegg identify patterns. For many users, they do not know or the cards work fine so they do not report them.
Intel’s forensic team can track the actual chips, but given the proliferation of using Intel’s product names in conjunction with these parts, it seems as though Intel is not serious about cleaning up these small grey markets.
STH readers and I are always up for a deal. Remember, a compromised NIC is an enormous security risk. Likewise, there are plenty of reports that “fake” NICs can experience premature failure. We have been hearing stories of some features not working as well.
Frankly, if you are OK with the security risk, the potential of failure, and lack of some features/functionality, I have no problem with vendors selling lower-cost parts. Intel sells NIC chips and plenty of legitimate vendors assemble their own cards, selling them under their own brands.
What is not OK is when these cards, like the one from our example above, are marked with a product name from Intel and sold as legitimate parts. That can be harmful. Having personally seen hundreds of these cards, it is easy to spot the fake. The outer box we were shown, along with the card markings, makes it clear the manufacturer of these cards is trying to make them look legitimate. That is not OK.
Our advice: check your NICs carefully when purchasing them through a third-party seller, even if they are well-known. While we covered just about the lowest-end part out there, these cards exist across lines and we have seen even XL710 40GbE cards that cost hundreds of dollars follow a similar pattern.
Look for the Yottamark at minimum before you buy an Intel-brand NIC. If the pricing is too good to be true, then it likely is.
This is good info. If you are going to keep a couple of these handy for backup use, I’d also suggest keeping a PCIe x1 video card in the toolbox as well, since sometimes the only open port on a server is a x1 and the other video options are inoperative. I’ve had good luck with the ZOTAC GeForce GT 710 1GB DDR3 PCIEx1 Low Profile Graphic Card (ZT-71304-20L) which “just works” and supports both standard and low profile slots.
I don’t care if it actually works…same thing goes with wireless cards. If it uses the same drivers/firmware and everything else, and WORKS, who cares? Unless you’re super sensitive about supply-chain/vendor security and what not…
Clone LSI controllers are the same deal. Maybe it’s proof of concept possible to embed root kit in the firmware but it’s unlikely. Being able to re-flash with verified firmware makes that risk basically a non-issue.
Super common on Reddit. Really wish Amazon would block all of these NICs and clearly show “direct from Intel”
I read the i350 one. I got a couple of them and they are super stable. Easiest way I reckon is get ex Dell, HP or other known brand adapters out of servers. This seems to work fine. It’s how I got my LSI controllers.
I want to comment on “We also see “Intel Gigabit CT PCI-E Network Adapter EXPI9301CTBLK” on the middle label, followed by something strange. In a different font and a different size it says “New.” Intel makes new products so it does not label their products as new.”
I guess you’re not very familiar with the inner workings of Amazon.
That’s a marketplace item, it’s an item that some seller sent into an Amazon warehouse, the description comes from the seller, and “new” is the condition. As you can also send in used. That label is printed by the Amazon warehouse, not by the seller or manufacturer of the item.
There’s no way Amazon printed all of those labels.
Another way to spot a counterfeit card is to stick it in a Synology NAS which only accepts genuine models (that happened twice to me with Amazon). The worst is that I understand Amazon doesn’t segregate its own inventory from its marketplace sellers. So it is a bad idea to buy a product for which there are counterfeits from Amazon.
just a pragmatic point of view : if the difference cannot be established programmatically (from within the running system, from the usage and features etc ..) then it does not matter …
if the difference CAN be established, then the article missed the most important detail : how can the counterfeit be established and a return to vendor be motivated. all the visuals, stickers and so on mean nothing as they are relative (the counterfeiters can fix them) and subjective (with the exception of the traces, i cannot see any difference between the above examples)
I didn’t say all the labels.
Just the label in the center. That is an Amazon label that they print when a marketplace seller sends an item to Amazon to be stored in their warehouse for “shipped by amazon” service.
Adrian there’s the iPXE example in the article and one linked to cards failing in the forums. I’d say that matters.
What happens when someone puts a NIC of counterfeit origin into a server and that NIC isn’t just a cheap knock-off but it’s got malicious chips or code? If you’re physically in a PCIe slot, you’ve basically game overed any security you’d hope to have. It’s more dangerous than software malware
Making matters worse with respect to getting a counterfeit product from conflicted Amazon and/or from one of their qualified third party sellers, is that non accountable by design Amazon and ultimately the portal liaison for all of the third party sellers that are represented on their company website and for decades, the elemental problem with selling counterfeit merchandise not a new phenomenon in history with amoral China producing ~60% of the counterfeit products produced thus circulating in the world, refuses to configure their return process to accommodate counterfeit product filings and returns initiated by the customer.
The firm resistance from Amazon, irrespective of stated claims by the disloyal to the USA company, and via inactions by Amazon, in effect “facilitating the distribution of counterfeit products in the USA”, in addition to and predicated from multiple written requests, refusing to produce a customer (menu) initiated process and procedure for handling counterfeit products sold by Amazon. To add insult to injury, there does not seem to be a process to prevent a returned counterfeit product sold by Amazon or third party seller, and needing to be destroyed from being resold to another customer. As for likeminded retailers in the USA, I say heads up.
As for security, the counterfeit product may have a nefarious ASIC that reports to China. I was hacked in a manner I had never seen before or since and what appeared to be at an ASIC level on a Lenovo laptop while sitting in the Executive Lounge at the Shanghai Hilton (Jing An). What was most incredulous about the hacking event is that when I challenged the Chinese about their efforts, they did not deny the hacking attempt.
(For context, I’m an electronics designer and manufacturer…)
Some of these visible details, in particular, the PCB silkscreen resolution and other observations – are certainly useful for identifying that EXACT counterfeit model, but I feel as though it’s worth stressing to others looking to avoid counterfeits that even with genuine Intel (or whatever brand) parts, these details absolutely fluctuate from batch to batch.
The lack of CE and “made in xx” is a more indicative clue. They would absolutely be required on any electronic product made legit. Look out for those. If they’re not there, it’s suspect. Take their placement with a grain of salt however. Manufacturing revisions, and simply supply chain can all affect board layout, silkscreen resolution/quality, and don’t necessarily reflect the capabilities of the provider (in this case, Intel). Simply moving to a different PCB supplier could call for changes in a layout’s placement, colours, quality etc throughout the life of a commercial product.
Thanks for this article btw. Very good to see these things before you buy!
Counterfeits are everywhere, even in high end equipment. I managed to find three HGST SN200 800GB mixed use NVMe SSDs on eBay for about $250 each ($1250ish new). When I contacted HGST for updated firmware for them, they told me 2 of them were OEMed from a Cisco UCS system and one of them had an invalid serial number. The disk itself works fine, had only a couple hundred GB written to it, and was 20% the cost of new so I can’t complain, and it’s for a vSAN homelab anyways. It does make me wonder how much margin there is on high end SSDs.
Aside from being a trademark violation where only Intel has standing against the sellers it’s usually also considered fraud to sell counterfeit products in many jurisdictions.
Both cards have counterfeit CE markings!
1.) Imagine the C and E being part of a perfect circle each. These circles have to overlap without intersecting each other. As you can see, the C and E are too close to each other to be genuine –> fake!
2.) The middle line of the E has to stay shy of the center point of the above mentioned circle. The middle line of the letter E is too long –> fake!
3.) The letters C and E (without middle line) themselves have to extend beyond a half-circle. In the photos above the C and E are at most half-circles –> fake!
==> Both cards must not be traded within the European Union.
To check for yourself Google “CE Marking Guidelines” or visit cemarkings-dot-net –> scroll down –> “The form of the CE mark”.
The running gag at European customs is: CE letters too close => CE = China Export.
Great article! I just ran into it. Fakes are a real problem, especially when security is a real concern. I personally think it is time to start manufacturing NICs in the USA again as the cost difference will be something the market will tolerate for the sake of security.
Very interesting! But three years later we are into late 202, what about an article on i210-AT NICs and their fakes, please?