by Gary Audin
The N.Y. Times headline on May 9, 2008 reads, “FBI Says the Military Had Bogus Computer Gear.” This did not make me feel comfortable. The idea that the equipment, mainly Cisco knockoffs, has been employed in government networks should alarm not only the operations staff but the security people as well.
The Alliance for Gray Market and Counterfeit Abatement and a KPMG white paper believe that 1 in 10 IT products sold are counterfeit. Using this number, there is about $100 billion of counterfeit product out there.
Counterfeiting is the manufacturing and/or selling of unauthorized copies of merchandise. In the case of high technology, the copied products may include individual components, whole parts, finished product, packaging, documentation and software. Even the cartons and boxes that finished goods are shipped in can be counterfeit.
These products are initially sold through tightly-held broker networks established by the counterfeiter. Many times the products will then enter the gray market, thereby causing confusion. This leads to a higher risk that distributors, channel partners and end users may purchase and receive non-genuine goods. The N.Y. Times article stated, “Counterfeit products are a routine threat for the electronics industry. However, the more sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or network router and allowing attackers clandestine access or control, was raised again recently by the Pentagon and FBI. The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States.”
There were a total of 36 search warrants executed from a two-year investigation. The FBI said this resulted in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million.
Cisco has investigated the counterfeit products but could not find any backdoor that would breach security. In my opinion this statement should have ended with, “At this time.” Cisco believes the counterfeit product makers were after money, not breaking security. The cost of a real model 1721 router for the government is $1,375. The counterfeit sold for $234. If it’s that cheap then it must be made cheaply.
The idea of breaking security by embedding code on the chips has already been demonstrated by a group of computer scientists at the University of Illinois. They presented a conference paper that detailed how the scientists modified a Sun Microsystems SPARC processor by altering the data on the chip. This chip has nearly 1.8 million circuits and is used in automated manufacturing. How do you detect a small number of added functions in such a chip?
Think of the security vulnerability this way. Would it not then be easy to cause traffic flow problems or even to jam the operation of a network? Could packets be sent to the wrong destination? How about gaining unauthorized access to computers?
The N.Y. Times article also provided a link to the internal FBI PowerPoint presentation, “FBI Fears Chinese Hackers Have Back Door into US Government and Military,” leaked to the website Above Top Secret. It contains a map of all the locations in the U.S. where the FBI discovered the counterfeit IT equipment.
The Cisco equipment included:
- Routers with models in the 1000 and 2000 series.
- Switches with model numbers WS-C2950-24 and WS-X4418-GB (for the CAT4000 series).
- Gigabit Interface Converter (GBIC) model numbers WS-G5483 and WS-G5487.
- WAN Interface Card (WIC) model numbers WIC-1MFT-E1, WIC-2MFT-G703 and WIC-1DSU-T1-V2.
The presentation pointed out that Cisco Gold and Silver partners were the ones that purchased the equipment and then sold it to the government and defense contractors. Unfortunately, Cisco’s brand protection does not coordinate with Cisco’s government sales, exacerbating the problem. Cisco sells indirectly through five major distributors, two of which, Comstar and Immix, sell to the government through GSA contracts. The only exceptions for direct sales are for highly-specialized equipment sales such as to intelligence community agencies and large telecom providers. The typical enterprise also buys its Cisco equipment through distributors.
The FBI presentation cited multiple cases of how the products entered the supply chain. eBay is one of the common distribution methods. Reputable distributors were also fooled and sold the equipment.