FBI Concerned About Implications of Counterfeit Cisco Gear

SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.

They should have known it all along.

[gnutoo]

They should be afraid of the genuine article too. Only free software can be audited, modified and trusted.

Re:They should have known it all along.

[evanbd]

If you're a government customer with national security concerns, you can audit the source to commercial products as well. It's frequently a requirement, and the government is too large a customer. Of course, the code stays closed to the general public.

Re:They should have known it all along.

[sjames]

The thing is, if they are auditing the hardware and software, they can as easily validate the fake Ciscos as the real ones. They're made in the same factory by the same people.

If they cannot validate the fake ones, then they should be just as afraid of the real ones.

Lost sales aren't the issue for brands.

[Kadin2048]

> The fact that the financial loss they claim is mostly due to fake Rolexes, Channel stuff and the like doesn't help. I mean, how many people who buy a fake Rolex could afford a real one?

That's not the point. The reason the brand owners get their panties in so much of a bunch over the counterfeits isn't because the plebes buying the fakes could actually afford to buy a real one, if they weren't wearing a fake ... it's exactly the opposite. When the flunky working the counter at Blockbuster is wearing a good-as-real Rolex, suddenly the brand isn't worth quite as much, and if you're some hotshot looking to make a statement about exactly how much disposable income you have, maybe you'll go buy something else -- something more difficult to fake, something with more intrinsic value -- instead. That's the real worry for high-end brands. It's not the lost sales, it's the damage to the brand that inevitably occurs when average folks get their grubby little McDonalds-covered paws on them.

Which really just makes those "counterfeits kill" ads all the more ironic; the people those ads are being marketed to are essentially the high-end marketer's enemy. They're the ones who must be denied access to the high-end brands; who must be made to covet without actually being able to possess.

Re:Nightmare

[demachina]

I think you are just getting a dose of turn about is fair play. The CIA and NSA have tampered with electronics being sold to America's adversaries for years. Countries like China and Brazil have zero confidence in Windows because of the possibility of back doors allowing the NSA and CIA access, which is why Linux is so popular in these countries, especially for government use.

I'm not exactly sure why counterfeit Cisco routers are considered more of a security threat than real Cisco routers since Cisco, like a lot of American companies, are outsourcing so much of their hardware manufacture and software development to China. The Chinese government can just as easily put an agent in to any of these companies and slip back doors in to the real products.

All in all this is just the price you pay for exploiting cheap labor in a country that has been a bitter adversary for the last 60 years.

Re:Nightmare

[Kadin2048]

> This is going to keep a lot of people awake at night.

As well it should, because they never should have allowed the production of critical national-security infrastructure components to be outsourced in the first place. Now that they've dug themselves into an impossibly deep hole, they're going to start complaining that the view sucks.

I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise.

Then with that accomplished -- and it would need to be done for every architecture that needs to be secured -- they'd at least have a secure toolset and compiler chain to vet COTS code with. (It goes without saying that any product that doesn't come with source code, and which can't be compiled on a secure compiler and then have that object code loaded in and run, should be immediately removed from the secure infrastructure. It's beyond broken.)

It would be a major effort, and probably a large shift in scope for the agency put in charge of it, but I think the problem is too important to do anything less. The economic, political, and military security of nations is going to rest firmly on electronic infrastructure, and we need to make the trustworthiness of that infrastructure a national priority.

Re:The FBI Followed Up With

[TheRaven64]

Don't Cisco make the routers used in the Great Firewall of China? There's probably just a flag somewhere in IOS saying which government to send the logs to...

Re:Well that's a change

[jorghis]

The counterfeit thing is nonsense. The chinese could just as easily modify a non-counterfeit router as a counterfeit one.

The counterfeit hardware isnt really counterfeit, instances like this are usually just the guy who runs the factory keeping it open an hour later than he is telling Cisco and producing a bunch of extra routers that he can sell on the cheap. The counterfeit item itself is typically exactly the same when we are talking about electronics. Its not like they are using completely different designs and slapping the Cisco brand name on it. (I am sure there are exceptions to this that someone will point out but I am speaking in general terms here, this rule applies for most counterfeit electronics)

Sure, we should be concerned because American companies are having their IP that they put a big investment into stolen, but its no less secure to buy a counterfeit router than a non-counterfeit.