Recent reports of counterfeit computer hardware from China have once again sparked the discussion on whether we should worry about security risks resulting from using this hardware. Obviously I am referring to counterfeit hardware such as corporate switches and routers from respectable manufacturers such as 3Com and Cisco. These are commonly used by network providers, corporations and of course governments. Apparently copies of these products have shown up that are indistinguishable from the real thing, but are not manufactured by the original manufacturer.
So what kind of security risk would be involved here? If the copies are identical down to the individual parts, we are looking at a change in firmware at the most. Updating the copy with authentic firmware, which is usually possible with switches and routers, could then make it identical to the original in every way, shape or form. This would also remove any malicious code or other backdoors present in the copycat firmware. However, suppose that the copycat hardware is not using 100% identical parts, or that the actual integrated circuits (ICs) are labeled as something they are not? It is entirely feasible to have an IC emulate the functions of another while running a different layer of malicious code. Many of these switches and routers contain field programmable gate arrays (FPGAs), which are basically collections of basic logic gates and functions that can be combined in arbitrary fashion to perform a specific function. It is entirely feasible to mimic this function, and all other I/O associated with it, by using a sufficiently powerful microcontroller. So although an IC might be labeled as a common type of FPGA, it could actually be something entirely different. In case the counterfeit product is not using 100% identical parts, it is entirely possible that it is performing extra functions not found in the original, and who knows to what purpose?
The security risk of using this type of counterfeit hardware is difficult to determine, as we have no idea what the manufacturer's agenda is in this case. Are they merely out to make better revenues by selling counterfeit products? Or is the agenda a little more devious? For example, could the counterfeit products contain backdoors, i.e., can they be controlled by a third party without the knowledge or influence of the system administrator who installs these products in his network? Many switches and routers are connected to the Internet, which makes them reachable by just about anyone in the world. This could mean that with a simple keystroke on a remote computer the switch or router could be disabled, or data could be channeled to an unknown recipient. From a strategic point of view this clearly is a great way to cripple the IT infrastructure of a corporation, organization or government.
Another likely scenario would be the collection of email, user account usernames and passwords, or charting who is emailing whom. All of this would be valuable information in the hands of someone who is in the business of gathering intelligence, whether governmental or corporate. Government secrets could be siphoned away, or corporate insider information could be used for financial gain on the stock market.
So is this threat real? What are the chances of corporations, organizations or the government buying counterfeit hardware? You would think the chances were pretty slim, as large corporations and governments have a solid and established supply line. Well, not quite, as I have been informed that many organizations gather quotes from regular suppliers that compete on pricing. This could very well mean that these suppliers get their merchandise from questionable sources, ending up with counterfeit hardware without their customers even knowing.