FBI Concerned About Implications of Counterfeit Cisco Gear

SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.

The FBI Followed Up With

It's not fair, if people are using the Chineese pre-wiretapped routers, we can't get people to use OUR specially pre-wiretapped routers!

Re:The FBI Followed Up With

Don't Cisco make the routers used in the Great Firewall of China? There's probably just a flag somewhere in IOS saying which government to send the logs to...

Nightmare

This is a complete and utter nightmare, for so many reasons. You start to mistrust the routers in your network, then you should also distrust most of the tools in your arsenal. Can you trust that laptop? What about the chipset in that laptop? Can you trust the copy of GCC you have?

This is going to keep a lot of people awake at night.

Re:Nightmare

This is a complete and utter nightmare, for so many reasons. You start to mistrust the routers in your network, then you should also distrust most of the tools in your arsenal. Can you trust that laptop? What about the chipset in that laptop? Can you trust the copy of GCC you have? This is going to keep a lot of people awake at night.

Indeed. Even if you tried to flash the firmware on your routers to clean them, who is to say the "bad" firmware isn't designed to look like it was flashed, but really do nothing to get rid of any backdoors?

If you can't trust the hardware, you can't trust anything. Scary stuff.

Re:Nightmare

You can only trust software that you have examined the code and compiled yourself, and people you trust who have examined and compiled the code themselves.

I trust neither Cisco nor the FBI.

Re:Nightmare

But can you trust the compiler [cmu.edu]?

Re:Nightmare

I trust neither Cisco nor the FBI.

On an unrelated note, ever since the NSA started giving me free Cisco routers, I can't help but think they're just honest guys trying to help out regular Joes like me.

Re:Nightmare

It's really nothing new, and there is no real solution other than you have to trust someone at some point. For an entertaining paper about this exact problem in the software world, check out "Reflections on Trusting Trust" by Ken Thompson [cmu.edu]

Re:Nightmare

I think you are just getting a dose of turn about is fair play. The CIA and NSA have tampered with electronics being sold to America's adversaries for years. Countries like China and Brazil have zero confidence in Windows because of the possibility of back doors allowing the NSA and CIA access, which is why Linux is so popular in these countries, especially for government use.

I'm not exactly sure why counterfeit Cisco routers are considered more of a security threat than real Cisco routers since Cisco, like a lot of American companies, are outsourcing so much of their hardware manufacture and software development to China. The Chinese government can just as easily put an agent in to any of these companies and slip back doors in to the real products.

All in all this is just the price you pay for exploiting cheap labor in a country that has been a bitter adversary for the last 60 years.

Re:Nightmare

I think you are just getting a dose of turn about is fair play.

I would rather call this unfair play.

The CIA and NSA have tampered with electronics being sold to America's adversaries for years.

I hate USA for forcing the yellow dots [eff.org] "feature" on all colour laserjet printers, making it (almost?) impossible to buy one without, even when I do not live in USA.

I mean, one thing is what a government does to its own citicents; it sort of have authority to do whatever it wants except as limited by international agreements. But one country should not be able to force its own politics upon other countries. Just recently usage of wi-fi has been restricted in Russia [slashdot.org]. What if a country, say Burma, made usage of wi-fi illegal, should then other countries suddenly be forced to make it illegal as well?

As my old HP Laserjet 6L is clearly showing its age on the printouts, I am currently actively searching for a replacement and would like to have a colour laserjet. Does anyone have tips for getting an affordable one, without the yellow dots?

Re:Nightmare

> This is going to keep a lot of people awake at night.

As well it should, because they never should have allowed the production of critical national-security infrastructure components to be outsourced in the first place. Now that they've dug themselves into an impossibly deep hole, they're going to start complaining that the view sucks.

I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise.

Then with that accomplished -- and it would need to be done for every architecture that needs to be secured -- they'd at least have a secure toolset and compiler chain to vet COTS code with. (It goes without saying that any product that doesn't come with source code, and which can't be compiled on a secure compiler and then have that object code loaded in and run, should be immediately removed from the secure infrastructure. It's beyond broken.)

It would be a major effort, and probably a large shift in scope for the agency put in charge of it, but I think the problem is too important to do anything less. The economic, political, and military security of nations is going to rest firmly on electronic infrastructure, and we need to make the trustworthiness of that infrastructure a national priority.

Re:Nightmare

Yeah, I agree 100% here. It will never happen of course, because real, serious threats like this get brushed under the rug while other, spurious ones get an inordinate amount of attention, almost as if to say, he look! we're doing something.

Time for state-sponsored fablabs

I can think and think over it, there seems to be but one solution:
Now is time for US Department of Sensitive Things to stop buying hardware and start buying blueprints. Buy VHDL and CAD files from CISCO, scrutinize them for threats then produce it yourselves.

China is great for cheap production but there is a reason why military approved stuff are more expensive : among other resons, you can't let anyone build them.
And if you want certified and cheap stuff, it is time to begin building robotic factories.

Re:Time for state-sponsored fablabs

Ah, yes. A robotic factory would be a great solution to this problem indeed.
In order to cut the costs to a bare minimum I recommend we order the robots from China.

Not a good decision

The economic integration between North America and Communist China is putting us in a very dangerous position. The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get. Does anybody believe even for a moment that the same people who have committed and facilitated cold-blooded mass murder on a scale we find difficult to imagine will draw the line at a little industrial espionage?

Corporations that are forcing us into closer and closer economic contact with China are making huge profits, and doing a good job of ensuring that our governments obediently facilitate economic integration. For the rest of us, this means stagnant wages and limited opportunities...all in return for access to cheap headphones, lead-poisoned toys and other gimcrackery.

The Chinese government is not our friend, and the argument that exposing them to the joy of capitalism will make their society free is exactly backwards.

Closed Systems and Black Boxes

Security cannot be achieved with closed source or closed hardware. The problem of security is too difficult, so it is best to create a "culture" of security based around a simple set of rules:

1) All software implemented in Network Systems must be open and source code must be peer reviewed on a regular basis.

2)Hardware should be as generic as possible and should be built upon agreed standards so you can mix and match components.

3) Cultural security is laid at the foundations of software and hardware. Once everyone knows the foundations any single individual or group will find it very hard to con an entire community.

Even if they succeed it will not take long for the culture to detect the deception.

Personally, I am glad the Chinese are screwing Cisco. Remember folks, we are talking about the same company that sold the Chinese government a ton of security products to hunt down and kill/torture or imprison political dissidents.

Last year I got rid of the final pieces of Cisco gear in my network and everything is working just fine with Open Source equivalents.

I peer review my own patch updates, and follow the lists carefully as the comminity as a whole deals with coding the upgrades.

I really do know what my routers are doing.

How many here can say that?

-Hack

They should have known it all along.

They should be afraid of the genuine article too. Only free software can be audited, modified and trusted.

Re:They should have known it all along.

If you're a government customer with national security concerns, you can audit the source to commercial products as well. It's frequently a requirement, and the government is too large a customer. Of course, the code stays closed to the general public.

Re:They should have known it all along.

The thing is, if they are auditing the hardware and software, they can as easily validate the fake Ciscos as the real ones. They're made in the same factory by the same people.

If they cannot validate the fake ones, then they should be just as afraid of the real ones.

Re:Ha Ha!

Nice red herring there. We need to put those who want authority over us under a different, much more strict set of rules. It's our only way of protecting ourselves from the all too frequent abuses.

Lost sales aren't the issue for brands.

> The fact that the financial loss they claim is mostly due to fake Rolexes, Channel stuff and the like doesn't help. I mean, how many people who buy a fake Rolex could afford a real one?

That's not the point. The reason the brand owners get their panties in so much of a bunch over the counterfeits isn't because the plebes buying the fakes could actually afford to buy a real one, if they weren't wearing a fake ... it's exactly the opposite. When the flunky working the counter at Blockbuster is wearing a good-as-real Rolex, suddenly the brand isn't worth quite as much, and if you're some hotshot looking to make a statement about exactly how much disposable income you have, maybe you'll go buy something else -- something more difficult to fake, something with more intrinsic value -- instead. That's the real worry for high-end brands. It's not the lost sales, it's the damage to the brand that inevitably occurs when average folks get their grubby little McDonalds-covered paws on them.

Which really just makes those "counterfeits kill" ads all the more ironic; the people those ads are being marketed to are essentially the high-end marketer's enemy. They're the ones who must be denied access to the high-end brands; who must be made to covet without actually being able to possess.

Re:Lost sales aren't the issue for brands.

Oh I agree. But the political pressure -- and I think money as well -- behind the counterfeit-interdiction efforts (at least in the U.S.) is coming from high-end brands. They're using the drugs as a ruse to get attention, but then insisting that inspectors waste time looking for faux Rolexes and handbags.

Fake drugs, aircraft and machine parts, and to a lesser extent IT infrastructure components, are all serious issues. I didn't mean to understate the seriousness of any of them. But there is a huge difference between a counterfeit drug that's actually poison, and a counterfeit handbag that's made without the permission of the trademark-holder. The first represents a clear and obvious danger; the latter is a vague intellectual-property crime at worst. I'm very concerned that enforcement efforts spurred by the former are actually being used for the latter.

Re:Well that's a change

The counterfeit thing is nonsense. The chinese could just as easily modify a non-counterfeit router as a counterfeit one.

The counterfeit hardware isnt really counterfeit, instances like this are usually just the guy who runs the factory keeping it open an hour later than he is telling Cisco and producing a bunch of extra routers that he can sell on the cheap. The counterfeit item itself is typically exactly the same when we are talking about electronics. Its not like they are using completely different designs and slapping the Cisco brand name on it. (I am sure there are exceptions to this that someone will point out but I am speaking in general terms here, this rule applies for most counterfeit electronics)

Sure, we should be concerned because American companies are having their IP that they put a big investment into stolen, but its no less secure to buy a counterfeit router than a non-counterfeit.

Re:Well that's a change

I think you have not heard of counterfeit brake-pads. Counterfeits are a significant danger when they move beyond the more visible realm of watches and bags. I would not be surprised if at least 50% of all manufactured items are subject to counterfeiting and it goes all the way down to mundane but important things like o-rings, cotter pins, bolts, cables, etc.

The problem remains the same whether it is a simple or sophisticated item: something has been compromised. But what exactly? Finish, fit, function? Do you want to gamble your life on it? Your property? Your data?

I don't care about watches and bag. The rest has me concerned.

Re:Someone had to say it

How are you on the internet then? I'd wager a bet that > 50% of the products you use on a daily basis are at least partly made in China.

But back up a minute, since when was China the sworn enemy of the US? If the US didn't trade with countries it viewed with suspicion, then they'd pretty much only be trading with Canada, and even then it'd be a begrudging trade arrangement.