FBI Concerned About Implications of Counterfeit Cisco Gear

SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.

FUD

[conan1989]

presume FUD until given proof. and check the source of any "proof" too, never trust those who stand to gain

Re:Lost sales aren't the issue for brands.

[Anonymous Coward]

There was an interesting article in Science News a couple of weeks ago about fake drugs from China - apparently up to 40% of the malaria and other drugs sold in Asia are fakes. The article talked about how they traced some to a factory in China that they shut down. But "fakes kill" could be a real message here if these drugs either do nothing or are just contaminated.

Re:Nightmare

[Kadin2048]

> This is going to keep a lot of people awake at night.

As well it should, because they never should have allowed the production of critical national-security infrastructure components to be outsourced in the first place. Now that they've dug themselves into an impossibly deep hole, they're going to start complaining that the view sucks.

I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise.

Then with that accomplished -- and it would need to be done for every architecture that needs to be secured -- they'd at least have a secure toolset and compiler chain to vet COTS code with. (It goes without saying that any product that doesn't come with source code, and which can't be compiled on a secure compiler and then have that object code loaded in and run, should be immediately removed from the secure infrastructure. It's beyond broken.)

It would be a major effort, and probably a large shift in scope for the agency put in charge of it, but I think the problem is too important to do anything less. The economic, political, and military security of nations is going to rest firmly on electronic infrastructure, and we need to make the trustworthiness of that infrastructure a national priority.

Don't forget Huawei

[HockeyPuck]

http://www.theregister.co.uk/2004/07/29/cisco_huawei_case_ends/ [theregister.co.uk]

While Cisco dropped this lawsuit claiming "a victory for the protection of intellectual property rights."

This was after Huawai photocopied IOS Configuration guides and "portions of its IOS source code found its way into Huawei's operating system for its Quidway routers and switches. Cisco claimed the Huawei OS included text strings, files names and bugs that were identical with Cisco's IOS source code. The suit alleges that Huawei is infringing at least five Cisco patents."

*RING BELL* Round 2

It gets worse

[WindBourne]

China in return agreed to allow their money to float free, but created "the basket" that they then control to an unknown formula. Considering that yuan has gone up a whopping 17% against the dollar over 5 years, while most other moneies have gone up more than 100%, it says a lot. In addition, they were required to drop their tariffs over 2 years ago (they asked for 5-7 years). We are now pushing 8 and they are asking for another 3-5 years of them.

The good news is that EU has seen what has happened to us and is pushing several issues; 1) the chinese firewall and the tariffs 2) the money issue 3) the carbon issue. As such, they are about to slap a major carbon tax on everything based on their Point of origin as well as a tariff against chinese good because of the firewall and tariffs.

Re:Well that's a change

[rbanzai]

I think you have not heard of counterfeit brake-pads. Counterfeits are a significant danger when they move beyond the more visible realm of watches and bags. I would not be surprised if at least 50% of all manufactured items are subject to counterfeiting and it goes all the way down to mundane but important things like o-rings, cotter pins, bolts, cables, etc.

The problem remains the same whether it is a simple or sophisticated item: something has been compromised. But what exactly? Finish, fit, function? Do you want to gamble your life on it? Your property? Your data?

I don't care about watches and bag. The rest has me concerned.

Re:Nightmare

[evanbd]

How much more tax money are you willing to spend? 10x? 100x? What about for the stuff that's important, but not national security important? Are you willing to live with the fact that the results will cost 100x as much and be 1/10th the speed? The government has been there and done that, at least for some sorts of components, and decided it couldn't afford to. Now, they might be wrong, but they might not be. It might be cheaper and easier to attempt to make the commercial gear secure, realize that won't completely work, and deal with the occasional problem -- even at a national security level. After all, there are national security implications to being unable to afford as much equipment as you can make use of... and it's entirely possible it's better to have the occasional huge security problem than to have nothing worth securing.

The right solution is defense in depth, multiple vendors, and a whole host of other, more mundane techniques. As long as one security hole, even widespread, can cause only limited damage, it's possible to contemplate dealing with it when it appears.

Re:Nightmare

[wprowe]

Are we sure this isn't already being done in some way? Perhaps not in the exact manner you describe. Why assume they are not already working with these hardware and software manufacturers?

DOD has PP on this too.

[Anonymous Coward]

I have seen come across my email at work with similar warnings. I know that the military has identified how to distinguish the difference in the counterfeits and has taken steps to keep them from being added to the networks, it is worrisome however because they are trying to get them into DOD networks.

Re:Lost sales aren't the issue for brands.

[Kadin2048]

Oh I agree. But the political pressure -- and I think money as well -- behind the counterfeit-interdiction efforts (at least in the U.S.) is coming from high-end brands. They're using the drugs as a ruse to get attention, but then insisting that inspectors waste time looking for faux Rolexes and handbags.

Fake drugs, aircraft and machine parts, and to a lesser extent IT infrastructure components, are all serious issues. I didn't mean to understate the seriousness of any of them. But there is a huge difference between a counterfeit drug that's actually poison, and a counterfeit handbag that's made without the permission of the trademark-holder. The first represents a clear and obvious danger; the latter is a vague intellectual-property crime at worst. I'm very concerned that enforcement efforts spurred by the former are actually being used for the latter.

Re:Someone had to say it

[MrNaz]

How are you on the internet then? I'd wager a bet that > 50% of the products you use on a daily basis are at least partly made in China.

But back up a minute, since when was China the sworn enemy of the US? If the US didn't trade with countries it viewed with suspicion, then they'd pretty much only be trading with Canada, and even then it'd be a begrudging trade arrangement.

Re:Not a good decision

[tinkerghost]

The Chinese government has a well-documented history of utter ruthlessness, and will happily steal and duplicate every technological edge it can get.

When I was working w/ a company that made security Holograms for UL, one of our R&D people went to Bejing, where they happily showed him the R&D Hologram lab, where they were trying to duplicate our security Hologram. They also were more than happy to show him samples of a dozen or so other holograms they had already cloned.

From his description, they were rather proud to be making such good forgeries.

Quality Assurance for Authenticity

[c0d3r]

One round through Cisco's Quality Machine should be more than sufficient to test the authenticity of counterfeit products, probably even from anywhere on the internet. I worked on some of there test automation systems and they chart how much is automated, the results and even where the problems occured and by whom.

It's even worse than that....

[Anonymous Coward]

Govt security managers and auditors are being ordered by their PHB bosses to give out passing grades on systems than cannot pass muster. And this is under duress of losing their jobs if they don't do as ordered, but they're still held responsible for any security breaches. In essence, the security managers are being forced to bear full responsibility while at the same time being stripped of the proper authority needed to conduct their jobs.

Re:Nightmare

[ZorroXXX]

I think you are just getting a dose of turn about is fair play.

I would rather call this unfair play.

The CIA and NSA have tampered with electronics being sold to America's adversaries for years.

I hate USA for forcing the yellow dots [eff.org] "feature" on all colour laserjet printers, making it (almost?) impossible to buy one without, even when I do not live in USA.

I mean, one thing is what a government does to its own citicents; it sort of have authority to do whatever it wants except as limited by international agreements. But one country should not be able to force its own politics upon other countries. Just recently usage of wi-fi has been restricted in Russia [slashdot.org]. What if a country, say Burma, made usage of wi-fi illegal, should then other countries suddenly be forced to make it illegal as well?

As my old HP Laserjet 6L is clearly showing its age on the printouts, I am currently actively searching for a replacement and would like to have a colour laserjet. Does anyone have tips for getting an affordable one, without the yellow dots?

Re:They should have known it all along.

[sjames]

The trouble is they can't validate EVERY unit they buy. They test out one model number and firmware revision and then expect every unit like that to be identical. With Fakes the assumption is no longer valid.

The only difference between the fakes and the real thing is a contractural arrangement. They can't trust the real Cisco products made at the same factory by the same people any more than they trust the fakes.

Sounds like they should demand infrastructure componants made in the U.S.

Re:Well that's a change

[sleigher]

Awesome, way to take what I said and change the meaning. I never said I hated foreigners. I was pointing out that Americans have lost 1 million jobs in the last year alone. I have no problem with foreigners but is it not my duty as a citizen of a nation to want my fellow citizens and my country to prosper? You should be working for one of these presidential campaigns. You seem good at taking a statement someone says and making it mean something entirely different.

Re:Lost sales aren't the issue for brands.

[Cramer]

Then they aren't very good experts. Spotting chinese fakes isn't impossibe. None that I've ever seen are 100% exact knock offs of genuine cisco hardware. There's always something out of place... unlabeled blackmarket chips -- every chip used by genuine cisco hardware has part and serial numbers on them, serial number labels in odd locations, odd looking serial numbers, unregistered serial numbers (yes, cisco has a database of every device they've ever made -- I've looked up AS-51's), no holofoil, etc., etc. Granted, it's rare for them to be so bad at making fakes that you can take one look at it and immediately know it's a fake. (if it's that obvious, they fix it in the next batch.)

Re:Nightmare

[Lord Ender]

they never should have allowed the production of critical national-security infrastructure components to be outsourced

If we built these things in America, we would have to raise taxes to pay for them, producing jobs, improving national security, and lowering the trade deficit along the way.

How any jesus-loving American think raising taxes is ever a good idea? What are you, one of them durn libruls?

Why do you like assembling jobs better?

[Anonymous Coward]

In a sense, what we have exported over to China the assembling jobs. "Made in China" should be more appropriately call "Assembled in China." Yeah... your iPod and Cisco routers are assembled in China; but all key components -- the VLSI chips -- are made in the U.S. What the Chinese workers do are just to put them together.

I don't know about you but I think these lines of work are just as low as the McDonald's jobs, and not glorifi-able at all. And it is just not much different than having automated robots do that. At the dawn of industry age, there were attcks against machines by workers. You don't mind the machines just because you are an engineer who (indirectly) sell the machines, rather than the one being replaced by the machines.

In fact, due to the low level (but not absence) of IP protections in China, businesses -- foreign or domestic -- are the ones who become very careful in revealing IPs over there.

I think you, as an engineer, should really start worrying when their IP protections become strong, because that's the time more real IP works will be done in China. So be careful what you wish for.