Producing counterfeit products is, and always was, a great business if you don't mind being on the wrong side of things. No need to invest in a costly R&D process, no need to select the best performing and looking materials; the only criterion is the cost of manufacture. This is why we see a lot of counterfeit products on the market, and will likely continue seeing them being made and sold at a fraction of the price of the original. Network hardware designed, manufactured, and sold by Cisco is a very good example. Having an excellent reputation due to great engineering, these products sell at a premium price point. Naturally, this motivates people to attempt producing counterfeits to try and make easy money.
In fall 2019, an IT company found some of its network switches failing after a software upgrade. The company would later find out that it had inadvertently procured suspected counterfeit Cisco equipment. The hardware failure initiated a wider investigation, in which the F-Secure Hardware Security team was called in and asked to analyse the suspected counterfeit Cisco Catalyst 2960-X series switches and, primarily, to provide evidence as to whether any kind of "backdoor" functionality existed in those devices.
As it is not trivial to tell genuine and counterfeit devices apart, verifying the absence of "backdoor" functionality is not trivial either; it requires a considerable amount of technical investigative work. Ultimately we were able to reach the conclusion, with a reasonable level of confidence, that no backdoors had been introduced. Furthermore, we identified the full exploit chain that allowed one of the forged products to function: a previously undocumented vulnerability in a security component that allows the devices' Secure Boot restrictions to be bypassed.
This paper details the process which led to the conclusion and aims to share the technical knowledge the team gained during this journey.