FBI fears hardware backdoors in US military kit

The US Federal Bureau of Investigation has warned of threats to the US military and critical national infrastructure caused by counterfeit Cisco products.

The counterfeit products could open a hardware backdoor into those systems, warned the Federal Bureau of Investigation (FBI), enabling an attacker, potentially undetected by security software, to gain control of the systems. Counterfeit parts also have a much higher failure rate: one is known to have caught fire in a government network, due to a faulty power supply, warned the FBI.

To make matters worse, the FBI has an "intelligence gap": it does not know whether the fake goods are made for private profit or are state-sponsored, nor the scope of counterfeit-equipment use in the US government. The FBI did warn, however, that there is a threat of IT subversion and supply-chain attack which could cause vital systems to fail, allow access to otherwise secure systems and weaken cryptographic safeguards on government data.

An FBI PowerPoint presentation leaked in April to abovetopsecret.com gave details of an FBI investigation into Cisco routers: "Operation Cisco Router". In the presentation, the FBI detailed how counterfeit Cisco goods from China had made their way into the US military supply chain.

Manufactured in the Shenzhen province of China, the fake Cisco equipment was then supplied directly to the US government through several routes: either directly through US distributors or through those who had bought the counterfeit kit off eBay; through distributors in other countries, including the UK; and through US government employees buying through non-General Services Administration (GSA) approved sources. The GSA is the US federal acquisition agency.

One company was indicted in December 2007 for allegedly shipping counterfeit products from China and selling them to the Marine Corps, the Air Force, the Federal Aviation Administration, the FBI itself, defence contractors, universities and financial institutions. The US Navy and Bonneville Power Administration, which serves the US Pacific Northwest with power, were allegedly sold counterfeit products by another company buying directly from China.

According to a whitepaper by the Alliance for Gray Market and Counterfeit Abatement (AGMA) and KPMG, approximately 10 percent of IT products sold are counterfeit. However, the FBI presentation said that law-enforcement agencies estimate the percentage to be higher.

One commentator on the abovetopsecret.com blog asked why the US government had not employed more stringent supply-chain practices.

"It was quite shocking that the US government would allow second- or third-party sub-contractors to place hardware orders," wrote IchiNiSan. "Why doesn't the US government cut a country-wide deal directly with Cisco or other branded US hardware manufacturers? I'm quite sure, with the total volume combined, they would be much better off than going two [or] three layers down the supply chain, not to mention [mitigating] the security risks."

The FBI presentation said part of the problem lies with government procurement practices, revealing that the government normally searches for the lowest prices for products. A counterfeit Cisco 1721 router costs $234 (£120), while the genuine version costs approximately $1,375. Another part of the problem is that...

The GSA and Cisco also came in for criticism, with the FBI saying there was little or no vetting of vendors or partners by the organisations. It was "gold" and "silver" Cisco partners who had been selling the counterfeit products to the government, said the FBI.

Cisco on Tuesday admitted that some of its partners had sold counterfeit goods but said the majority of its certified channel partners had not sold counterfeit Cisco products. The company instead blamed the "grey market" of semi-legal deals for most of the problems.

"It is important to note that the grey market and unauthorised channel partners account for the vast majority of the purchase and sale of counterfeit Cisco products," John Donovan, managing director of channels for Cisco UK, told ZDNet.co.uk in an email statement. "We actively and closely monitor our certified channel partners regarding this issue and will take strong measures against violators, [up] to and including decertification of a channel partner."

While admitting the problem in the US, Cisco, at the time of writing, had not said how widespread the problem of counterfeit goods being supplied to government was in the UK and in Europe. However, the FBI has been co-ordinating investigations into counterfeit Cisco products in the UK and Germany, according to the presentation.

Cisco did, however, comment on "Operation Cisco Router" in the US.

"Cisco has been extremely active throughout this collaborative effort with the FBI and other federal law-enforcement agencies from day one," wrote Donovan. "We appreciate the hard work by the FBI in this case, as well as the efforts by all law-enforcement agencies, in cracking down on the counterfeit market. In this instance, we have participated throughout the investigation in all aspects, including executing search warrants, [and] we have proactively briefed high-level individuals across multiple agencies so that they are aware of this ongoing challenge in the IT industry, as well as Cisco's co-operation in this particular investigation."

One of the criticisms levelled by the FBI was that Cisco's brand-protection team, which monitors counterfeiting, did not co-ordinate with Cisco's government-sales team. Cisco had not commented on this criticism at the time of writing, instead saying: "As part of our commitment to the integrity and quality of Cisco technology and services, our brand-protection team maintains an on-going, pro-active and company-wide effort to minimise potential damage to our brand and to our customers as a result of counterfeiting."

Cisco said that buyers of equipment purporting to come from Cisco who are concerned about counterfeit products should look for signs, such as prices that seem too good to be true; equipment without a valid software licence, where applicable, or which does not enclose a Cisco warranty; increased failure rates; and packaging that is not original or appears to have been used before or tampered with.

"If you think something suspicious is going on, we encourage you to contact your nearest Cisco office," said Donovan.