Counterfeit Cisco Hardware Bypasses Security Checks With Modchips

A modchip described in the article - a small PCB with an epoxy blob on it, soldered to the Cisco switch PCB using four thin wires

Some pictures recently surfaced on social media, showing a small PCB tapped into four points on Cisco-branded boards. What is this about? A NSA backdoor so data can be exfiltrated to some third party? Well, that’s theoretically possible, but it’s actually used for bypassing hardware authenticity checks in Cisco hardware being cloned — a sizable industry. Of course, “can’t believe it’s not Cisco” hardware is only valuable insofar that it’s able to run the Cisco software, and that’s where the bodge boards play a major role.

An unidentified IC on the a different counterfeit Cisco board, with markings soldered offA 2020 report by F-Secure details an investigation, comparing three switches marked as Cisco 2960X – one known genuine and two known counterfeits. The counterfeits had the aforementioned implants either soldered to the bottom of the PCB or added to the board as a separate component, and the paper goes into why they’re important for successful counterfeiting.

Apparently, these chips emulate or bypass an I2C EEPROM containing part of the code executed during the boot sequence, and Cisco depends on this EEPROM’s contents for authenticity verification. Cisco software reads the EEPROM twice — once for verification, and once again for actually running it. The microcontroller included on the mod board can return a genuine binary with a valid signature on the first read, and a binary with hardware checks patched out for subsequent reads.

The paper will tell you about way more than this — it’s thorough yet captivating. As you’d expect, it devotes quite a bit of time to comparing genuine and counterfeit boards, showing that the cloning process is pretty to-the-T, save for some part substitutions. For instance, check out the PDF page 12 to see how via locations are exactly copied between PCBs in a bizarre way, or the Cisco file format and authenticity check analysis closer to the end of the report. All in all, the 38 pages of the document make for a fun foray into what makes Cisco authentication mechanisms tick, and what helps clone hardware makers bypass them.

Are such chips ever used for adding backdoors and data exfiltration? There’s no evidence of that, as much as that’s not to be excluded — bypassing anti-cloning protections would make other hijinks more viable no doubt, that said, only hardware authentication bypass measures were found so far. This mechanism also breaks during software updates, and absolutely, leaves some to be desired when it comes to its stated functionality. That said, such fun insights can help us, say, enforce right-to-repair, enable hardware reuse, and thwart many predatory business practices in areas where laws fail us.

32 thoughts on “Counterfeit Cisco Hardware Bypasses Security Checks With Modchips

  1. Can someone educate me: If the boards are counterfeit then why are the chips mounted afterwards in that sloppy manner? Why aren’t they just built into the layout and thereby harder to detect?

    1. I assume that counterfeiting the board “simply” involves a photocopier style device/process.

      That said, in a very distant time back then, we had an electronics shop in our town, where you could buy an Apple II, that was not the real thing but a 100% illegal clone. As far as I understood the process, a real photocopier was involved.

    2. Cisco’s board layout does not include a location or footprint to place the mod, nor traces/pads to connect to it.
      It’s quite possible the counterfeiters don’t have access to the design files, only the production line output.
      Even if they do have the design files, editing them in this way takes effort. Why spend some effort when you can spend none for the same effect?

    3. Possible that the counterfeit boards were made int he same place as the originals, just a different shift or run. Not as likely, but who knows how good Cisco’s supply chain security is.

      Cloned electronics, with hacky looking back doors in them, screams Chinese surveillance.

  2. most of the chips are off the shelf. the board schematics are easy enough to get or reverse engineer. the magic is in the firmware, and protection mechanisms implemented. these might even be unauthorized boards that were rejected, not programmed, and ordered to be destroyed.

    China companies will try to copy anything and everything.

    1. Reminds me of the Nintendo logo on the original GameBoy that comes from the top of the screen every time you turn it on, the logo comes from the cartridge. The GameBoy would first read the graphic data from the cartridge to verify the data matches, then read it a second time to actually display it on screen. If you’re quick enough, logic in the cartridge can read out the original graphic logo to be verified, then switch over and send a different logo graphic for the GameBoy to actually display. Boom, custom boot logo on the GameBoy (don’t know which if any cartridges employ this technique).

      1. Argonaut (who would later go on to develop the Super FX chip and Star-fox alongside Nintendo) used this trick and produced an unlicensed 3D demo for the GameBoy. They took it to CES and showed the guys from Nintendo. The Nintendo people were amazed at both the 3D and the way the Argonaut guys were breaking their copy protection and wanted Argonaut to work with them (the result of which was the Super FX chip and Star-fox). The Game Boy demo they showed Nintendo turned into the Japan-only game X (without the copy protection defeat of course since it was published by Nintendo)

  3. Back in the 90’s, Chinese factories were rumored to be running three shifts, two for Cisco and one for themselves. Part of the motivation for Cisco to use hardware checks is to prevent this type of theft.

  4. The linked tweet and the F-Secure article aren’t recent. They are from July of 2020. Not to mention, I’m pretty sure I was the first person to shed significant light on this in a Reddit post back in early 2016. I updated it in June of 2020 with a link to the F-Secure post. You can find it here: https://www.reddit.com/r/networking/comments/4iwa5f/possible_counterfeit_cisco_equipment_wphotos/

    Unfortunately, I did not have the tools, skills, or experience to do any testing on the chips I found. I am not surprised that Cisco hasn’t been able to do anything about this. My assumption was that these were factory second boards without the keys necessary to run legitimate Cisco IOS. Not sure we will ever know their true source.

  5. Years ago, I worked at a place that made fiber Ethernet transceivers and Cisco was a customer. (Ren worked there too!) And we would use the serial number on the device to generate an encrypted file that was loaded onto each transceiver that made it into a Cisco branded device. It took the price of the transceiver from $100 to $1000. I have often thought if I had been a less ethical person when they closed that facility and kicked us out, I could have taken a copy of the program that generated the encrypted file and bought generic $100 transceivers off eBay and sold them as Cisco branded transceivers for 10x. I didn’t do it though.

    1. If the official Cisco hardware is 10x more expensive than generic ones and Cisco hardware doesn’t provide any advantage to the buyer that compensates for this higher pricepoint, it is a bad investment. In some cases it can even be seen as money sqandering if the money comes from investors/public funds.

      1. Although I don’t dispute that companies like Cisco are raking in the cash, what you’re buying is support, expertise, and a company that does a lot of R&D to push stuff forward.

        For a router in your house, sure use whatever you want – for a router that holds up network services for a billion-dollar company, you want and need the support.

  6. Reminds me of when the communist Russians made a “copy” of a Boeing bomber that had to land there during the war. Afterwards when the US was finally able examine it, they copied it right down to the Boing insignia on the yolk.

    1. Where I used to work we had in some high-end network carrier-grade gear from a big Chinese supplier and the early versions of firmware still spat out “Copyright Cisco Systems” on the terminal when booting.

    2. I’ve heard a similar story. The counterfeit in this instance also duplicated the navy inspection stamps. I believe it was a Pratt and Whitney engine for an aircraft. Possibly the same aircraft.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.