How to combat counterfeit network gear

In today challenging business and economic environment, everybody's looking for a deal. Yet there is one "bargain" that network managers should avoid at all costs – low-priced network devices that turn out to be counterfeit.

No competent network manager would intentionally purchase a faux network component, but that doesn't mean it never happens. "If signs of counterfeit parts were obvious, this issue would probably be resolved quickly," says John Loucaides, senior vice president of strategy at security technology provider Eclypsium.

Virtually every type of network device is shadowed by one or more unauthorised doppelgängers. Fake drop-in replacements are particularly prevalent.

"This enables a wide variety of cheaper parts to be used in a non-obvious way, maximising the benefit of providing a counterfeit device," Loucaides says. Sometimes, however, only a single component within a device is counterfeited. "Given a financial motive, this is likely the most expensive part being substituted for a cheaper part," he says.

Routers and switches are perhaps the most frequently counterfeited devices. "A network switch can still appear to do its job, even with inferior internal components or systems that bypass a network's security," says Maria Britton, CEO of trade show attendee advisory firm Trade Show Labs.

Network device counterfeits are abundant simply because they promise a huge financial return on a relatively small investment. In July 2022, the U.S. Justice Department issued an indictment charging a Florida resident with importing and selling counterfeit Cisco networking equipment that, if authentic, would be worth more than $1 billion.

According to the indictment, Onur Aksoy, 38, of Miami, allegedly imported tens of thousands counterfeit Cisco networking devices from China and Hong Kong. The units were then resold to customers in the U. S. and elsewhere, falsely represented as new and genuine. The operation allegedly generated over $100 million in revenue over nearly a decade.

Counterfeit gear raises security concerns

The faux device bought on the cheap might function perfectly well and give no indication that it’s not legit – at least at first. "Often, there's no obvious difference between a normal device and a counterfeit device," Loucaides says. But over time, the device can begin to exhibit degraded performance, unreliable operation and anomalous behaviour.

Network downtime caused by a failed device can cripple an enterprise network for hours or days, depending on the unit's location and role. "Besides quality issues creating a poor network experience, the potential to compromise security and create backdoors is simply frightening," says David Lessin, a director with global technology research and advisory firm ISG.

Loucaides adds that the biggest danger posed by fake equipment is that it may host malicious software or firmware, leaving the network open to attackers, spies, and other types of troublemakers. "Whether it's a nation-state, a botnet, or a ransomware actor, the supply chain has become increasingly appealing for attackers to introduce a hook that allows control, persistence, or disruption of critical networks," Loucaides warns.

And, of course, the company has to incur the financial cost of replacing the defective device with genuine equipment.

How to tell if gear is counterfeit

The most obvious sign that a device may be counterfeit is its price. "Too good to be true is just that," says Lessin. He also urges purchasers to keep a sharp eye out for small details that counterfeiters often overlook, such as packaging design and quality, as well as documentation language.

Most of the legitimate networking vendors offer comprehensive tutorial videos showing how to tell if you're using an authentic product, says Keatron Evans, principal security researcher at security education provider Infosec Institute.

"If you can't verify something as authentic, you should count it as potentially counterfeit," he advises. "Trying to do it the other way around, by looking for signs of counterfeiting, is not as effective because of how rapidly things change."

Unfortunately, for many victims, a bogus component will reveal its true fake identity only after it has been deployed. "Counterfeits are most commonly identified when the device fails," says Mike Mellor, vice president of cybersecurity consulting at managed security services provider Nuspire.

How to avoid buying fakes

The best way to keep fake equipment off the network is to buy directly from the original equipment manufacturer, a certified partner, or a value-added reseller. "Arguably, a significant portion of the 'value add' from a reseller is the assurance of authenticity," Lessin says.

When acquiring hardware from any source, pay careful attention to the item's serial number and, if possible, check it against the manufacturer's database, Britton says. "It can also be helpful to actually look inside network gear to identify any parts that don't look like those in a known authentic unit."

Most vendors apply one or more genuine product-type labels or branding marks to their devices. Look for such tags on packaging, external cases, and internal components, such as circuit boards, Evans says.

Resist the temptation to buy equipment from eBay or other discount online resellers, Mellor says. "Make sure that devices are purchased from an authorised reseller," he recommends. Purchasing from bottom-dwelling resellers is akin to gambling. "The price may be attractive but may cost more in the long-run when the device fails and needs to be replaced."

Loucaides says that his organisation, for internal research purposes, acquired network devices from a random selection of eBay marketers and several other online shopping sites. The results were far from encouraging. 

"Through these acquisitions, we have observed unauthorised transfers of equipment from large corporations, devices that were not as advertised, and devices that contained unexpected components," he says.

Unfortunately, even the most careful shopper can get stuck with a bogus network device. Counterfeits can even be surreptitiously inserted into a manufacturer's supply chain. 

Besides checking the unit's serial number validity, Mellor also suggests updating the device's firmware and software to the most current manufacturer-recommended versions. "Counterfeits often fail when updated," he explains.

Common sense usually wins the day when shopping for network gear. "Make sure you only purchase from trusted third-party vendors or directly from the equipment vendors themselves," Evans recommends.

Steps to take if businesses discover fake parts

Given the dangers involved, it’s never a good idea to continue using a counterfeit network device after it's been discovered -- even if it appears to be functioning normally. Once a fraudulent network device has been detected, it should be immediately isolated and replaced, Loucaides says. "Depending on the context, it may also be necessary for some backup/failover process to be invoked." he says.

Evans recommends activating a three-step action plan. "First, contact your own legal team or representative," he says. "Next, under their direction, and with their guidance, contact law enforcement."

Finally, contact the vendor who supplied the counterfeit equipment. "You will also likely need to work closely with your operations team to coordinate removing the device, or devices, without causing critical service and operations disruptions," Evans adds.

Loucaides also advises alerting the hardware manufacturer to the counterfeit gear. "Provide the details of the vendor you purchased it from and anything else they might need," he suggests.

How to implement anti-counterfeit processes

Networks, by their very nature, are dynamic. An enterprise network is always growing and evolving. Toss in the threat posed by counterfeit equipment and it's easy to see why network leaders need to perform regular hardware and software audits in order to monitor changes and ensure the system’s reliability and security.

It’s simply a good idea, Lessin says. "Even if you followed a safe path, an audit can confirm that nothing counterfeit has been introduced," he says. Relentless network expansion and sprawl makes regular audits even more necessary. "Many network managers are thousands of miles from the assets they are responsible for," Lessin adds.

Strong asset management and supply change risk management practices are also necessary to ensure the acquisition of authentic network devices, Mellor says. These elements are critical components within a strong security program and always a good idea. Maintaining service contracts is also a smart move, Mellor adds. "Manufacturers will not provide a service agreement if they determine the device is counterfeit."

Like a growing number of industry observers, Loucaides believes that counterfeiting isn't limited to only network hardware. "It affects every component inside every device," he states. "It even affects the software, leading to all the interest in the Software Bill of Materials (SBOM)."

Akin to the packaging found on food products that describes ingredients and nutritional data, SBOM is a nested description of software components and metadata that can be used to verify that the software is not counterfeit.

Visibility into all of the hardware and software components that make up a networking device should be the first step toward addressing the challenge of counterfeit gear. Loucaides adds, “We need tools today that work on existing software, firmware, and hardware to detect backdoors and tampering, including counterfeits."