Some pictures recently surfaced on social media, showing a small PCB tapped into four points on Cisco-branded boards. What is this about? A NSA backdoor so data can be exfiltrated to some third party? Well, that’s theoretically possible, but it’s actually used for bypassing hardware authenticity checks in Cisco hardware being cloned — a sizable industry. Of course, “can’t believe it’s not Cisco” hardware is only valuable insofar that it’s able to run the Cisco software, and that’s where the bodge boards play a major role.
A 2020 report by F-Secure details an investigation, comparing three switches marked as Cisco 2960X – one known genuine and two known counterfeits. The counterfeits had the aforementioned implants either soldered to the bottom of the PCB or added to the board as a separate component, and the paper goes into why they’re important for successful counterfeiting.
Apparently, these chips emulate or bypass an I2C EEPROM containing part of the code executed during the boot sequence, and Cisco depends on this EEPROM’s contents for authenticity verification. Cisco software reads the EEPROM twice — once for verification, and once again for actually running it. The microcontroller included on the mod board can return a genuine binary with a valid signature on the first read, and a binary with hardware checks patched out for subsequent reads.
The paper will tell you about way more than this — it’s thorough yet captivating. As you’d expect, it devotes quite a bit of time to comparing genuine and counterfeit boards, showing that the cloning process is pretty to-the-T, save for some part substitutions. For instance, check out the PDF page 12 to see how via locations are exactly copied between PCBs in a bizarre way, or the Cisco file format and authenticity check analysis closer to the end of the report. All in all, the 38 pages of the document make for a fun foray into what makes Cisco authentication mechanisms tick, and what helps clone hardware makers bypass them.
Are such chips ever used for adding backdoors and data exfiltration? There’s no evidence of that, as much as that’s not to be excluded — bypassing anti-cloning protections would make other hijinks more viable no doubt, that said, only hardware authentication bypass measures were found so far. This mechanism also breaks during software updates, and absolutely, leaves some to be desired when it comes to its stated functionality. That said, such fun insights can help us, say, enforce right-to-repair, enable hardware reuse, and thwart many predatory business practices in areas where laws fail us.
