FBI fears hardware backdoors in US military kit
Published: 14 May 2008 14:40 BST
The US Federal Bureau of Investigation has warned of threats to the US military and critical national infrastructure caused by counterfeit Cisco products.
The counterfeit products could open a hardware backdoor into those systems, warned the Federal Bureau of Investigation (FBI), enabling an attacker, potentially undetected by security software, to gain control of the systems. Counterfeit parts also have a much higher failure rate: one is known to have caught fire in a government network, due to a faulty power supply, warned the FBI.
To make matters worse, the FBI has an "intelligence gap": it does not know whether the fake goods are made for private profit or are state-sponsored, nor the scope of counterfeit-equipment use in the US government. The FBI did warn, however, that there is a threat of IT subversion and supply-chain attack which could cause vital systems to fail, allow access to otherwise secure systems and weaken cryptographic safeguards on government data.
An FBI PowerPoint presentation leaked in April to abovetopsecret.com gave details of an FBI investigation into Cisco routers: "Operation Cisco Router". In the presentation, the FBI detailed how counterfeit Cisco goods from China had made their way into the US military supply chain.
Manufactured in the Shenzhen province of China, the fake Cisco equipment was then supplied directly to the US government through several routes: either directly through US distributors or through those who had bought the counterfeit kit off eBay; through distributors in other countries, including the UK; and through US government employees buying through non-General Services Administration (GSA) approved sources. The GSA is the US federal acquisition agency.
One company was indicted in December 2007 for allegedly shipping counterfeit products from China and selling them to the Marine Corps, the Air Force, the Federal Aviation Administration, the FBI itself, defence contractors, universities and financial institutions. The US Navy and Bonneville Power Administration, which serves the US Pacific Northwest with power, were allegedly sold counterfeit products by another company buying directly from China.
According to a whitepaper by the Alliance for Gray Market and Counterfeit Abatement (AGMA) and KPMG, approximately 10 percent of IT products sold are counterfeit. However, the FBI presentation said that law-enforcement agencies estimate the percentage to be higher.
One commentator on the abovetopsecret.com blog asked why the US government had not employed more stringent supply-chain practices.
"It was quite shocking that the US government would allow second- or third-party sub-contractors to place hardware orders," wrote IchiNiSan. "Why doesn't the US government cut a country-wide deal directly with Cisco or other branded US hardware manufacturers? I'm quite sure, with the total volume combined, they would be much better off than going two [or] three layers down the supply chain, not to mention [mitigating] the security risks."
The FBI presentation said part of the problem lies with government procurement practices, revealing that the government normally searches for the lowest prices for products. A counterfeit Cisco 1721 router costs $234 (£120), while the genuine version costs approximately $1,375. Another part of the problem is that...
Previous
Did you find this article useful?
14 out of 14 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
Full Talkback thread
1 comment
