Refurbished Security Devices: Mistaken Identity or Deception?

Buying refurbished devices is not uncommon. Online marketplaces, such as eBay, offer a platform for customers to purchase second-hand gadgets at a lower price than the original, but at a higher quality than a used device sold by a private individual. And with today’s supply chain issues and semiconductor bottlenecks, sometimes new equipment is not available, so buying refurbished is the only way for enterprises to expand their infrastructure. Naturally, refurbished devices come with risks, and there are cautionary measures one can (and should) take when buying second-hand gadgets. But what about deception? Say a customer didn’t know the gadget they purchased had been refurbished. What if they thought they were buying a brand new device?

See No Evil

The U.S. Department of Justice has recently charged a man with counterfeiting old, low-model Cisco devices and selling them as genuine versions of new, enhanced and more expensive Cisco devices through various online storefronts, 10 of which operated on eBay. Counterfeiters modified Cisco devices by adding unauthorized components, some of which were designed to circumvent security measures that authenticated the hardware. The level of deception went so deep that it was nearly impossible for customers to question the device’s authenticity and integrity. Speaking of customers, it should be mentioned that buyers of the counterfeit Cisco devices were not naïve, negligent individual consumers looking for a bargain; hospitals, schools, government agencies and the military were among the victims. Let that serve as a reminder that no matter how cautious and alert one might be, there will always be a weak spot for attackers to exploit; in this case, it was visibility. A lack of complete asset visibility meant that the modifications, which would have been a sign that the device was compromised, went undetected. When enterprises unknowingly buy refurbished products and devices, they lack an accurate understanding of their hardware infrastructure; what they think they’re purchasing is not real, and with no mechanism to suggest otherwise, they remain oblivious.

Avoid Deception: Knowledge is Power

When it comes to cybersecurity, knowledge is power. Asset management, access management, policy enforcement, vulnerability management and more depend on visibility and understanding of the networking environment and what gets connected to it. In other words, visibility is the foundation of cybersecurity. If an enterprise does not know an asset’s true identity and risk posture, managing it (at least properly) is simply unfeasible.

Resellers can deceive customers and portray old devices as new products through modifications to the hardware or firmware. These refurbishments are sometimes invisible and could include vulnerabilities and backdoors that go unmanaged. In the case above, low-quality and unauthorized components added to the devices went undetected. These vulnerabilities eventually caused the products and devices to malfunction, resulting in significant damage to the networks and operations of the buyers’ organizations. Considering the nature of the customers’ activities, any disruption to the status quo could have perilous outcomes. Similarly, backdoors provided bad actors with a pathway into an enterprise’s network, through which further malicious activity and deception could take place.

No More Hiding

To avoid unknowingly purchasing refurbished devices, enterprises should always try to buy directly from an authorized dealer. However, compromises to these devices are still possible due to complex supply chain risks. To address the challenge of product tampering in a more foolproof manner, whether the device comes directly from the source or a reseller, enterprises need to focus on achieving complete asset visibility. Partial visibility might as well be no visibility: All it takes is one weak spot for a breach or cyberattack to be successful. Avoiding deception and detecting hardware modifications requires visibility at the hardware level, looking at a device’s physical layer data signals to accurately identify it.

No one likes a fake, and all it takes is looking close enough (in this case, the physical layer) to reveal the truth.

Jessica Amado

Jessica Amado is Head of Cyber Research, researching and covering multiple aspects of hardware-related cyber threats for Sepio Systems. Jessica is a Regent’s University London graduate with First Class Honors in Global Business Management with Leadership and Management and an IDC Master’s in Government with Specialization in Homeland Security and Counter-Terrorism.