FBI Says Military Had Counterfeit Cisco Routers 186
There are new developments in the case of the counterfeit Cisco routers, which we have been discussing for some time. The NYTimes updates the story after an FBI PowerPoint presentation made its way onto the Web. It seems that experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors. Others don't believe we can be so sure. "Last month, [DARPA] began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency's Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive... The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor... The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords."
And outsourcing.... (Score:5, Interesting)
"Counterfeit" not an issue... (Score:5, Interesting)
In this case, if Cisco is comparing the counterfeit routers to their legit ones, they should always be the same.
The question this doesn't answer is this: does the LEGIT Cisco equipment contain back doors? How can Cisco be sure it doesn't? Most of the components are manufactured offshore and the assembly is done offshore. Have they examined each part with an electron microscope to verify it doesn't do anything more than what the spec says it should do?
They can't just watch for network activity; these routers might be filtering and caching data waiting for the eventual physical removal of the router in the next upgrade cycle -- or, they might all have a kill switch built in, so someone can remotely take out ALL routers. There are an infinite number of possibilities to look for, and since Cisco doesn't manufacture everything in-house, they really don't have much hope of detecting that none of the infinite possible modifications have been made.
Question is... (Score:2, Interesting)
That seems like a logical test, so I have to wonder if they have done it already... or not?
If they contain no backdoors, *THAT WE CAN FIND*, do we continue using them?
Re:We've always been at war with Eurasia (Score:3, Interesting)
Re:This is what we get (Score:3, Interesting)
"Partnership" (Score:4, Interesting)
Re:"Counterfeit" not an issue... (Score:5, Interesting)
You reap what you sow (Score:4, Interesting)
Re:And outsourcing.... (Score:5, Interesting)
As the NSA already seems to be certifying comm. gear in the military (or might even make the chips for it). Perhaps even for other departments like the FBI. I see one possibility of this that the NSA certifies routers (or makes them itself) or at least makes them in the USA. I don't work with routers nor am I familiar with their manufacturer. I guess my last point, pertaining at least to the FBI investigation, would be invalid if Cisco makes some routers in the USA except, as you indicate, for some chipsets. Though even on chipset in itself could pose a significant risk.
I'm just surpised that the FBI is even making a "presentation" to anyone on this; regardless of wether the presentation leaked or not.
Re:"Counterfeit" not an issue... (Score:5, Interesting)
If I did purchase a card or Cisco product that did pass the Andover test, then chances are that it was manufactured on the same assembly line, but then you would most likely see a report of a duplicate mac address on a "genuine" Cisco product somewhere. So yes it's a possibility, but highly unlikely IMHO.
Re:And outsourcing.... (Score:5, Interesting)
How many back doors? Who has the keys? (Score:4, Interesting)
The question is not whether Cisco routers have back doors. That has to be assumed. If I was running NSA over the last several decades, I would have my people deep inside every communication equipment manufacturer. The manufacturers management might not even know about it.
The NSA surely has arranged to have one or more back doors designed into virtually every kind of communications switch. The only Cisco employees who would know about them would be the NSA people who work inside Cisco, and some regular Cisco employees who have been cleared. If this has not been done, the NSA senior managers should be fired or jailed.
The real questions are: How many back doors are there? and who has the keys? The (assumed) NSA back door might not be the only one. There is a possibility that the Chinese or Indian chip-fab or software contractors have also installed back doors for their own governments.
With billion-gate machines, a few thousand extra gates would be hard to see. If the extra logic looks like instruction-cache, but just has a little extra code, it would be almost impossible.
Re:Non free software and offshoring are evil. (Score:2, Interesting)
Deja vu - COCOM, Berlin Wall, anyone?! (Score:1, Interesting)
Some analyst say, that the sudden collapse of the USSR, Berlin Wall etc. was attributed to an American secret service mission, in which CIA secretly supplied the Russians with "smuggled" computer equipments, which were on the COCOM technology embargo list. These computers used rigged chips and in the eighties the US government demonstrated that they contorl key installations by sabotaging an oil transport system - and possibly others. The Russians got into a situation, when they had no idea how deeply their military, etc. infrastructure was compromised without any hope to regain control.
Americans forget very fast. How long do they think, other countries would do the same - especially, if production is sent to a country, which has been known for a long time as the biggest emerging future economic power, which also happens to be ruled by totalitarian political ideology? Is anyone surprized here? It took only a few governments in the USA to fall for the same trojan horse that they used themselves. But who cares, the shareholders are happy. For now.
Re:Fear Fear Fear (Score:3, Interesting)
Having said that - I would agree that counterfeit gear is a real issue with real potential impact.
Re:And outsourcing.... (Score:5, Interesting)
Re:free software distributes the effort. (Score:3, Interesting)
The solution is not to verify every chip, because that's probably impossible. Somebody's going to sneak something in somewhere. The solution is to make all data that travels through the chip unintelligible -- e.g. point-to-point encryption for *all* connections.
Once you encrypt all communications, the biggest security concern becomes the endpoints, not the myriad of things in between.