Fake Cisco Catalyst 2960-X Switches
F-Secure had access to a genuine Catalyst 2960-X model along with two counterfeit models. The counterfeits were discovered when they suddenly stopped working with software updates. See if you can guess which one is real and which is fake based on the below three shots.
Fake Cisco Switch Side By Side Internal
Of course, go read the paper (link below) but the one on the left above is the genuine Cisco switch. That requires opening a switch up which few (if any) are going to do. Looking at the exterior of the chassis, there are some subtle differences:
Counterfeit Cisco Catalyst 2960 X Ports
There the markings and LED indicators are off, but only by a small degree. Likewise, below one can see some slight differences as well:
Counterfeit Cisco Catalyst 2960 X Button
The bottom line here is that it would be difficult to tell which switch is genuine and which is not based on the exterior view. Also, these companies are engineering PCB so getting better at exterior color matching and such is a relatively easier problem to solve.
In the paper, the F-Secure team discusses some of the hardware modifications that were made in an attempt to circumvent hardware/ software checks for validity. Here is the most egregiously obvious example:
Counterfeit Cisco Catalyst 2960 X Counterfeit A Bottom Side
That was found on the bottom of the switchboard which is even harder to spot. Realistically, very few take apart a Cisco Catalyst switch to see the bottom of the PCB.
The F-Secure team highlights a few more examples. We wish that they would have had more product photography to see if there were other telltale signs of a counterfeit. The team also goes into detail about how they searched for backdoors in the firmware yet did not find any.
