For anyone trying to spot counterfeit products in general, a good place to look is at the FCC logo. On the counterfeit card in the article the FCC logo is wrong. The real logo ends with two concentric circles with a pie-slice out of them forming the "cc" while the counterfeit logo clearly has a different shape.
Though I can't see an FCC logo in the different article's photos. (I also can't see an FCC logo on the different model of supposedly-Intel quad-gigabit PCIe card of mine I just looked at.)
It's a general quick way to check, it'll not always work. A bodged FCC logo means it's almost certainly a counterfeit. A proper or missing FCC logo means near nothing. I just noticed the bodged FCC logo in the original article, that's all.
sometimes you can spot similar shenanigans based on the CE logo but that's more rare.
Thanks. Sometimes, with counterfeits of various kinds of electronics products, I've wondered whether there was ever an intentional telltale indicator. So that country or other entity never accidentally got a counterfeit into a supply chain where they really didn't want it to be. (For example, not into the parts supply chain of a high-profile device manufactured there. Nor to ruin domestic markets for prestige luxury brand products, or other products for domestic consumption for which quality/integrity is considered very important.)
Coincidentally, I just put a used intel gb ct up for sale, along with an unrelated note to the fcc. I’ll double check the nic now to confirm authenticity. My voice is my passport. Verify me.
Maybe it is just me, but I fail to see any evidence that a counterfeit card is necessarily a security risk.
It is IMHO more likely that it has inferior performance or even more probably a shorter lifetime due to inferior quality of components and/or sub-standard manufacturing.
About the:
>When our reader tried using iPXE, a network booting tool, with the NIC, it failed even though genuine cards work without issue.
knowing how picky PXE and iPXE are, I would like to see some details of the tests performed.
Since the actual reproduction of markings was so poor, and given that the actual PCB traces run differently, it is likely a no-brand or "bulk" item marked as Intel, as an example, have a look at this one:
It's pretty easy to salt the firmware with malware if you are the company making counterfeit NICs. This makes them very necessarily a major security risk.
>Maybe it is just me, but I fail to see any evidence that a counterfeit card is necessarily a security risk.
Even if it isn't a security risk from a data theft/malicious code standpoint, it could be substandard in quality and be exponentially more likely to fail.
A failure could just be an annoyance, taking Jim Bob's pornoputer off the home network and causing him to be unable to connect to the YouPorns until his nephew can come fix the boobie-box.
A failure however could take down a mission-critical computer in an emergency response center where even minutes could mean the difference in life or death for someone. Substandard components could also result in a fire, perhaps not in a NIC, but larger capacitors in something larger could overvolt and catch fire.
Worse, I've long had the thought that a hostile government could create ICs that effectively brick themselves when they receive a certain command. With a NIC, in theory, you could have the NIC radio home a small packet occasionally to report the IP. With the list of IPs you could very casually probe which of a handful of pre-determine ports are open, you could get tens of thousands, or even millions, of these chips in the wild looking perfectly normal just waiting for a command. Then say as a foreign government you want to launch an attack on the United States, you filter all the IPs in your database by location, which will remove the bulk of the machines in other countries from the list, and you have a bunch of servers in a bunch of countries get segments of the IP list and they start sending the kill signal at the same time (and if you get really crafty you make the compromised hardware actually start a timer before it bricks, so you can get the instruction out to as many as possible before the bricking causes widespread disruption of the internet). If you've waited long enough you'll have your trojan horse IC in businesses, homes, government offices of varying levels. If you manage to get even 100,000 taken offline, you've probably caused enough disruption to impact the NYSE as well as cause a good deal of disruption and mayhem. You may have even taken mission critical systems offline at power generation and transmission facilities. You've caused some economic damage at a minimum and based on how things go down you may have just made it much easier to launch a physical attack, especially if you have already trickled special forces soldiers into the country on tourists visas or via smuggling routes (United States special forces actually train to go into countries ahead of common forces to cause disruption and/or train local resistance) and can cause further disruption by causing mass panic with shootings/bombings/attacking first responders.
There is more to it than "oh someone can spy on my data now".
>especially if you have already trickled special forces soldiers into the country on tourists visas or via smuggling routes (United States special forces actually train to go into countries ahead of common forces to cause disruption and/or train local resistance) and can cause further disruption by causing mass panic with shootings/bombings/attacking first responders.
Exactly how does this work? Wouldn't this require your troops to somehow blend into the populace and not stick out like a sore thumb? If the US were planning to invade Germany or Britain, this would work fine, but for some other parts of the world (esp. east/SE Asia), US special forces are going to be instantly recognizable as foreigners because they generally don't look anything like the locals.
> but for some other parts of the world (esp. east/SE Asia), US special forces are going to be instantly recognizable as foreigners because they generally don't look anything like the locals.
Not everyone in the United States is a blond haired, blue eyed white person.
Also, simply adopting the local dress is often enough in many countries where immigration has been a thing for decades now. You also can adopt local hair styles, this is why you'll see a lot of the special forces community with long hair and beards in Afghanistan and similar countries.
If you dress the part, walk the part, speak the part (the DLIFLC alone teaches 24 languages) you can blend in to a city pretty easily. Will you stand out like a sore thumb in a remote village, almost certainly, can you stroll through a town of tens of thousands of people with very little attention paid to you, usually.
With previous U.S. actions though it is usually go into a country mostly-overtly and just train local fighters (or fly them to the United States for training) but the Special Forces community has many instances of infiltration in advance of regular military units, as well as ongoing humanitarian efforts (which helps build awareness of local cultures and customs and dialects). Green Beret medics for example have been used in multiple African countries to provide medical aid, just doing general health checkups on villages and the like, a buddy of mine that was an 18D (Army - special forces medical sergeant) mentions it in his book Love Me When I'm Gone (by Robert Patrick Lewis) as well as a lot of training with foreign military in their country, in his case Germans.
---
Say the Asian country of Makebeleivia wanted to get special forces in place into a country that was largely caucasian prior to a proper attack to disrupt. How do they do it? You send some people in as tourists on various commercial flights, you can use multi-national companies you control or have some coercion over to bring workers over on work visas (and might actually do work for weeks or months), you get some in on student visas, you can pay coyotes to sneak some in, you can sneak some in yourself if there is a coast by deploying them via submarine and having them slip into tourist towns as tourists or with fake identification. Then you use any number of means to arm them with conventional firearms and if you want to cause mayhem you have your demolitions experts cook up crude explosives. The purpose here would be to create panic and tie up first responders, this also puts the national government agencies on edge thinking there is some sort of terrorist attack and is more likely to distract than make them think "oh hey a military invasion might be underway". You can either go after relatively 'usless' targets like crowded public places or you can go after more strategic targets like damns, ill-protected power plants, substations, key bridges in and out of large cities or bridges that create strategic issues for moving heavy equipment, etc.
---
A somewhat good example of foreign agents operating on foreign soil, although in a different capacity, is Mossad. They've done a lot of kidnappings on foreign soil to bring war criminals back to stand trial, assassinations abroad, kidnapping defectors to stand trial, etc
One of the more high profile things Mossad has done is going after Black September, for the Munich bombings. The 2005 film Munich is about this.
Also, Sayeret Matkal, which is basically Israeli's Delta Force - they've sabotaged airliners, done kidnappings and raids, assassinations, done physical evidence gathering in Syria.
Sure, could, may, it is possible, it is easy, etc., but nothing that proves specifically that the specific counterfeit NIC is actually a risk.
As the article says, a compromised NIC is a security risk, but no proof of that NIC being compromised (nor that it is actually easier to compromise it).
And I would expect that an hostile government would have their own counterfeit NIC's:
1) better copied/marked/silkscreened
2) gave iPXE working on them exactly like the originals
i.e. not easily recognizable.
Even more specifically, I seemingly quickly found on Alibaba a "legitimate" NIC (in the sense that has no fake Intel marks) that looks very like the given specimen.
So the counterfeiters can buy those and put the fake Intel markings on them, reselling them for double or triple the cost, why would they change anything else?
A PCI express card can use Bus Mastering to gain read/write access to main memory, bypassing the CPU. Counterfeit hardware running arbitrary code that has Direct Memory Access can do anything. Its much worse than running an arbitrary binary on the Operating System. If you accept that running random binaries is a security risk, than running counterfeit hardware that runs arbitrary software is a greater risk!
>If you accept that running random binaries is a security risk, than running counterfeit hardware that runs arbitrary software is a greater risk!
Undoubtedly, what is IMHO missing is any proof that the counterfeit hardware (besides being likely of inferior quality) is actually running arbitrary software.
And thats the challenge, you can't ever really know that the firmware, or even the logic implemented in silicon is identical. You don't need evidence that it is different, it is impossible to know, one must assume it could be, thus a security risk.
Yes, you can, that's what driver signing is for on the OS side. An authentic driver can then tell if it's talking to a counterfeit firmware. In the early days of the Xbox 360, the first hack was to modify the DVD drive firmware so that it would disable the security check that validates authentic Xbox discs and you could play burned games. After a while, Microsoft figured this out and started banning consoles. How did they do this? They simply compared the firmware images and detected a different checksum. There's no real good way to hide this because different code produces different binaries which is what firmware is. If you can flash the drive then you can read its memory and see it's not original.
To give an analogy, if we are both running a calculator app that should be identical, but your call stack looks vastly different after we do identical operations, something is fishy.
I doubt intel is doing that in this case, as we’re talking about a NIC and not a DRM enforcement mechanism.
...but even if they are, checking a firmware checksum only mitigates risk if you otherwise trust the hardware.
Counterfeit silicon could report back whatever your driver wants to hear. And even the presence of a a genuine intel chipset with genuine firmware doesn’t mean there isn’t a malicious component elsewhere on the board.
There’s tons of counterfeit silicon out there.
Most of them are just cheap approximations or copies of premium components with the motive to make a profit on their sale, but there’s not much preventing any of them from intentionally or unintentionally compromising their hardware.
The popularity of programmable silicon and the standardization of silicon package sizes make this super cheap and easy to do as well.
A good risk assessment starts by evaluating possible attack vectors before they’re exploited. If you wait until they’re actively exploited, you might find yourself dealing with an incident response instead.
Another big component of risk is trustworthiness. You might evaluate a vendor’s reputation, test/qa processes, support channels, and the legal environment they operate in. If you don’t even know who the vendor is, that’s a big barrier to establishing much trust.
Not necessarily. Validating the authentication labels on a device might give someone enough confidence they can trust it for their particular threat model. While resellers add a definite uncertainty to the security of the supply chain, I think most people would find them to be more trustworthy than a counterfeiting manufacturer.
Will official Intel drivers work on a counterfeit card? It seems like Intel would bake some authentication into the drivers and authentic hardware such that the drivers would not work if the card is counterfeit.
In this case, are you saying the answer is "Yes, official Intel drivers will work on a counterfeit card," and it is not possible for Intel to include anything in the driver or hardware that can perform authentication? I was asking because I don't know.
They could but its simply too expensive to add something like a secure enclave to a device this cheap. Maybe on your high-end 10-100 GBe adapters that sell for 100s of dollars, it makes sense. I just don't think they are aware of the problem to the degree that they would make such big changes.
25 comments
[ 3.2 ms ] story [ 66.6 ms ] threadThough I can't see an FCC logo in the different article's photos. (I also can't see an FCC logo on the different model of supposedly-Intel quad-gigabit PCIe card of mine I just looked at.)
sometimes you can spot similar shenanigans based on the CE logo but that's more rare.
It is IMHO more likely that it has inferior performance or even more probably a shorter lifetime due to inferior quality of components and/or sub-standard manufacturing.
About the:
>When our reader tried using iPXE, a network booting tool, with the NIC, it failed even though genuine cards work without issue.
knowing how picky PXE and iPXE are, I would like to see some details of the tests performed.
Since the actual reproduction of markings was so poor, and given that the actual PCB traces run differently, it is likely a no-brand or "bulk" item marked as Intel, as an example, have a look at this one:
https://italian.alibaba.com/product-detail/pci-e-pci-express...
It seems a lot like it.
Even if it isn't a security risk from a data theft/malicious code standpoint, it could be substandard in quality and be exponentially more likely to fail.
A failure could just be an annoyance, taking Jim Bob's pornoputer off the home network and causing him to be unable to connect to the YouPorns until his nephew can come fix the boobie-box.
A failure however could take down a mission-critical computer in an emergency response center where even minutes could mean the difference in life or death for someone. Substandard components could also result in a fire, perhaps not in a NIC, but larger capacitors in something larger could overvolt and catch fire.
Worse, I've long had the thought that a hostile government could create ICs that effectively brick themselves when they receive a certain command. With a NIC, in theory, you could have the NIC radio home a small packet occasionally to report the IP. With the list of IPs you could very casually probe which of a handful of pre-determine ports are open, you could get tens of thousands, or even millions, of these chips in the wild looking perfectly normal just waiting for a command. Then say as a foreign government you want to launch an attack on the United States, you filter all the IPs in your database by location, which will remove the bulk of the machines in other countries from the list, and you have a bunch of servers in a bunch of countries get segments of the IP list and they start sending the kill signal at the same time (and if you get really crafty you make the compromised hardware actually start a timer before it bricks, so you can get the instruction out to as many as possible before the bricking causes widespread disruption of the internet). If you've waited long enough you'll have your trojan horse IC in businesses, homes, government offices of varying levels. If you manage to get even 100,000 taken offline, you've probably caused enough disruption to impact the NYSE as well as cause a good deal of disruption and mayhem. You may have even taken mission critical systems offline at power generation and transmission facilities. You've caused some economic damage at a minimum and based on how things go down you may have just made it much easier to launch a physical attack, especially if you have already trickled special forces soldiers into the country on tourists visas or via smuggling routes (United States special forces actually train to go into countries ahead of common forces to cause disruption and/or train local resistance) and can cause further disruption by causing mass panic with shootings/bombings/attacking first responders.
There is more to it than "oh someone can spy on my data now".
Exactly how does this work? Wouldn't this require your troops to somehow blend into the populace and not stick out like a sore thumb? If the US were planning to invade Germany or Britain, this would work fine, but for some other parts of the world (esp. east/SE Asia), US special forces are going to be instantly recognizable as foreigners because they generally don't look anything like the locals.
Not everyone in the United States is a blond haired, blue eyed white person.
Also, simply adopting the local dress is often enough in many countries where immigration has been a thing for decades now. You also can adopt local hair styles, this is why you'll see a lot of the special forces community with long hair and beards in Afghanistan and similar countries.
If you dress the part, walk the part, speak the part (the DLIFLC alone teaches 24 languages) you can blend in to a city pretty easily. Will you stand out like a sore thumb in a remote village, almost certainly, can you stroll through a town of tens of thousands of people with very little attention paid to you, usually.
With previous U.S. actions though it is usually go into a country mostly-overtly and just train local fighters (or fly them to the United States for training) but the Special Forces community has many instances of infiltration in advance of regular military units, as well as ongoing humanitarian efforts (which helps build awareness of local cultures and customs and dialects). Green Beret medics for example have been used in multiple African countries to provide medical aid, just doing general health checkups on villages and the like, a buddy of mine that was an 18D (Army - special forces medical sergeant) mentions it in his book Love Me When I'm Gone (by Robert Patrick Lewis) as well as a lot of training with foreign military in their country, in his case Germans.
---
Say the Asian country of Makebeleivia wanted to get special forces in place into a country that was largely caucasian prior to a proper attack to disrupt. How do they do it? You send some people in as tourists on various commercial flights, you can use multi-national companies you control or have some coercion over to bring workers over on work visas (and might actually do work for weeks or months), you get some in on student visas, you can pay coyotes to sneak some in, you can sneak some in yourself if there is a coast by deploying them via submarine and having them slip into tourist towns as tourists or with fake identification. Then you use any number of means to arm them with conventional firearms and if you want to cause mayhem you have your demolitions experts cook up crude explosives. The purpose here would be to create panic and tie up first responders, this also puts the national government agencies on edge thinking there is some sort of terrorist attack and is more likely to distract than make them think "oh hey a military invasion might be underway". You can either go after relatively 'usless' targets like crowded public places or you can go after more strategic targets like damns, ill-protected power plants, substations, key bridges in and out of large cities or bridges that create strategic issues for moving heavy equipment, etc.
---
A somewhat good example of foreign agents operating on foreign soil, although in a different capacity, is Mossad. They've done a lot of kidnappings on foreign soil to bring war criminals back to stand trial, assassinations abroad, kidnapping defectors to stand trial, etc
Find some examples here https://en.wikipedia.org/wiki/Operations_conducted_by_the_Mo...
One of the more high profile things Mossad has done is going after Black September, for the Munich bombings. The 2005 film Munich is about this.
Also, Sayeret Matkal, which is basically Israeli's Delta Force - they've sabotaged airliners, done kidnappings and raids, assassinations, done physical evidence gathering in Syria.
As the article says, a compromised NIC is a security risk, but no proof of that NIC being compromised (nor that it is actually easier to compromise it).
And I would expect that an hostile government would have their own counterfeit NIC's:
1) better copied/marked/silkscreened
2) gave iPXE working on them exactly like the originals
i.e. not easily recognizable.
Even more specifically, I seemingly quickly found on Alibaba a "legitimate" NIC (in the sense that has no fake Intel marks) that looks very like the given specimen.
So the counterfeiters can buy those and put the fake Intel markings on them, reselling them for double or triple the cost, why would they change anything else?
Undoubtedly, what is IMHO missing is any proof that the counterfeit hardware (besides being likely of inferior quality) is actually running arbitrary software.
To give an analogy, if we are both running a calculator app that should be identical, but your call stack looks vastly different after we do identical operations, something is fishy.
...but even if they are, checking a firmware checksum only mitigates risk if you otherwise trust the hardware.
Counterfeit silicon could report back whatever your driver wants to hear. And even the presence of a a genuine intel chipset with genuine firmware doesn’t mean there isn’t a malicious component elsewhere on the board.
There’s tons of counterfeit silicon out there.
Most of them are just cheap approximations or copies of premium components with the motive to make a profit on their sale, but there’s not much preventing any of them from intentionally or unintentionally compromising their hardware.
The popularity of programmable silicon and the standardization of silicon package sizes make this super cheap and easy to do as well.
Another big component of risk is trustworthiness. You might evaluate a vendor’s reputation, test/qa processes, support channels, and the legal environment they operate in. If you don’t even know who the vendor is, that’s a big barrier to establishing much trust.
Where? Intel sells network chips to OEMs, one of the more shady ones decided to directly clone Intel PCB.