Purchasing refurbished appliances is not uncommon. Online marketplaces, such as eBay, provide a platform for customers to buy used gadgets at a lower price than the original, but at a higher quality than a used device sold by an individual. And with today’s supply chain issues and semiconductor bottlenecks, sometimes new equipment isn’t available. Buying refurbished equipment is therefore the only way for companies to expand their infrastructure. Naturally, refurbished devices come with risks, and there are precautionary measures one can (and should) take when buying used gadgets. But what about deception? Suppose a customer did not know that the gadget they purchased had been refurbished. What if they thought they were buying a brand-new device?
See no harm
The US Department of Justice recently charged a man with counterfeiting older, lower-model Cisco devices and selling them as genuine versions of new, upgraded, and more expensive Cisco devices through various online storefronts, including 10 on eBay. The counterfeiters modified Cisco devices by adding unauthorized components, some of which were designed to circumvent security measures that authenticated the hardware. The level of deception was so deep that it was almost impossible for customers to question the authenticity and integrity of the device. Speaking of customers, it’s worth mentioning that the buyers of the counterfeit Cisco devices weren’t naïve, careless individual consumers looking for a bargain; hospitals, schools, government agencies and the military were among the victims. Let this serve as a reminder that no matter how careful and alert one is, there will always be a soft spot for attackers to exploit; in this case, it was visibility. A lack of full asset visibility meant that the modifications, which would have been a sign that the device was compromised, went undetected. When companies unknowingly purchase refurbished products and devices, they lack an accurate understanding of their hardware infrastructure; what they think they are buying is not what they actually receive, and without a mechanism to suggest otherwise, they remain oblivious.
Avoid disappointment: knowledge is power
When it comes to cybersecurity, knowledge is power. Asset management, access management, policy enforcement, vulnerability management and more depend on visibility and understanding of the network environment and what is connected to it. In other words, visibility is the foundation of cybersecurity. If a company does not know the true identity and risk posture of an asset, it is simply impossible to manage it (at least properly).
Resellers can mislead customers and present old devices as new products by modifying hardware or firmware. These modifications are sometimes invisible and can include vulnerabilities and backdoors that go unaddressed. In the above case, the poor-quality and unauthorized components added to the devices were not detected. These vulnerabilities ultimately caused products and devices to malfunction, resulting in significant damage to the networks and operations of buyers’ organizations. Given the nature of the customers’ businesses, any disruption to the status quo could have perilous consequences. Similarly, backdoors have provided malicious actors with a pathway into a company’s network, through which further malicious activity and deception can take place.
No more hiding
To avoid unknowingly buying refurbished devices, businesses should always try to buy directly from an authorized dealer. However, compromises on these devices are always possible due to complex supply chain risks. To address the challenge of product tampering more reliably, whether the device comes directly from the source or from a reseller, companies must focus on gaining complete asset visibility. Partial visibility might as well be no visibility: all it takes is a single weak point for a breach or cyberattack to succeed. Avoiding deception and detecting hardware changes requires hardware-level visibility: examining a device’s physical-layer data signals to accurately identify it.
No one likes a fake, and all it takes is a close enough look (in this case, the physical layer) to reveal the truth.