Should We Be Concerned That The Military Will Use Counterfeit Routers Bought Off eBay?

from the it's-not-pretty dept

There was a story last week that got a lot of press about how the FBI discovered that the military was using a ton of counterfeit technology equipment, including thousands of fake Cisco routers. Dan Wallach has an excellent writeup looking at the security implications of what happened. From the description, it certainly doesn’t sound like any of the equipment was found to include any kind of questionable technology for spying, but the point is that it would have been easy enough if someone had wanted to do so. Basically, the background is that while the government only buys equipment from approved vendors, those vendors can subcontract out the actual tech purchases to anyone. That leads to situations where (no joke) one subcontractor purchased a bunch of fake routers off of eBay and then resold them to the government via an authorized vendor. Or, try to follow the details of the case of the US Navy contracting with Lockheed Martin for equipment. Lockheed outsourced the deal to an unauthorized Cisco reseller as a subcontractor. That subcontractor turned to its own subcontractor who (yup, you guessed it) hired another subcontractor who shipped the equipment straight to the Navy. If you lost count, that’s five layers deep, with most of those layers having no real oversight on what they did. You would think the government (and especially the military) would be a bit more careful in where it sourced its products from, but it certainly doesn’t seem as though that’s the case at all. Given all that, it’s almost difficult to believe that compromised equipment hasn’t been sold to the government at some point.

Companies: cisco


Comments on “Should We Be Concerned That The Military Will Use Counterfeit Routers Bought Off eBay?”

18 Comments
Anonymous Coward says:

All encryption is decipherable.
All equipment is or can be potentially compromised.
All ur bases r belong 2 us.

Clearly this breakdown of government contractors needs to be investigated and addressed, but one large lesson learned is the value of end-to-end encryption. Cryptography that stays technologically ahead of attempts to thwart it.

I hate to say that “obscurity” is the best solution, but if we continue to shake up our encryption protocols, dilute sensitive information in a flood of nonsensical garbage and challenge authenticity ultimately end to end, the equipment in the middle of a cloud is less of an attractive target.

Hank (user link) says:

worse yet.....

What’s really scary is that most equipment and work on overseas bases is provided by the host country.

When I was stationed in Korea I worked with Top Secret, intelligence gathering, computer systems that were basically the key to any war time decision making.
When we needed new equipment or needed any infrastructure work done we had to use Korean contractors. We did an upgrade of the entire system about halfway through my tour and most of the work was done by Korean contractors. Tell me how much sense that makes. Do you honestly think that they haven’t planted equipment that allows them to see what we are working on?

Our govt acts as though they are concerned with national security yet they give away the keys to kingdom all the time. This stuff going on with fake routers doesn’t surprise me one bit.

TW Burger (profile) says:

Re: worse yet.....

It’s the same in Iraq and Afghanistan. Locals are hired for kitchen, laundry, and janitorial jobs and the MI officers stand around confused as to why mortar attacks on the bases tend to be so accurate…

In ‘Ghan they hire a local contractor to wire the metal storage containers that were converted to apartments (don’t ask) and the whole thing is done with one color of wire, cables running through puddles, and no grounding.

I will not let a local anywhere near my communications networks and I buy the equipment myself and inspect each unit personally.

NRK says:

Re: Re: worse yet.....

You are the exception… most Gov agencies hire it done, and if it works, and sometimes when it doesn’t, write a check. Then the equipment is out-of-sight, out-of-mind until there is a problem and then it is too late to go back to the contractor.

We had the same problem in Vietnam hiring locals who would pace off the size of the compound and any high-value targets. Next day the mortars would come in with pin-point accuracy.

To have integrity, the military needs to do it all, that is why we have cooks, bakeries, laundry units, etc. in the military, and the soldiers have to take their turn at guard, shit burning, etc.

Some day we will study the lessons learned from past conflicts and apply them to current one…

nrk

chris (profile) says:

Re: worse yet.....

maybe things have relaxed a bit since i was in the service in the 90’s, but when it comes to classified materials the equipment that is cleared for classified is clearly marked and the equipment that is not cleared for classified material is also clearly marked. there are separate networks (data and voice) for classified material.

information about the systems that handle classified material (hardware vendors, versions of unix, etc.) is also classified, so if the phony brand name of the equipment was leaked, chances are it was for non-classified (though possibly still sensitive) material.

N1ck0 says:

Registration

What’s also pretty bad is Cisco has a pretty good registration system for their equipment. And like most higher end network equipment, Cisco maintains records of what vendor has sold what S/Ns. Yes, in some circumstances registration is a bit cumbersome, but in most cases equipment needs to be registered with the inventory system anyway… it’s not that much of a stretch for supply officers to query the databases and confirm IDs with OEM on a routine basis.
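The routine check described in the comment above, sketched as an added example that is not part of the original comment and not any vendor's tooling: it reconciles an inventory export against OEM sale records. The CSV layouts, serial numbers, asset tags and reseller names are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample: OEM sale records (which reseller each serial was sold to).
OEM_RECORDS_CSV = """\
serial,model,sold_to
TEST0001,2811,Authorized Reseller A
TEST0002,2811,Authorized Reseller A
TEST0003,1841,Authorized Reseller B
"""

# Constructed sample: the supply office's inventory and purchase paperwork.
INVENTORY_CSV = """\
asset_tag,serial,model,purchased_from
N-001,test0001,2811,Authorized Reseller A
N-002,TEST0002 ,2811,Authorized Reseller A
N-003,TEST0002,2811,Authorized Reseller A
N-004,TEST0003,1841,Authorized Reseller A
N-005,TEST9999,2811,Authorized Reseller A
"""

def norm(value):
    """Normalize hand-typed fields so case and stray spaces do not hide a match."""
    return value.strip().upper()

def reconcile(inventory_csv, oem_csv):
    """Return (asset_tag, finding) pairs for units that need a closer look."""
    oem = {norm(r["serial"]): r for r in csv.DictReader(io.StringIO(oem_csv))}
    items = list(csv.DictReader(io.StringIO(inventory_csv)))
    seen = Counter(norm(r["serial"]) for r in items)
    findings = []
    for item in items:
        serial, tag = norm(item["serial"]), item["asset_tag"]
        record = oem.get(serial)
        if record is None:
            # The OEM has no record of ever selling this serial number.
            findings.append((tag, "UNKNOWN_SERIAL"))
            continue
        if seen[serial] > 1:
            # One genuine serial on several units suggests a copied label.
            findings.append((tag, "DUPLICATE_SERIAL"))
        if norm(record["model"]) != norm(item["model"]):
            findings.append((tag, "MODEL_MISMATCH"))
        if norm(record["sold_to"]) != norm(item["purchased_from"]):
            # The unit reached us through a seller the OEM did not ship it to.
            findings.append((tag, "SELLER_MISMATCH"))
    return findings
```
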

Davey (profile) says:

Been there. Called the cops.

My IT manager here at *.gov (where we have substantial security concerns) has been sold counterfeit equipment. However, we bought it directly and saw it for what it was. A call to the U.S. Marshal’s office straightened everything right out. IMHO, Federal acquisition regulations are partially responsible for taking the buying decisions out of the hands of people who might know what they’re getting, and putting it in the hands of folks that want low bid. Procurement agents are notorious for using their own (uninformed) judgement when buying technology (e.g. “This item is NOT ‘or equal’ dammit!”)

Technical Purchasing Manager says:

Re: Been there. Called the cops.

Brilliant Davey. Thanks, I needed a good laugh today.

Definition: e.g. = for example: as an example; “take ribbon snakes, for example”

Your e.g. is an opinion, not an example. It contains hostile emphasis and swearing in just seven words. Good thing your opinion is humble. Keep it that way.

Nasch says:

Re: Re: Been there. Called the cops.

I just looked at your name, Technical Purchasing Manager, and now I realize you made that post not just because you’re neurotically pedantic (though you may be), but because you were feeling attacked. In other words, this is probably based on emotion and not reason, so never mind.
