At the beginning of May, the FBI issued a warning about counterfeit Cisco routers. US government agencies, universities, and companies were purchasing top-notch routers from Cisco. In fact, their retailers were sourcing counterfeit material in China. Thus, more than 3,500 pieces of equipment containing counterfeit material were installed in critical places.
The problem is that nobody knows whether trapdoors were installed in these routers. Backdoors in sensitive places would be very powerful weapons for any attacker. Currently, we don’t know whether this is part of warfare or just a traditional counterfeiting operation.
To limit expenses, more and more governments, and even armies, use mainstream devices for their infrastructure. They no longer build their own equipment. This means that they have changed their trust model. They now rely on the same trust assumption that we, common mortals, use: trust your supplier.
Of course, in the case of counterfeit material, this assumption is extremely weak. The risk is not only the presence of trapdoors, but simply the quality of the device or software itself. On critical equipment, the reliability may be lower than expected.
Nevertheless, does this assumption hold for genuine equipment? This reminds me of the accusation of an NSA trapdoor in Microsoft's cryptographic API. A researcher discovered the presence of a key called NSA_key! (see cryptome.org). This ended up with some governments requiring the exclusive use of Open Source in some parts of their IT infrastructure to avoid potential trapdoors.
To view the FBI's presentation, visit abovetopsecret.com