US-CERT has issued a new thread advisory, on network infrastructure, including some emphasis on hardware/firmware security advice. I’m excerpting their recommendations on on hardware validation:
6. Validate Integrity of Hardware and Software
Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.
* Maintain strict control of the supply chain; purchase only from authorized resellers.
* Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
* Inspect the device for signs of tampering.
* Validate serial numbers from multiple sources.
* Download software, updates, patches, and upgrades from validated sources.
* Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
* Monitor and log devices, verifying network configurations of devices on a regular schedule.
* Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.