Know Your Source

Hardware can be obtained from a variety of sources: the manufacturer, authorized sellers, distributors, retailers, unauthorized resellers, and the grey market.

A manufacturer is the original producer of goods, responsible for the design, creation, and quality control of a product. Manufacturers may sell directly to consumers through their own stores or websites, or they may supply goods to intermediaries liked distributors or retailers. Since there are no middlemen, manufacturers often offer the most competitive pricing and maintain full control over their branding and customer experience.

An authorized seller or authorized reseller is a third-party entity that has received explicit permission from a manufacturer to sell its products. These sellers are typically certified or trained by the brand and often appear on the manufacturer’s official list of partners. Customers benefit from purchasing through authorized sellers because they are more likely to receive legitimate products, full warranties, and brand-backed customer service.

A distributor acts as an intermediary between manufacturers and sellers such as retailers or resellers. Distributors purchase goods in large quantities from manufacturers and manage the logistics of warehousing, transportation, and sometimes regional marketing. They rarely sell directly to consumers but may sell hardware in large quantities to integrators and OEMs.

A retailer is the end-point seller who offers products directly to the final consumer. Retailers can operate through physical storefronts, online platforms, or a combination of both (known as omnichannel retail). They often determine their own pricing structures and may be either authorized or unauthorized to sell certain brands depending on their relationship with manufacturers or distributors.

What are Authorized Sellers

Authorized seller are often hailed as a trustworthy source, because they have a stamp of approval by the manufacturer through the authorized seller program.

Authorized seller programs are initiatives established by manufacturers to control the distribution of their products, protect brand integrity, and ensure a consistent customer experience. These programs typically involve formal agreements that grant specific third-party retailers or resellers permission to sell a brand’s products, often in exchange for meeting certain requirements related to pricing, marketing, customer service, and adherence to brand guidelines. Authorized sellers may receive benefits such as access to official inventory, training, promotional materials, and eligibility for manufacturer-backed warranties and support services.

Authorized Sellers Are Plenty

Authorized Sellers do not seem to be a rare resource. Here are some statistics that show the complexity and scale of these programs:

• CISCO lists 14,412 certified partners in the G7 countries (Canada, France, Germany, Italy, Japan, UK, and US) alone.
• Dell offers products through 2,969 partners, 360 distributors, 27 federal partners, 0 systems integrators (although they maintain this partner category), and 107 OEM partners.
• Logitech lists 448 resellers and 206 distributors.
• TP-Link sells through 24 online stores, 18 distribution partners, 20 retailers, 14 reseller partners, and 15 solution partners.
• Sandisk:
  
  • Canada: 24 online, 3 distributors retail, 13 distributors commercial, 1 representative
  • USA: 2 var resellers, 270 online, 11 distributors retail, 4 distributors commercial, 9 affiliates, 10 representatives, 2 resellers
  • Germany: 5 online stores, 3 distributors retail
  • UK: 2 var resellers, 22 online stores, 1 distributor retail
  • France: 14 var resellers, 13 online stores, 11 distributors retail, 2 distributors commercial, 1 reseller  
  • Italy: 12 online stores, 4 distributors retail
  • Japan: 6 online stores, 2 distributors retail

It is difficult to believe that these companies can practically enforce consistency and quality across that many partners, and many partners are specific to certain countries or categories. For example, CISCO offers three different authorization levels (“Select”, “Premier”, and “Gold”) for each of four different categories (“Integrator”, “Provider”, ”Developer”, and “Advisor”). For selling, it also seems to have different tiers of sellers as indicated in their application guide.

Becoming a Reseller is an Easy Questionnaire

CISCO provides detailed information on how to become a reseller:

1. Register on their website
2. Fill in a questionnaire of approximately 10 questions shown in the guide
3. Wait for an email that you are either approved or denied

‍

The program does not specify what exactly Cisco will verify or assess before granting partner approval. In fact, online forums contain more posts from frustrated authorized resellers criticizing Cisco's mishandling of the process than from those questioning rejections based on valid grounds. Of course, it’s also possible that less scrupulous sellers simply choose not to voice their complaints publicly.

Are Authorized Sellers Automatically Low Risk?

All this information begs the question: Does buying from an authorized seller automatically imply a very low risk of getting duped? In other words, is it safe to buy from Authorized Sellers and not perform detailed inspections?

The number of authorized sellers and the variety of the programs for some of the examples given above does not provide confidence. Can Cisco really perform an in-depth check of nearly 14,000 partners in the G7 countries alone? How does Sandisk enforce similar standards for the different types of authorized sellers across all these different countries? For example, in the EU a German buyer can approach a French reseller without worrying about trade restrictions.

A Black Sheep as A Datapoint

Palitronica has been analyzing 2FA USB keys for a customer to detect manufacturing variability, implants, and unauthorized changes. Manufacturing variability refers to the natural differences that can occur during the production process of electronic components or devices, even within the same batch or from the same manufacturer. These variations may include differences in electrical characteristics, timing behavior, or physical layout, and serve to scorecard the quality of the OEM’s manufacturing process. Implants are covert modifications—often malicious—introduced into a device’s hardware during or after manufacturing, which may compromise security by leaking data, enabling unauthorized access, or altering the device’s functionality.

The goal of this analysis is to provide the customer with detailed information of the manufacturing capability, the manufacturing variability, and device integrity for 2FA USB key solutions.

Methodology

• We purchased a specified number of products from authorized sellers or manufacturers in a single batch order.
• We analyzed them with Anvil using the odd-sample-out method to identify outliers in the batch.
• We disassembled every 2FA USB key to provide additional confirmation for our results.

And look what we found!

We’ve redacted the identifying details—but you can still play “spot the difference.” The variation in physical shape is immediately noticeable. In reality, the manufacturer shipped a mix of very old(revision 1.0) and newer (revision 3.2) systems. From a quality assurance and security standpoint, these revisions should be treated as entirely separate products, each requiring its own testing and validation process. But how would you even know to do that without using Anvil to detect the discrepancy? The packaging alone does not give it away.

It appears the manufacturer took advantage of the large order to offload outdated inventory. Not on Anvil’s watch.

Anvil quickly and easily flagged the inconsistency—identifying different products within the batch using a simple test that took only seconds and a few button presses.

Now our customer knows which supplier to avoid for 2FA keys. The real question is: do you know who to trust for the COTS systems you’re buying?

Why Is This Mix in COTS Problematic

Key reasons on avoiding suppliers like the one we talked about include:

1. Questionable and non-transparent business practices are well-identified precursors to cybersecurity failures. The history of high-profile cybersecurity breaches is filled with examples where companies engaged in dubious business behavior: SolarWinds ignored repeated security warnings and leaks, Equifax failed to patch known vulnerabilities, and Target neglected to enforce cybersecurity standards on third-party contractors. In our case, by delivering a significantly outdated version of their hardware — mixing Version 1.0 with Version 3.2 — without any prior notification, the supplier has demonstrated a clear priority: clearing out obsolete inventory rather than upholding cybersecurity best practices.
2. Failing to communicate hardware revisions violates both compliance obligations and security configuration management (SCM) principles. Every major cybersecurity framework—such as the NIST Cybersecurity Framework, ISO/IEC27001, and CIS Controls—identifies SCM as a critical control. SCM refers to the process of establishing, maintaining, and auditing secure configurations for all assets, including hardware, to minimize vulnerabilities and ensure alignment with security policies. It involves identifying approved configurations, tracking changes, and detecting unauthorized deviations top reserve system integrity and reduce the attack surface.
   By distributing different hardware revisions of the same product without notice, the supplier undermines SCM and potentially causes the recipient to fail compliance audits, especially if these deviations are not immediately detected and remediated.
3. Multiple undisclosed hardware versions create an exponential cybersecurity risk. Each hardware configuration introduces a unique attack surface, increases operational complexity, and multiplies the potential points of failure. This makes it dramatically more difficult to monitor, secure, and maintain the system effectively. New configurations introduce additional burdens for patching, security monitoring, compliance management, and threat modeling.

Each hardware revision we received contains a different Hardware Bill of Materials (HBOM). This means each variant potentially exposes different vulnerabilities and requires separate monitoring, patching, and inventory tracking. However, because the supplier failed to disclose these hardware changes, effective security management is rendered impossible.

Conclusion

Authorized seller programs can be intricate ecosystems — some manufacturers maintain tens of thousands of registered resellers — making it difficult to ensure product consistency and traceability. In a seemingly routine case, Palitronica was tasked with evaluating manufacturer and product integrity for a customer through a comprehensive Anvil CheckPoint scorecard assessment.

During this evaluation, we uncovered a critical supply chain vulnerability: one manufacturer had silently shipped two fundamentally different hardware revisions within a single order — one modern and one outdated. This was not a minor version increment, but a significant design divergence with distinct hardware Bills of Materials (HBOMs),introducing different security implications, monitoring requirements, and compliance risks.

Anvil detected the silent switch. Anvil raised the red flag.

Thanks to this detection, our customer now has clear, actionable intelligence about their supplier’s practices and can proactively mitigate procurement and compliance risks. What seemed like a simple delivery revealed a profound breakdown in secure supply chain practices—exactly the kind of silent threat that leads to cybersecurity failures.