
OPINION | India’s invisible threat: The counterfeit hardware flooding our digital infrastructure

A country that can detect a software intrusion and cannot verify the integrity of the hardware its networks run on has not solved the security proble


From data centre servers to CCTV cameras, from PCB assemblies to communication interface units, a flood of refurbished, counterfeit, and tampered hardware is entering India’s digital ecosystem every day. The customs system cannot stop it. The laws do not adequately penalise it. And no one can tell an original from a fake at the port gate.

Somewhere at Nhava Sheva, India’s busiest container port, a consignment of networking equipment clears customs. The documentation is in order. The HSN code is correct. The declared value is plausible. The importer is a registered entity. Within days, the equipment (routers, switches, communication interface units) finds its way into a government office network, a bank’s branch infrastructure, or a surveillance system in a smart city project. Nobody asks whether the devices are new or refurbished. Nobody checks whether the firmware running on them is the manufacturer’s original.

Nobody verifies that the serial numbers are genuine.

This is not a hypothetical. It is a daily reality playing out at ports and container terminals across India. And it is one of the most consequential vulnerabilities in the country’s digital infrastructure that almost nobody is talking about at the scale the problem deserves.

The grey flood

India imports tens of billions of dollars’ worth of IT and electronics hardware every year. Servers, storage systems, GPUs, networking equipment, printed circuit board assemblies, modems, surveillance cameras, data centre infrastructure: the entire physical backbone of the country’s digital ambitions travels through ports and air cargo terminals, declared, classified, and cleared.

Buried within that legitimate trade is a parallel stream that is neither legitimate nor traceable. Refurbished equipment sold as new. Counterfeit components inside authentic-looking packaging. Hardware with tampered firmware. Devices that carry a brand name but were never manufactured by that brand. The scale of this infiltration is difficult to quantify precisely, which is itself part of the problem. What is clear is that the system designed to filter it cannot, at current volumes and with current tools, do so reliably.

The fundamental design flaw is hiding in plain sight. India’s Harmonised System of Nomenclature, the HSN coding system that classifies every import for customs purposes, makes no distinction between new and refurbished equipment. A brand new server from an authorised manufacturer and a refurbished server of the same model, rebuilt in a workshop in Shenzhen and repackaged as new, both enter India under the identical HSN code, with identical documentation requirements, and subject to identical inspection protocols. For customs purposes, they are the same thing. They are not.

There is no difference in HSN classification between a new router and a refurbished one. The customs system, by design, cannot tell them apart.

This classification blindness creates a structural arbitrage opportunity that the grey market exploits systematically.

Refurbished equipment typically costs a fraction of new equipment. When it enters India classified identically to new equipment and is sold at near-new prices, the margin for those in the trade is substantial. The end buyer, whether a system integrator, a government procurement agency, or a corporate IT department, often has no reliable means of verification. The equipment looks right. The paperwork looks right. The price may even seem right.

Why physical checks cannot solve this

The instinctive response to this problem is more inspection. More officers at ports. More consignments opened and examined. More risk-based sampling. It is an understandable instinct. It is also, at Indian import volumes, a fantasy.

India handles over 15 million TEUs, or twenty-foot equivalent units, of container traffic annually, with Nhava Sheva alone processing several million. Electronic imports arrive in containers, in air cargo consignments, in courier shipments, in mixed loads where IT equipment is one item among dozens.

The sheer volume makes comprehensive physical inspection impossible. Risk-based sampling helps at the margins but cannot address a problem that, by its nature, is designed to look like legitimate trade.

The deeper issue is that physical inspection, even when it happens, cannot detect the most serious risks. A refurbished server looks identical to a new one. A networking device running modified firmware is visually indistinguishable from one running the manufacturer’s original. A PCB assembly containing counterfeit chips cannot be identified by opening a box and looking at it. The risks that matter most in this problem are not visible. They are embedded in firmware, in silicon, in the history of a device that its current packaging conceals.

In 2024, India made significant moves to regulate CCTV imports, mandating BIS certification for surveillance equipment to address concerns about devices of Chinese origin connecting to Indian networks. It was a necessary step. But CCTV cameras are one category. The same risk profile extends across the entire hardware spectrum into storage systems, data centre servers, communication interface units, industrial controllers, and network switches, where no equivalent certification mandate currently exists.

The software and firmware dimension

Hardware counterfeiting and refurbishment are visible parts of the problem. The invisible part is what runs on the hardware after it is deployed.

Pirated operating systems and enterprise software bundled with hardware at the point of purchase are commonplace in segments of the Indian IT market. For a small business buyer, a school, or a local government office, the temptation of a fully ‘configured’ system at a fraction of licensed cost is real and understandable. Government procurement systems also encourage least-cost purchases. What that buyer typically does not know is that the pirated software may carry modifications, that the licence keys are stolen, that the vendor has no legitimate relationship with the software manufacturer, and that the system will receive no security updates because it cannot authenticate with the manufacturer’s servers.

Firmware is a more serious concern still. Firmware is the low-level software permanently embedded in a hardware device, in routers, switches, storage controllers, network interface cards, and industrial equipment. It operates below the operating system, is largely invisible to standard security tools, and persists across system reinstalls. If the firmware running on a device has been modified — to introduce a backdoor, to phone home to an unauthorised server, to degrade performance in specific conditions, or simply to disguise the device’s actual operational history — the organisation deploying it has almost no practical means of detection.

This is not a theoretical attack vector. Supply chain firmware compromise has been documented in multiple contexts globally. The concern is not that every refurbished device carries malicious firmware. It is that the current system provides no structured basis for distinguishing devices that do from those that do not. When a government department deploys a networking device with compromised firmware onto its administrative network, it has not made a security decision. It has made an assumption. And the assumption may be wrong.

Firmware compromise is invisible to standard security tools, persists across reinstalls, and operates below the level of any conventional defence. It is the attack surface no one is watching.

The enforcement gap

India’s enforcement architecture for import integrity is spread across several bodies: the Directorate General of Foreign Trade, the Bureau of Indian Standards, the Central Board of Indirect Taxes and Customs, and sector-specific regulators.

Each has a legitimate mandate. None has been designed to address the specific problem of hardware authenticity at the intersection of classification, valuation, and post-deployment integrity.

The penalties for misdeclaration of imports, while not trivial, have not functioned as an adequate deterrent in this domain. The economic incentive for introducing refurbished equipment as new is large. The probability of detection at current inspection rates is low. The penalty, if detected, is, for a significant operator, a manageable cost of doing business. That calculus needs to change fundamentally.

Post-import traceability is almost non-existent. Once hardware clears customs and enters the supply chain, it diffuses into the market with no systematic mechanism for tracking its provenance or verifying its authenticity. A server that enters Nhava Sheva today may be in a government data centre in Lucknow in three weeks. If a problem is discovered, whether a backdoor, a performance anomaly, or a firmware discrepancy, tracing it back to the original import consignment is extremely difficult. Recall is practically impossible.

The network connectivity dimension of this problem has received insufficient attention. Critical systems, government administrative networks, banking infrastructure, telecom backbones, and defence networks all operate on the implicit assumption that the hardware connected to them is what its documentation claims it to be. There is currently no systematic architecture for verifying this assumption at the point of network connection. Unauthorised or unverified hardware connects to critical networks every day, not through malice, but through the absence of a framework that requires anything different.

 

From inspection to intelligence: What needs to change

The solution is not more inspectors at ports. India cannot inspect its way out of a problem that is, at its core, a failure of systemic design. What is needed is a fundamental redesign of the verification architecture: moving from inspection-based control, which cannot scale, to intelligence-driven verification, which can.

The most important single reform is HSN differentiation. New, refurbished, and reconditioned equipment should carry distinct sub-classifications, with different documentation requirements, different duty treatments, and different inspection triggers. This reform does not require new institutions. It requires a policy decision at the Ministry of Finance and CBIC. Its effect would be immediate: the classification arbitrage that currently enables refurbished equipment to enter invisibly would be structurally closed.

Alongside HSN reform, value mapping needs to become an active enforcement tool. The declared transaction value of an import consignment can be benchmarked against known market values for genuine new equipment of that specification. A shipment of servers declared at thirty percent of the going rate for that model is either misdeclared or counterfeit. Both possibilities warrant investigation. Automated anomaly detection against benchmark pricing already exists in principle in customs risk management systems. It needs to be applied systematically to high-value electronics imports.

Serial number declaration for high-value components, such as servers, storage systems, networking equipment, and GPUs, should become mandatory at the point of import. Secure API integration with original equipment manufacturers, allowing customs to validate declared serial numbers against manufacturer databases in near real time, would transform the authentication problem from a manual and impossible task into an automated and tractable one. Several major OEMs have the technical capacity and willingness to support such integration. What is needed is the regulatory mandate requiring it.

Refurbished imports should not be banned. There are legitimate markets for certified refurbished equipment, particularly in cost-sensitive applications in the non-critical sector. But legitimacy requires transparency: disclosure of prior use, certification of the refurbishment process against defined standards, and explicit restriction of use to appropriate deployment contexts. A licensing regime for refurbished hardware imports, administered under DGFT, would bring this market into the open rather than driving it further underground.

On the software and firmware side, mandatory licensing declarations and firmware integrity certification for hardware deployed in critical sectors are achievable requirements. The technology for firmware hashing and integrity verification exists and is widely deployed by responsible OEMs. What is absent is the regulatory requirement that deployers of critical infrastructure hardware verify firmware integrity before deployment, and that platform providers certify that devices carry unmodified manufacturer firmware.

The network connectivity provision is perhaps the most immediately enforceable. Government networks, banking infrastructure, and telecom systems already operate under regulatory frameworks. Adding a requirement that only hardware meeting defined authenticity and firmware integrity standards may connect to these networks is operationally achievable and would immediately close the most consequential exposure.
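The firmware integrity check and the network admission requirement described above can be combined into a single pre-connection gate. The sketch below is an added example, not part of the original article or any agency's system; the device fields, the OEM manifest, the set of OEM-confirmed serials, and all sample values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data (not real devices or firmware).
GOOD_IMAGE = b"constructed firmware image v1.2.3"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x90extra"

# Assumption: reference hashes are obtained from the OEM over an authenticated channel.
OEM_MANIFEST = {
    ("EX-SW24", "1.2.3"): hashlib.sha256(GOOD_IMAGE).hexdigest(),
}
# Assumption: serial numbers the OEM has already confirmed as genuine.
OEM_VALID_SERIALS = {"SN-CONSTRUCTED-0001"}


def sha256_stream(chunks):
    """Hash a firmware image supplied in chunks, so large images need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()


def admission_decision(device, image_chunks):
    """Return (allowed, reasons). Fails closed: any unknown or mismatch blocks admission.

    Caveat: the image should be read out-of-band (e.g. from flash), because a
    device with modified firmware can misreport its own contents.
    """
    reasons = []
    if device["serial"] not in OEM_VALID_SERIALS:
        reasons.append("serial not confirmed by OEM")
    expected = OEM_MANIFEST.get((device["model"], device["fw_version"]))
    if expected is None:
        # An unlisted model/version is treated as unverified, not as acceptable.
        reasons.append("no OEM hash for this model/version")
    elif not hmac.compare_digest(expected, sha256_stream(image_chunks)):
        reasons.append("firmware hash mismatch")
    return (not reasons, reasons)
```

The gate deliberately treats a missing reference hash the same way as a mismatch, since an unverifiable device is exactly the case the article says currently connects by default.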

Finally, the penalty regime must change. High financial penalties for misdeclaration, blacklisting of repeat offenders from import licences, and criminal liability provisions for those who introduce counterfeit or compromised hardware into critical infrastructure: these are not disproportionate responses. They are proportionate responses to a risk that, if it materialises at scale in a critical system, could cost orders of magnitude more than the penalty ever would.

The urgency beneath the surface

India is building a digital infrastructure of extraordinary ambition. The data centres, the government networks, the smart city surveillance systems, the financial switching infrastructure, and the defence communication networks: all of it rests on hardware whose integrity the country currently cannot systematically guarantee.

This is not a future risk. The hardware with uncertain provenance is already in the ecosystem. Some of it is already connected to networks that matter. The question is not whether India will have a hardware integrity incident. The question is whether it will have the systems to detect one when it occurs, and the architecture to prevent the next one.

India’s digital success story is real. Its cybersecurity response institutions are growing in seriousness and capability. But a country that can detect a software intrusion and cannot verify the integrity of the hardware its networks run on has not solved the security problem. It has built a strong lock on a door with an uncertain frame.

Securing the hardware and software supply chain is not protectionism. It is not a statement of distrust towards any country or trading partner. It is the fundamental obligation of any serious digital state to know what is running on its infrastructure, to be able to verify it, and to be able to act when the answer is wrong.

India has mastered digital scale. The next phase will be determined by whether it can master digital trust.

The tools for doing so exist. The policy levers are available. The only thing that has been missing is the urgency to use them.

Before the problem forces the question in a context where the answer comes too late.

(Lt Gen M U Nair (retired) is the former National Cyber Security Coordinator, Government of India, and a former Signal Officer in Chief, Indian Army.)

(The opinions expressed in this article are those of the author and do not purport to reflect the opinions or views of THE WEEK.)