Is Cisco killing their own reputation?

Written by George Ou, Contributor

Last Wednesday in Las Vegas, Nevada, Michael Lynn delivered a message to the IT world: it is not safe.  On that same day, Mr. Lynn became unemployed and the target of a massive lawsuit from Cisco Systems.  His only "crime" was exercising his First Amendment right of free speech to talk about existing vulnerabilities in IOS, known to Cisco for months, that could lead to a Cisco router or switch being hijacked.  Lynn performed a live demonstration against the Cisco vulnerability to prove his point, which was arguably less than what two FBI agents did earlier this year to prove how existing Wi-Fi vulnerabilities could be exploited.  Humphrey Cheung covered this event and posted this article with some photos and a detailed explanation of what transpired on that day.  By Thursday, Cisco had settled with Mr. Lynn on the promise that he would never talk about this security vulnerability exploit again.

In addition to suing Michael Lynn, Cisco also sued the Black Hat convention for allowing Mr. Lynn to speak, even though the Black Hat group had allowed Cisco to come in like the Gestapo and destroy all the material and CDs pertaining to Mr. Lynn's security presentation.  As far as Black Hat was concerned, Michael Lynn was going to give a security presentation on VoIP.  On Friday, Cisco sued a few more websites for publishing the contents of Michael Lynn's presentation.  By now, however, the cat is out of the bag and the information has already been copied around the world thousands of times.  Cisco's justification for gagging Lynn's research was to thwart irresponsible disclosure, but when you look at the facts of the case you really have to wonder about Cisco's motives.

It is important to recognize some facts about Michael Lynn's presentation:

  • Lynn did not talk about any new Cisco IOS vulnerabilities.
  • The vulnerabilities Lynn was speaking of had been known to Cisco for months, and an updated IOS had already been released to mitigate the issue, but no warning was issued to Cisco customers that it was urgent for them to update.
  • Lynn never showed or distributed any of the proof-of-concept exploit code.
  • There were already Chinese hacking forums on the Internet boasting that they had remotely exploited some Cisco routers months earlier.

I've talked about responsible and ethical disclosure before and I'll be the first to speak out against reckless disclosures, but this was clearly not a case of irresponsible disclosure.  This isn't a case where a security researcher finds a serious vulnerability and then immediately releases the proof-of-concept exploit code to the whole world without notifying the vendor or giving it a chance to patch the hole.  All Michael Lynn did was demonstrate for the first time in public that it is possible to take over a Cisco router and obtain "enable mode" (the equivalent of the Windows "Administrator" account or the UNIX "root" account) on a Cisco router that wasn't running the latest IOS code.  The demonstration used existing vulnerabilities that had already been patched.  Michael Lynn simply wanted the world to know that the network backbone of the Internet and of nearly every organization on the planet could be hijacked if the latest Cisco IOS software wasn't installed.  Cisco simply didn't want anyone to talk about it, for fear of negative PR, and set out to gag Black Hat 2005, which ironically has brought ten times the attention to the vulnerability that it would have had otherwise.

While most core Internet backbone routers are usually up to date, because their operators can't afford any kind of vulnerability leading to downtime or system compromise, this isn't the case for most businesses and organizations, where nearly all switches and routers are never routinely updated.  Not only are they not routinely updated, it's very common for Cisco switches and routers to be running software that is 3 or more years old, because they are thought of as plumbing that you install and forget.  There is still a widespread belief that Cisco IOS could never be remotely exploited, and the attitude that "if it ain't broke, don't fix it".  Some of this hesitation to update network infrastructure equipment is understandable, because updated software can sometimes cause temporary infrastructure breakage that requires troubleshooting, but the risks of not updating are now substantial.  If a Cisco IOS router or switch running vulnerable IOS were hacked, the following attacks could be perpetrated on the network:

  • All traffic from a network with a hijacked router or switch can be stopped.  If this were a major Internet hub, millions could be affected.
  • Internet routing tables could be corrupted causing massive routing problems and connectivity issues across the Internet.
  • DNS (Domain Name System) can be hijacked using traffic redirection techniques.
  • All websites can easily be redirected and forged.
  • All traffic from a network with a hijacked router can be diverted to a hacker for a man-in-the-middle attack.  Think of this as the ultimate wire tap.
  • Passwords could be stolen, leading to further compromises in security.
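The practical first step against everything in that list is knowing how old the IOS images on your own switches and routers actually are. The script below is an added example written for this article, not Cisco tooling or anything from Lynn's presentation: it parses the version string and compile date out of `show version` output and flags images older than a cut-off. The two `show version` excerpts are constructed, the hostnames are made up, the reference date is the week of the article, and the three-year threshold is an assumption taken from the paragraph above; the age check is only a proxy, since the authoritative answer is the fixed-release list in Cisco's advisory, which this page does not reproduce.

```python
"""Flag stale Cisco IOS images from `show version` output.

Added example for this article (not Cisco's code).  The `show version`
excerpts are constructed, the hostnames are fictitious, and the
three-year cut-off is an assumption drawn from the article.
"""
import re
from datetime import date, datetime

# Constructed excerpts in the shape of real `show version` banners.
SAMPLE_SHOW_VERSION = {
    "core-rtr-1": (
        "Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), "
        "Version 12.4(3), RELEASE SOFTWARE (fc2)\n"
        "Compiled Wed 13-Jul-05 19:40 by alnguyen\n"
        "core-rtr-1 uptime is 3 weeks, 2 days, 4 hours\n"
    ),
    "branch-sw-7": (
        "Cisco Internetwork Operating System Software\n"
        "IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(8)T, "
        "RELEASE SOFTWARE (fc1)\n"
        "Compiled Tue 19-Feb-02 02:35 by pwade\n"
        "branch-sw-7 uptime is 2 years, 41 weeks, 3 days\n"
    ),
}

# Assumed reference date: the week this article was written.
REFERENCE_DATE = date(2005, 8, 1)
# Assumed cut-off, from the article's "3 or more years old" remark.
MAX_AGE_YEARS = 3.0

# "Version 12.2(8)T" -> major, minor, build, train (train may be empty).
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Za-z0-9]*)")
# "Compiled Tue 19-Feb-02 02:35 by pwade" -> "19-Feb-02"
COMPILED_RE = re.compile(r"Compiled \w{3} (\d{2}-\w{3}-\d{2})")


def parse_version(text):
    """Return (major, minor, build, train) from a show version banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no IOS version string found")
    major, minor, build, train = m.groups()
    return (int(major), int(minor), int(build), train)


def parse_compile_date(text):
    """Return the image compile date as a datetime.date."""
    m = COMPILED_RE.search(text)
    if not m:
        raise ValueError("no compile date found")
    return datetime.strptime(m.group(1), "%d-%b-%y").date()


def image_age_years(text, today):
    """Age of the running image in years, measured from its compile date."""
    return (today - parse_compile_date(text)).days / 365.25


def audit(inventory, today=REFERENCE_DATE, max_age_years=MAX_AGE_YEARS):
    """Map hostname -> (version tuple, age in years, stale flag)."""
    report = {}
    for host, text in inventory.items():
        age = image_age_years(text, today)
        report[host] = (parse_version(text), round(age, 2), age > max_age_years)
    return report


def audit_sample():
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_SHOW_VERSION)


if __name__ == "__main__":
    for host, (ver, age, stale) in audit_sample().items():
        ver_str = "%d.%d(%d)%s" % ver
        flag = "STALE - schedule upgrade" if stale else "ok"
        print("%-12s IOS %-12s %5.2f years  %s" % (host, ver_str, age, flag))
```

Feed it the saved output of `show version` from each device (for example, collected over SSH or from your configuration backups) in place of the constructed dictionary; anything flagged stale is a candidate for the advisory's fixed-release check before it becomes the router in the list above.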

As a result of last week's incident, Cisco finally released this late security advisory to warn its customers to update their IOS software.  But the sad reality is that few businesses and organizations will take heed of this warning, and most will continue running unpatched IOS until an imminent threat surfaces.
