Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that 'A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled.' Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
I wonder if these insecurities are in my Cisco 350 series Aironet radio card? My ISP should be informed of this if they are there.
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
Great. So... that makes it Ok then?
Do they plan on releasing a firmware update? If so, how do we know they aren't going to put another backdoor into that and simply change the information? Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?
-- johntracy.com, because everybody else is wrong.
(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)
I can see why it's useful to have a master password, but really, it was bound to cause major embarrassment in the end - the only way it would work is if everyone who knew it (presumably Cisco employees) never ever divulged it. That's likely!
Simon
Physicists get Hadrons!
People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
Hmm yes, like when SGI shipped their machines with much the same problem. Has nearly a decade of fighting computer intrusion taught them nothing? That's pretty shoddy, Cisco.
I don't read your sig, why do you read mine?
Nobody but a few key developers have a clue that the fix is not actually a fix.
It's just a theory, and if you look at my post, I fully admit - it's paranoid.
Kinetic stupidity has a new brand leader: Allen Zadr.
If it is necessary to have a backdoor, it should only be enabled temporarily via a switch/hardware button (in the case that the admin password was forgotten).
I.e. in order to get in through the backdoor, you need to hold down a button for 10 seconds, and the login will be enabled for the next 2 minutes (which should be enough time to change the admin pw if it is forgotten). This would require that the site be physically secure; however, it would prevent anyone from remotely accessing the backdoor (unless someone is actually there to hit this switch).
I totally disagree. If the company who purchases the product doesn't take sufficient action to see that their data isn't lost, it is their fault. After all, they could put a common user/pass on all their systems themselves (self back door).
I'm very sorry, but if I found out that someone had backdoor'd one of my systems I'd like to know why, and "I thought you were too stupid to ensure your own data" is not an excuse I'd be willing to take!
I was called by an apartment complex that offered broadband to tenants. Apparently, one of the kids (mostly college students) had taken a networking class or something, and telnetted in to the switches, and screwed a bunch of stuff up.
Of course, he changed the password to who knows what, so we had to call Nortel up and read them the serial number from each switch, and they gave us a backdoor password. I believe it was generated by a program they had. We had to verify proof of purchase and everything with the company, but who couldn't forge an invoice from CDW or Insight?
Cisco actually has a better track record than some other closed source vendors I could mention.
That's a silly comment. Up until a few hours ago you would have thought Cisco was pretty good. Now they have done a really stupid thing and have been caught red-handed.
The question we should be asking is what else have they done that their customers would object to if they knew about it?
Call me paranoid, but this is exactly the sort of behaviour that I expect from software/hardware manufacturers. Cisco just happened to get caught doing it.
Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).
Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a DIP switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a response string and use it to log in, and then you change the password.
The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
How can they do better? The phrase "best of our ability" means they cannot be surer of the statements' accuracy. They can get away with "We tried our best" because they cannot have tried harder.
...of the phrase that President Reagan used to tell Gorbie all the time: "Trust, but verify."
Cisco has been a major player for a long time, so we have a de facto trust relationship with them, but we need to be able to verify their account guarding. All they need to do is open the firmware up and let the million eyes peer through it. Any vulnerability detected and not reported by one will surely be caught by another, and assuming he's not trustworthy either, there are still more eyes. Quis custodiet ipsos custodes? The only problem is if the flaw doesn't exist in only flashable firmware (i.e. in hardware someplace that can't be modified at all) - then that would be an issue. I think we can trust the Cisco hardware; it's the flashed system that needs to be checked.
So, Cisco, how about opening that up? Come on, be a pal....
That fix, be it an actual removal of the userid/password, or a paranoid password change, is just as installable, either way.
/. isn't exactly what would qualify as a secret now, is it?
Upgrading firmware or substantive software is always a process of weighing costs vs. benefits. The constant cost of upgrade is that something breaks and renders years of investment at risk. "Bodies in motion tend to stay in motion" is almost as true for computers as for physical bodies with mass.
So while "just as installable" may be an accurate way of saying a password change is just as installable as a username/password removal, what you are not addressing is the alert that is often needed to light the fire of sysadmins to apply that fix. In this case, anything less than disclosure would have been seen as disingenuous, as many would not have been given accurate enough information to perform the cost-benefit analysis of upgrading.
And a post on
I'm not seeing where you are coming from or where you are going with this. But it seems important; you may wish to elucidate.
Apparently his company was approached by Cisco on the feasibility of using their GPS chips in "all of our [Cisco's] upcoming products." From the discussions, it appeared that Cisco wanted to put GPS capabilities in their routers and such, but they were being hush-hush about it, implying that this wasn't to be a publicly known feature.
And before you say "You can't use GPS in a data center", I should note that at least one company in that field has a chipset which is known to work well inside of buildings. And ethernet cables make huge antennas.
A Cisco exec should do hard time for this.
From the Slashdot story: "Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
This should be shortened to: "Can we trust closed-source vendors?"
History has shown that we cannot.
Take Microsoft for example. LUGOD maintains a list of stories about Microsoft abusiveness: Reasons to Avoid Microsoft. I counted more than 200 in 2002, and things have gotten worse since then.
(This seems to be one of the few times that Open Source advocates have invented an interesting name: Linux User GOD. Sounds like a new religion.)
Part of the problem seems to be that, eventually, closed-source vendors begin to be controlled by managers who have no technical experience. Such managers can help the company make more money only by abusing the customer, because they don't know enough to contribute to technical improvements.
Why has Google risen to prominence so quickly? Partly because they know what they are doing technically. But largely because they have a policy of "do no harm". It's a simple policy, but most managers are not able to come to the conclusion they should follow it.
Most managers seem to have received their training by mimicking the abusive, ignorant PHB in Dilbert cartoons. Think what a terrible world we live in that Dilbert is considered funny!
I know most Open Source developers are uncomfortable with this description, but they approach their work as an act of love. Whatever the reason, history has shown that they are far more trustworthy.
Well, yeah. Considering Cisco's market penetration and popularity, it is amazing they have had so few security problems. They have a track record that even Apache should envy. One mistake and some of the Slashdot mind-droids are spouting "well, that is because they are not open source".
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Find out here. It's not the router. It's not the radio. It's not the switch. It's the management platform that you can use to monitor your wireless connections. Why any company would allow network access to this device from an un-secure network is beyond me. Still don't know why it's front-page news, besides the fact it gives us a chance to bash closed source systems.
I do not.
IMO, you definitely do not understand how Cisco marketing functions. It took me 5+ years of dealing with it to start understanding it. Basically, every single IOS release they shipped is bug ridden beyond any reasonable limits. Any other company shipping such crap would have failed long ago. They did not. The reason is that they have created cottage industries of "certified specialists" all over the world which will make sure that their customers and employers will never buy anything but Cisco and never hire an unfettered one. Just have a look how many banks run "Cisco Only Networks". The reason for this is simple. They are employed because there is always something wrong and there is always something to fix. Cisco knows this and it will never ever kill what makes 90% of its enterprise sales.
This is also the reason why even Cisco-supplied GUI or centralised management solutions never manage some features. This is also the reason why there is no way in hell for you to get anywhere trying to manage Cisco gear using industry standard protocols. Ever tried to do some alteration of IP parameters on Cisco via SNMP? I am not even talking about rocket science like the diff-serv MIB or the BGP MIB. Ever tried to hook it to a proper element manager without a few Ms of glue code that does direct CLI? Dream on...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Cisco is bad because it doesn't sell open source solutions?
No, Cisco is bad because they stuck a backdoor into their product that potentially fucked over a bunch of their customers.
I bet half your jobs depend on cisco.
And what kind of half-assed argument is that? Just because people use their products doesn't mean that their jobs depend on Cisco. Cisco can be ripped out and replaced just like most vendors. Get some Foundry or Nortel equipment.
Oh yeah, and fuck you too.
Where's my lobbyist? Right here.
Exactly. I'd treat "we don't have a backup of the router config" pretty much the same as "we don't have a backup of the webserver" when deciding how badly I'd have to lart the respective administrator. Even little home routers often have the ability to transfer their configs, even if just via their web interface.
Dewey, what part of this looks like authorities should be involved?
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Well, we certainly can't trust Cisco anymore. The reason is because trust is built up by having the ability to screw up and then not doing so. Cisco has clearly violated the trust of anybody who wanted a zero-backdoor product, and I submit that this breach is one that cannot be recovered from.
However, I certainly understand why Cisco insists on there being such a hard-coded full-control backdoor. If you ever lose possession of the root password, you are screwed and you can turn a big-dollarsign router into a paperweight. It makes sense that Cisco should be able to swap your locked-up router for a like part in its default settings, and then be able to recover most of its value as an "open box" "remanufactured" item since there was nothing wrong with it other than an unknown password that since has been reset.
Really, I'm not mad at Cisco for having backdoors as much as the fact that they refused to admit that there were secret backdoors.
I'm not sure backdoors are as blatantly obvious. What about something like this?
int checkPassword(const char *password) {
    const unsigned char *hash = getHash(password);   /* NULL if no hash could be produced */
    if (hash) {
        return memcmp(hash, storedhash, HASH_LEN) == 0;   /* compare the whole hash, not just its first byte */
    } else {
        logAuthError("Hash could not be found");
        return FALSE;
    }
}
Looks correct, but if I modify getHash to return NULL when the password is a certain string, and logAuthError (which is actually buried in a separate header) doesn't actually log an error but returns TRUE, I'm in.
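The pattern from the post above, written out as an added example (not the poster's code), beside the form a reviewer should ask for. The toy hash, the "magic-trigger" password and every function name are assumptions constructed for this example; the point is that the hardened check fails closed and the error path cannot decide the result.

```c
#include <stddef.h>
#include <string.h>
#define HASH_LEN 4
/* Constructed toy hash, not a real digest: folds password bytes into four counters.
 * It returns NULL for one "magic" password, standing in for the hidden trigger
 * the post describes (name and value are assumptions for this example). */
static const unsigned char *get_hash(const char *password) {
    static unsigned char buf[HASH_LEN];
    if (strcmp(password, "magic-trigger") == 0)
        return NULL;
    memset(buf, 0, sizeof buf);
    for (size_t i = 0; password[i]; i++)
        buf[i % HASH_LEN] = (unsigned char)(buf[i % HASH_LEN] * 31 + password[i]);
    return buf;
}
/* Copy of the legitimate password's hash, as a device would store it
 * (must not be called with the trigger password: get_hash would return NULL). */
static const unsigned char *stored_hash_for(const char *password) {
    static unsigned char stored[HASH_LEN];
    memcpy(stored, get_hash(password), HASH_LEN);
    return stored;
}
/* The pattern from the post: the "logger" lives in another header and
 * expands to a return of success, so the NULL branch grants access. */
#define logAuthError_hidden(msg) return 1
static int check_password_as_posted(const char *password, const unsigned char *stored) {
    const unsigned char *hash = get_hash(password);
    if (hash) {
        return memcmp(hash, stored, HASH_LEN) == 0;
    } else {
        logAuthError_hidden("Hash could not be found");
        return 0;  /* never reached: the macro already returned 1 */
    }
}
/* Hardened form: the logger returns void so it cannot change control flow, a
 * missing hash fails closed, and only a constant-time full-width compare can grant. */
static void log_auth_error(const char *msg) { (void)msg; /* write to syslog here */ }
static int check_password_hardened(const char *password, const unsigned char *stored) {
    const unsigned char *hash = get_hash(password);
    if (hash == NULL) {
        log_auth_error("Hash could not be computed");
        return 0;
    }
    unsigned char diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= (unsigned char)(hash[i] ^ stored[i]);
    return diff == 0;
}
```

In review, the things to grep for are exactly what the hardened form removes: a logging or error helper that is a macro or returns a value, and any path where the authentication result is not the output of the comparison itself.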