Slashdot Mirror


Cisco Systems Will Be Auditing Their Code For Backdoors (cisco.com)

An anonymous reader writes: In the wake of the discovery of two backdoors on Juniper's NetScreen firewall devices, Cisco Systems has announced that they will be reviewing the software running on their devices, just in case. Anthony Grieco, a Senior Director of the Security and Trust Organization at Cisco, made sure to first point out that the popular networking equipment manufacturer has a "no backdoor" policy. According to Grieco, "Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience." The reviewers will be looking for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.

128 comments

  1. You mean by Anonymous Coward · · Score: 5, Insightful

    They haven't been already?

    1. Re:You mean by NatasRevol · · Score: 2

      I think this is what bothers me more than anything.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:You mean by rubycodez · · Score: 1

      No, time and again their products have exploits that had fixes for a long time. No one should use Cisco products; they aren't secure.

    3. Re:You mean by Nutria · · Score: 2

      Security analysis is a long and tedious process performed by specialists. Is it really any wonder that so few projects have it done?

      --
      "I don't know, therefore Aliens" Wafflebox1
    4. Re:You mean by kheldan · · Score: 2
      Allow me to translate:

      Cisco Systems will pretend to audit their firmware for backdoors -- while simultaneously reaching behind them for their NSA/CIA/FBI payout for their 'services to their Country'

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    5. Re:You mean by macs4all · · Score: 1

      Allow me to translate:

      Cisco Systems will pretend to audit their firmware for backdoors -- while simultaneously reaching behind them for their NSA/CIA/FBI payout for their 'services to their Country'

      EXACTLY what I came here to say.

    6. Re:You mean by Anonymous Coward · · Score: 0

      Why do you think Cisco is so peeved that the NSA intercepts deliveries to customers to install backdoored firmware?

    7. Re:You mean by Anonymous Coward · · Score: 0

      If Truecrypt can do it, anyone can. I'd like to think Cisco has more money to foot the bill.

      They just don't want to know how bad it is. [Or anyone else, for that matter.]

    8. Re:You mean by LWATCDR · · Score: 1

      I am sure they have, but now they have a pattern to look for.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    9. Re:You mean by Anonymous Coward · · Score: 5, Insightful

      No, time and again their products have exploits that had fixes for a long time. No one should use Cisco products; they aren't secure.

      You're an idiot. If you're a Carrier network or large Enterprise, you have two options- Juniper or Cisco. Nobody else makes hardware that even comes close when you're talking routing and switching. IF Cisco (or Juniper) were as insecure as you claim, the entire internet would have been completely owned long ago.

      Yes, there have been issues at times with various specific product lines. But neither Cisco's primary IOS nor Juniper's Junos have ever had a large-scale issue in regards to security, and what issues have shown up over the years have been simple to mitigate or render moot, and are fixed quickly... usually long before the media ever gets wind of it. Most of the problems show up in the crappier low-end product lines, or platforms that are already end of life.

      There's no good reason you should even have the device's management interface directly exposed to the public internet. Period. If you want to be able to remotely manage your equipment, you set up a VPN which will then give access to your internal, privately addressed (i.e. not publicly routable) management network, and access the equipment from the inside. You should ***NEVER*** be able to directly open a connection, either via SSH or any other method, from the 'wild' internet... it's just flat out stupid even if there are no flaws in your equipment.

    10. Re:You mean by davester666 · · Score: 3, Insightful

      They also need to check if any of the employees with code change privileges have been getting outside bonuses from the NSA.

      --
      Sleep your way to a whiter smile...date a dentist!
    11. Re:You mean by fizzer06 · · Score: 3, Funny

      Up until now, they have been auditing their backdoor for code.

    12. Re:You mean by Anonymous Coward · · Score: 0

      You might want to conduct a self-test, because it appears that you're trapped inside a classic Conspiracy Theorist reasoning loop. If Cisco does nothing, clearly it's proof they're conspiring against their customers. If Cisco does do something, then... apparently it's clearly STILL proof that they're conspiring against their customers?

      So oh wise one who uniquely sees through all these conspiracies and lies to discern the Real Truth, save Cisco some time on their foolish, shallow tricks: What, precisely, DO they have to do before you're satisfied?

    13. Re:You mean by sphealey · · Score: 2

      = = = You're an idiot. If you're a Carrier network or large Enterprise, you have two options- Juniper or Cisco. Nobody else makes hardware that even comes close when you're talking routing and switching. = = =

      A bit of an exaggeration, but reasonably correct.

      = = =IF Cisco (or Juniper) were as insecure as you claim, the entire internet would have been completely owned long ago.= = =

      I think at this point we have to accept that the entire Internet being owned is a fact, and probably has been since the first malicious sniffer was found on the backbone (around 1994 IIRC, although the memory is a bit dim). It seems reasonable to think that all the world's major sigint agencies have operatives/moles deep inside the major equipment and software providers and that all core infrastructure is cracked and spewing our information.

      sPh

    14. Re: You mean by IBME · · Score: 1

      Yeah and I hope they choke on it biiiiig time!

    15. Re: You mean by IBME · · Score: 1

      Too true. I have no faith in the cert authorities either. Time will tell all.

    16. Re:You mean by KGIII · · Score: 1

      What, precisely, DO they have to do before you're satisfied?

      Well, they can start with that tongue thing between my nutsack and inner thigh and we'll figure it out from there.

      Err... I have some bad memories associated with Cisco. Then I found Juniper. Now, I don't do jack shit any more but Juniper was pretty good for my company. Cisco kit was like twice as expensive - or more. I was able to sell the used kit and make back much of what I'd spent on the *upgrade* to Juniper.

      So yeah, Cisco and lick my taint too, seeing as they're down there.

      Hmm... I need to see a therapist or something. I seriously hate them. I hate them almost as much as I hate Oracle.

      --
      "So long and thanks for all the fish."
    17. Re: You mean by Anonymous Coward · · Score: 0

      Hmm... I need to see a therapist or something. I seriously hate them. I hate them almost as much as I hate Oracle.

      No man, that's just normal.

    18. Re:You mean by gweihir · · Score: 1

      Naaa, they may have found something. You know, like Juniper did. It is only now after Juniper did the right thing, that Cisco feels compelled to do so too. I am sure they would have avoided it if they saw some way to do that. I am also sure they will try hard to not find anything, if at all possible without breaking credibility completely.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:You mean by gweihir · · Score: 1

      There may often not be a choice. However, it is not smart to trust their hardware, so you need firewalls and/or passive monitoring equipment that you do trust. Sniffing passively for connections to your firewall that should not be there is not even hard. (Of course, only very few people do that, as it costs money...)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
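      As an added example (not part of the thread or of any vendor's code), here is the passive check gweihir describes, written as a Python audit over per-connection session records such as a collector or a Zeek-style conn log produces from a mirror port. It assumes the records list the connection initiator as the source, and that the device address, allowed peers and sample records are constructed values.

```python
"""Passive audit for connections a firewall should not be making or receiving.

Added example, not from the thread. Input is one session record per
connection ("initiator,sport,responder,dport,proto,bytes"), with the initiator
as source, as a bidirectional-flow collector or Zeek conn.log would produce.
All addresses, ports and records below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed: the monitored firewall and the peers it may contact on its own
# behalf. Anything else the device initiates is a candidate covert channel.
DEVICE_ADDR = ipaddress.ip_address("192.0.2.1")
OUTBOUND_ALLOWLIST = [
    (ipaddress.ip_network("192.0.2.10/32"), {123}),      # NTP server
    (ipaddress.ip_network("192.0.2.11/32"), {514}),      # syslog collector
    (ipaddress.ip_network("10.10.0.0/24"), {22, 443}),   # management subnet
]
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")          # only net allowed to manage it
MGMT_PORTS = {22, 443}                                   # SSH and HTTPS management


@dataclass(frozen=True)
class Flow:
    src: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    sport: int
    dst: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'src,sport,dst,dport,proto,bytes' record; None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    src, sport, dst, dport, proto, nbytes = (f.strip() for f in line.split(","))
    return Flow(ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst),
                int(dport), proto.lower(), int(nbytes))


def classify(flow: Flow) -> str:
    """Return 'transit', 'expected', 'unexpected-outbound' or 'unexpected-inbound'."""
    if flow.src == DEVICE_ADDR:
        # The device itself opened this connection: it must match a known peer and port.
        for net, ports in OUTBOUND_ALLOWLIST:
            if flow.dst in net and flow.dport in ports:
                return "expected"
        return "unexpected-outbound"
    if flow.dst == DEVICE_ADDR:
        # Someone opened a connection to the device: management ports are only
        # acceptable from the management network. Other services (e.g. VPN
        # termination) are left alone here; add them to the policy as needed.
        if flow.dport in MGMT_PORTS and flow.src not in MGMT_NET:
            return "unexpected-inbound"
        return "expected"
    # Neither endpoint is the device: traffic merely forwarded through it.
    return "transit"


def audit(lines: Iterable[str]) -> List[Tuple[str, Flow]]:
    """Return (verdict, flow) for every connection that should not be there."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict.startswith("unexpected"):
            findings.append((verdict, flow))
    return findings


# Constructed session records; comments mark the verdict each should receive.
SAMPLE_RECORDS = """
# initiator,sport,responder,dport,proto,bytes
192.0.2.1,51000,192.0.2.10,123,udp,76          # device -> NTP: expected
192.0.2.1,51001,192.0.2.11,514,udp,240         # device -> syslog: expected
10.10.0.5,44000,192.0.2.1,22,tcp,5120          # admin on mgmt net -> device SSH: expected
192.0.2.1,51002,198.51.100.7,443,tcp,9000      # device -> unknown host on 443: flag
203.0.113.9,40000,192.0.2.1,22,tcp,300         # SSH to device from outside mgmt net: flag
198.51.100.20,3000,203.0.113.4,80,tcp,1500     # transit traffic: ignore
""".strip().splitlines()


if __name__ == "__main__":
    for verdict, flow in audit(SAMPLE_RECORDS):
        print(f"{verdict}: {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"({flow.proto}, {flow.nbytes} bytes)")
```

      On the constructed records the audit flags exactly the device-initiated HTTPS session to the unknown host and the SSH session to the device from outside the management network, and ignores forwarded traffic.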
    20. Re:You mean by gweihir · · Score: 1

      In relation to the assets protected, it usually is peanuts. My guess is it is so rare because they do not want to look, as that could bring negative press, a need to "do something", and maybe (depending what agreements they have with the NSA, Russian intelligence, Chinese intelligence, GCHQ, etc.) even a need to hide a new set of backdoors a lot better.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re:You mean by gweihir · · Score: 1

      That depends. If they think they can get away with it, they will have somebody corrupt do the audit. That is then one security company with a potential reputation problem. But exactly because of that effect, they may actually not be able to get anybody both reputable and corrupt.

      Of course, if they do it in-house, the worth of the results is exactly zero.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re:You mean by Nutria · · Score: 2

      In relation to the assets protected

      That requires long-term thinking.

      My guess is it is so rare because they do not ...

      want to spend the money. I've been in the computer world -- first as a programmer, and then as a DBA -- for 25+ years, mostly for Very Large Businesses, and there's one undeniable truth: bean counters rule the roost.

      --
      "I don't know, therefore Aliens" Wafflebox1
    23. Re:You mean by AmiMoJo · · Score: 1

      A) Huawei and a few others make similar equipment. Much of the backbone in Japan runs on NEC routers, for example.

      B) The internet was owned by the NSA/GCHQ exploiting zero day bugs and backdoors, or simply intercepting Cisco gear and installing malware before it got to the customer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    24. Re:You mean by rubycodez · · Score: 1

      You are the idiot; you yourself mentioned one alternative to Cisco, and there is more than Juniper.

      Plenty of remote exploits, non-management interface, have existed. Google it and look at the massive volume of pages returned.

    25. Re:You mean by xiux · · Score: 1

      If you're a Carrier network or large Enterprise, you have two options- Juniper or Cisco. Nobody else makes hardware that even comes close when you're talking routing and switching.

      Cisco has the market in the enterprise, but the service provider space is a bit more competitive, simply because service providers generally don't like to single source major components to their core business. Many are now looking into white box configurations with SDN.

      There's no good reason you should even have the device's management interface directly exposed to the public internet.

      Many times the management interface of a routing device is not used, in lieu of a management IP address on a software loopback interface. This is so the device is reachable in the event of a link failure, because the management address is associated with an interface (software) that will never be withdrawn from the routing table. All the management IP needs to be reachable is at least one functioning routed interface.

      If you want to be able to remotely manage your equipment, you setup a VPN

      I'm not sure I would trust an SSL, or better yet a TLS, encrypted tunnel over an SSH connection. The OpenBSD guys tend to be pretty paranoid about security; the OpenSSL community doesn't have the same reputation. Ultimately it comes down to the implementation that is more trusted; for example, I would trust an OpenBSD based OpenSSH server over a Cisco device for receiving SSH connections directly from the internet.

      which will then give access to your internal, privately addressed (i.e. not publicly routable) management network, and access the equipment from the inside

      I don't think of private addressing as a strong security measure. Having adequate access controls at administrative boundaries would be more effective and less complex. It's been repeated many times on this forum and others: NAT is not a security feature.

      You should ***NEVER*** be able to directly open a connection, either via SSH or any other method, from the 'wild' internet... it's just flat out stupid even if there are no flaws in your equipment.

      Multiple layers of security are definitely helpful. It diminishes the effectiveness if the same credentials are used to secure each layer.

    26. Re:You mean by kheldan · · Score: 1

      What, precisely, DO they have to do before you're satisfied?

      No one likely will see this, but I'll say it anyway: They could go completely open-source with their firmware, allowing anyone and everyone to examine it, and compile it, compare the resulting binary to what's shipped on a device, and allowing the meticulous, cautious types to compile and upload the resulting binaries to their devices, ensuring that there aren't any backdoors in the code. It would also allow 3rd parties to fix any bugs themselves, if they so choose, to their own satisfaction. In a word: Transparency, that's what.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  2. Let's not by Anonymous Coward · · Score: 1

    and say we did. It's apparent by now that Cisco will do what the NSA tell them to. This is just about saving face, and more importantly, saving that sweet revenue.

    1. Re:Let's not by phishybongwaters · · Score: 1

      The same Cisco that immediately changed their shipping routines after the NSA leaks? The same Cisco that's setting up pentesting sites so customers can come analyze their devices before they deploy them? I think you said Cisco but meant to say Apple.

    2. Re:Let's not by Anonymous Coward · · Score: 2, Insightful

      Sure, until the NSA hands the CIO an NSL prohibiting him from announcing the new backdoor they've been required to install. (And the same goes for Juniper and Palo Alto and anyone else with an office in the U.S.)

    3. Re: Let's not by Anonymous Coward · · Score: 0

      xianism requires that.

    4. Re:Let's not by slowdeath · · Score: 1

      Don't you mean the *CSA* (i.e., the Chinese Security Agency) and not the NSA? Juniper code was infected in China. Cisco has development in China also.

    5. Re:Let's not by epyT-R · · Score: 1

      Simple. To make it look like they're doing something about it. NSLs ensure backdoor cooperation.

    6. Re:Let's not by epyT-R · · Score: 1

      As opposed to a what? A muslim run corporation? An atheist one? Belief in the supernatural has little to do with corporate behavior.

    7. Re:Let's not by ole_timer · · Score: 0

      and that's one of the problems today

      --
      nothing to see here - move along
    8. Re:Let's not by Anonymous Coward · · Score: 0

      A friend of mine always thought such stories were conspiracy theories until the last Republican debate. Carly said that she was disappointed with modern tech companies because when she was CEO of HP, she got a call from the NSA and diverted a truck for them to do whatever with that equipment before sending on to its destination.

    9. Re:Let's not by macs4all · · Score: 1

      The same Cisco that immediately changed their shipping routines after the NSA leaks? The same Cisco that's setting up pentesting sites so customers can come analyze their devices before they deploy them? I think you said Cisco but meant to say Apple.

      Where is the proof that Apple has been in cahoots with the NSA/CIA, etc?

      I think you said Apple, but meant Lenovo and HP.

    10. Re:Let's not by Anonymous Coward · · Score: 0

      Yes, the same Cisco that tries to save face and revenue in whatever ways they can. Come and test our device and finalize the firmware and software installation? How is that going to help when you can't audit the source code for hardware, firmware, or software? The U.S. gov has the final word on the matter, and that word is that the NSA will be all up in U.S. tech products. That's how it is, and it won't change.

      -1? Really mods? There's nothing wrong with AC's post here. AC is merely expressing a deep cynicism over any US tech corporation's say-so that they're interested in making sure their products cannot be used for intercept purposes. Given everything that's been revealed over the last 15-20 years, I'd say the cynicism is warranted. In any case, AC's post is not flamebait, or trollish.

    11. Re:Let's not by Anonymous Coward · · Score: 0

      ^^Juniper code was infected in China.^^

      Source please

    12. Re:Let's not by jon3k · · Score: 1

      If that were true then the TAO wouldn't have had to intercept routers during shipment to backdoor them.

    13. Re:Let's not by greenfruitsalad · · Score: 1

      I think testing Cisco equipment for surreptitious traffic when you have only Cisco equipment (in a Cisco lab) listening down the line will yield no results. A few bits here and there to tag the NSA traffic and the backdoored firmware in routers down the line will simply not increase any counters.

      The way to do it is to have a chain of Cisco/Juniper and Huawei routers. Huawei will notice traffic headed for the NSA, Cisco/Juniper will notice the Chinese backdoor. Unless the two are in bed with each other.

    14. Re:Let's not by mysidia · · Score: 1

      An NSL can only require that you deliver information in their possession; if other demands are made, then they are unlawful.

      There is no law that allows compelling the manufacturer of a device to add any surveillance feature.

    15. Re:Let's not by Anonymous Coward · · Score: 0

      An NSL can only require that you deliver information in their possession; if other demands are made, then they are unlawful.

      Tell that to Lavabit.

      There is no law that allows compelling the manufacturer of a device to add any surveillance feature.

      Apparently you've never heard of CALEA.

    16. Re:Let's not by sphealey · · Score: 1

      = = = if other demands are made, then they are unlawful = = =

      Tell that to the CEO of QWEST.

    17. Re:Let's not by epyT-R · · Score: 1

      Belief in crazy shit rarely makes things better.

    18. Re:Let's not by Anonymous Coward · · Score: 0

      In any case, AC's post is not flamebait, or trollish.

      True, but -1 Retarded is not an option.

    19. Re: Let's not by Anonymous Coward · · Score: 0

      Fantastic :)

    20. Re:Let's not by slowdeath · · Score: 1

      Sure: http://www.theregister.co.uk/2...

      Just as reliable a source as all those who attribute the code to the NSA.

      More reliable IMHO. NetScreen founded by Chinese nationals, sustaining engineering has been done in China.

    21. Re:Let's not by cfalcon · · Score: 1

      The same Cisco that keeps getting pwned hard.

      Cisco hasn't rocked the boat on this. I don't know why you brought up Apple- what did they do wrong?

      The backdoors here are shocking. At this point, you're better off buying your network hardware from foreigners- or really, you're better off pushing everything through two or more stages, each under a different jurisdiction of manufacture, so that someone would have to know at least more than ONE backdoor.

      One thing is certain- given how the Juniper patch just reenabled the old backdoor (presumably the intended one), and that they are still using the known-bad "predictable number generator", while having the good one included (and disabled, tee hee!), they are absolutely untrustworthy, and anyone using them is a fool, no MATTER their later actions. If anyone continues to use them, assume that they want more of the same. Cisco is getting close to that too- because even if they mean well (and that's not been proven!), they certainly have demonstrated that they are constantly under attack and losing ground.

    22. Re: Let's not by Anonymous Coward · · Score: 0

      IIRC, you're the one who thought gotofail had a legitimate accidental commit of code (where no commit/patch would/could ever cause the gotofail).

  3. looking up 2nd opinions on alphabet.com by Anonymous Coward · · Score: 1

    history repealing itself continues... https://www.youtube.com/watch?v=sjgRbI7yQCI ..read the teepeeleaks etchings, we're the natives now...

  4. Makes a good case... by Junta · · Score: 1

    For never ever putting an 'appliance' directly on the internet. Particularly when it comes to closed source. It's attractive to think you can get something ready to roll specific to your needs, but it also means putting a huge maintenance burden on the provider of that appliance, with a huge potential set of code that could be compromised, and a higher latency for getting fixes (some appliances need to wait for their image provider, who waits for a well-known distribution to publish, who might wait for upstream to have a fix, on their best days).

    At least with software that pulls in only the parts that are truly unique to the use case, then a vendor only is responsible for their own mess, which is a bit easier.

    Too bad the trend is appliance-ification for *production*, using a docker pull or download a canned VM, instead of managing an image directly. These are slick and cool ways to evaluate and stand up something quick in a 'trusted' isolated environment (though one should always be vigilant regardless of 'internal' or not, the risk/benefit is different). When you go to an internet facing service, more care should be exhibited.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  5. Really? by Anonymous Coward · · Score: 0

    While it's nice they are stepping it up, it's sad it wasn't being done in the first place.

  6. Good PR I suppose by The-Ixian · · Score: 4, Insightful

    But what happens if they DO actually find something? Will they reveal it? I am guessing not.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Good PR I suppose by Anonymous Coward · · Score: 0

      Worst case, what if SOMEBODY ELSE finds it first?

    2. Re: Good PR I suppose by nehumanuscrede · · Score: 1

      I would think, if they wish to survive, if they found an anomaly, they would have to disclose it at this point.

      If they fail to do so, and someone else finds it, Cisco may as well throw in the towel. The idea being they're either incompetent or intentionally snuggling up to the three letter agencies. Neither of which are useful in securing trust for your products.

      Especially after making it public they're doing a security audit of their code.

    3. Re:Good PR I suppose by Anonymous Coward · · Score: 0

      Not if, when, and no, they will not reveal it all. They may reveal they found something minor, but they will start issuing patches and updates to their systems that will seem a lot larger than something minor...

    4. Re: Good PR I suppose by Anonymous Coward · · Score: 0

      What kind of fancy angle brackets were you going for to have slashdot mangle them so badly with its unicode handling?

    5. Re:Good PR I suppose by Nutria · · Score: 1

      Juniper revealed. Why shouldn't Cisco?

      --
      "I don't know, therefore Aliens" Wafflebox1
    6. Re: Good PR I suppose by The-Ixian · · Score: 1

      Yeah, Cisco would be one of the last companies I would trust, simply *because* their equipment is so ubiquitous. I am sure that three letter agencies have long ago co-opted Cisco.

      This whole code audit thing is so much PR BS. Why make a big deal out of it? Shouldn't it be a standard internal practice that would normally never make anyone bat an eye?

      It's like saying, "Oh hey, hello world! We are now implementing a policy review of our employee coffee service! Aren't you all amazed and astounded by how much we care?!"

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re:Good PR I suppose by drunk_punk · · Score: 1

      Agreed. Stock prices would dip and shareholders would sue. This is nothing more than bullshit posturing. I'd even be willing to bet that whoever issued this statement has already been given walking papers. Just for the simple fact that the statement is implying due diligence and QC has not been done.

  7. Theatre by Anonymous Coward · · Score: 0

    Get your popcorn and peanuts and sit down for some theatre.

  8. Synology have already audited their code by Anonymous Coward · · Score: 0

    https://wrgms.com/synologys-secret-telnet-password/

    And can confirm they can protect your data just in case. You never know.

  9. own worst enemy cheerleading for deep deception by Anonymous Coward · · Score: 0

    as well as genocidal bigotry.... phewww

  10. So what by NotInHere · · Score: 2

    Now they waste a lot of money for auditing, and if they really find something, I guess the NSA will send them a gag order. Then Cisco knows that they sell spyware, but what has changed for the customer? Nothing. Cisco will perhaps raise prices or deliver a lower quality product because they wasted all that money with the audits. Well, perhaps at least they will detect Chinese backdoors if there are any. But my guess is that if China has placed backdoors, they place them in the silicon, because that's hard to detect or remove.

    1. Re:So what by Anonymous Coward · · Score: 0

      So don't buy shit from ZTE.

    2. Re:So what by thegarbz · · Score: 1

      and if they really find something, I guess NSA will send them a gag order.

      No need. They are only auditing for unauthorised code.

  11. crusaders lament by Anonymous Coward · · Score: 0

    our skirts are clean so far as religious etc... promotion/demotion is concerned?

  12. Re:Last night by Anonymous Coward · · Score: 0

    Can confirm, your wife is really easy to penetrate.

  13. Thank goodness... by krashnburn200 · · Score: 5, Funny

    All our back doors are working fine!

    1. Re:Thank goodness... by Anonymous Coward · · Score: 0

      I admit my first thought was that they wanted to ensure that only the accredited back doors were in place, properly patched and up to date.

    2. Re:Thank goodness... by Anonymous Coward · · Score: 0

      "In case of the next Snowden, we need to be able to change the secret root access password."

  14. Re:Last night by Anonymous Coward · · Score: 0

    I know, right? I found three security holes!

  15. Re:Last night by Anonymous Coward · · Score: 0

    Does she have a "no backdoor" policy as well?

  16. There, fixed that by Anonymous Coward · · Score: 1

    Cisco Systems Will Be Auditing Their Code For _Unexpected_ Backdoors

  17. Why we need access to the *complete* set of code by Anonymous Coward · · Score: 5, Informative

    As one of the developers behind similar devices I can say we need access to the complete set of code and we don't have it. Even if Cisco does an audit they won't be able to ensure the complete set of code isn't back-doored. I work for a company that designs and manufactures routers, switches, and similar gear. There are at least a few bits which we don't have the complete sources for. For example, all the devices with 802.11ac chips in them. If any one of these pieces contains a backdoor we wouldn't know it. It is a major major security issue. Any number of parties besides the NSA might be backdooring *every* device, and because there are only a very small handful of companies with the code for these pieces it is highly likely that all of our systems are backdoored. Desktops, laptops, tablets, and most routers. There are probably only a few exceptions to this where the complete set of sources are available. I'd suggest checking out www.librecmc.org for consumer routers as it's the only embedded distribution I can confirm is back-door free for those devices which are supported.

  18. But will they analyze the C compiler? by Nutria · · Score: 3, Insightful
    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:But will they analyze the C compiler? by thegarbz · · Score: 1

      Oh please. There's no reason to believe that anyone in their right mind would go to the effort of executing this attack when quite frankly it is demonstrably possible to infiltrate organisations, people and agencies using far easier means.

      If CISCO software has backdoors it is probably hiding in plain sight with a procedure name like NSA_backdoor();
      Or maybe it was a bit hidden and called debug_testinterface(); //don't forget comment me out.
      Or at the very least if someone has made an effort to hide it it will be with some "bug" like a carefully placed buffer overflow.

      Why would anyone go to the effort of compromising a compiler?

    2. Re:But will they analyze the C compiler? by Nutria · · Score: 2

      Or maybe it was a bit hidden and called debug_testinterface(); //don't forget comment me out.

      That's exactly how the Juniper backdoor was compromised. The argument to the strcmp call is ..., which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code.

      Why would anyone go to the effort of compromising a compiler?

      The NSA doesn't do HUMINT. Backdooring the C compiler is exactly the kind of thing they'd do when these other channels of operation are closed.

      --
      "I don't know, therefore Aliens" Wafflebox1
    3. Re:But will they analyze the C compiler? by Anonymous Coward · · Score: 0

      https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

      Stop posting this old geezer's B.S. It's not true and easily detectable.

    4. Re:But will they analyze the C compiler? by Anonymous Coward · · Score: 0

      I disagree. If we have backdoored compilers, the effects across the tech industry will be ludicrous. Also, such an attack is a great deal more detectable than other things- in theory, anyone could find it by walking it over to a non-compromised hex editor, which can, if absolutely needed, be built by hand.

      If you're worried about that sort of thing, you're looking in the wrong place. The places where a ton of code can be hidden indefinitely that I can think of include: hard drive controller, hard drive internal, that fucked up second chip that can update your opcodes on all Intel chips, the AMD version of that shit, and USB code anywhere, at any point in the machine.

    5. Re:But will they analyze the C compiler? by gweihir · · Score: 1

      Old news and outdated. The compiler backdoors can now be prevented: http://www.dwheeler.com/trusti...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:But will they analyze the C compiler? by Nutria · · Score: 1

      The compiler backdoors can now be prevented

      Great. But is that technique actually implemented in the compiler(s) that Cisco uses?

      --
      "I don't know, therefore Aliens" Wafflebox1
    7. Re:But will they analyze the C compiler? by gweihir · · Score: 1

      Very, very unlikely. I am just pointing out that they could be secure against that threat if they chose so. Of course that costs money, hence they will not. In real-world capitalism, companies will produce the shoddiest quality they can get away with.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:But will they analyze the C compiler? by Nutria · · Score: 1

      In real-world everywhere, companies will produce the shoddiest quality they can get away with.

      Do you really think that communist Russia was or workers' paradise Cuba is that thorough with all their work?

      --
      "I don't know, therefore Aliens" Wafflebox1
    9. Re:But will they analyze the C compiler? by gweihir · · Score: 1

      Are you really dumb enough to assume anybody criticizing capitalism wants that version of socialism as an alternative? That requires a really, really limited view of the world.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:But will they analyze the C compiler? by Nutria · · Score: 1

      that version of socialism

      What other kinds of socialism are there? Small, Homogeneous European Socialist Pseudo-utopias don't really scale up that well.

      --
      "I don't know, therefore Aliens" Wafflebox1
    11. Re:But will they analyze the C compiler? by thegarbz · · Score: 1

      exactly the kind of thing they'd do when these other channels of operation are closed.

      My exact point was that these channels of operations are not closed, not to the NSA, not to some rogue employee, not to some idiot who "forgets to disable debugging code" and as history has shown, not to some internet hackers who do it for the lulz.

    12. Re:But will they analyze the C compiler? by gweihir · · Score: 1

      I rest my case regarding your stupidity.

      Hint: There are other models for society. It takes a minimum of actual education to see that though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. This is a joke by Anonymous Coward · · Score: 0

    If/when an American company is ordered to put a back-door in their software, they are also forbidden from discussing it.

    So this effort will only report non-governmental back doors, not NSA/CIA ones.

    e.g.: https://en.wikipedia.org/wiki/National_security_letter

  20. We're auditing our code by ThatsNotPudding · · Score: 1

    Trust Us

  21. Doesn't make sense.... by sentiblue · · Score: 1

    I don't get it...

    Isn't a backdoor supposed to be something you did on purpose? Why would you even have to audit to know if there's a backdoor?

    1. Re:Doesn't make sense.... by gstoddart · · Score: 1

      Isn't a backdoor supposed to be something you did on purpose?

      If there is such a thing, someone did it on purpose.

      But it may well not have been Cisco.

      Juniper found out it had backdoors they say they didn't put in. If you make a product which holds the keys to a lot of the internet, people are motivated to latch onto that.

      --
      Lost at C:>. Found at C.
    2. Re:Doesn't make sense.... by Anonymous Coward · · Score: 0

      Juniper only said they were 'unauthorized'.

      If somebody at Juniper put them in without some sort of 'proper' authorization, that would fit the description.
      It might also make a few liability lawyers a wonderful Christmas present.

      Still waiting for a more complete story of what actually happened at Juniper.

  22. Re:Why we need access to the *complete* set of cod by acoustix · · Score: 1

    Even if Cisco does an audit they won't be able to ensure the complete set of code isn't back-doored.

    While this is true, is that as big of a security risk? (yes, I realize that any security breach is a big deal, but I'm looking at the big picture here) If the chipmaker for the 802.11ac chips has a backdoor in it, then what can they gain access to? Can they control the entire device, or just that subset of the device? They might have access to the encrypted network traffic, but can they do anything with it? Also, wouldn't finding the dump of the data out of the network, or into the network be relatively easy to spot?

    Since I'm a sysadmin and not a hardware designer I'll wait for some answers here. Should be a good discussion.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  23. That's it? by Spinlock_1977 · · Score: 1

    That's all they're looking for?

    --
    - The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
  24. Re:Why we need access to the *complete* set of cod by Hizonner · · Score: 1

    If you control a network interface, you can generally control the entire system, because those chipsets have DMA access to the internal memory of the rest of the computer. You may have to do some work to figure out how to find and corrupt the OS data structures, but you have access to everything.

    If the owner of the system is very lucky, there'll be an IOMMU (without a back door) and the OS will have programmed that IOMMU to do something useful. But you can't rely on either, especially in embedded devices.

    Also, the driver for that chip is very unlikely to be hardened against the chip sending back exploits. The driver will distrust the network data (and won't process them very much anyhow), but it's going to assume that, say, an offset in a chip register is a valid value.
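
The driver-hardening point in Hizonner's comment above, as an added example that is not part of the original thread and not Cisco's or any vendor's code: a toy NIC receive path in C where the ring index and frame length the driver uses come from simulated device registers. The register layout, ring size, `struct nic`, and the return codes are constructed for illustration. The trusting version uses the device's values directly, which is the "assumes an offset in a chip register is a valid value" pattern; the hardened version range-checks both values and keeps the driver's own ring position, which is the cheapest part of treating the chip as untrusted (an IOMMU, where present and actually programmed, is the other layer).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RING_SIZE 8      /* constructed: receive descriptor ring entries */
#define FRAME_MAX 1518   /* constructed: bytes each descriptor buffer holds */

/* Simulated MMIO register block. A real driver reads these through the
 * platform's MMIO accessors; a compromised or buggy chip can put anything here. */
struct nic_regs {
    uint32_t rx_head;  /* descriptor index the device says it completed */
    uint32_t rx_len;   /* number of bytes it says it wrote there */
};

struct nic {
    struct nic_regs regs;
    uint8_t ring[RING_SIZE][FRAME_MAX];
};

/* Trusting receive path: rx_head and rx_len are used as index and length with
 * no check against the ring or the descriptor buffer. An index >= RING_SIZE
 * reads outside the ring; a length > FRAME_MAX reads past the descriptor. */
int rx_poll_trusting(struct nic *n, uint8_t *out, size_t out_sz)
{
    uint8_t *buf = n->ring[n->regs.rx_head];   /* unchecked device index */
    size_t len = n->regs.rx_len;               /* unchecked device length */
    if (len > out_sz)
        return -1;  /* only the caller's buffer is checked, not the device's claim */
    memcpy(out, buf, len);
    return (int)len;
}

/* Hardened receive path: every device-supplied value is validated before use,
 * and the driver advances its own position (sw_head) rather than letting the
 * device choose where it is in the ring. */
int rx_poll_hardened(struct nic *n, uint32_t *sw_head, uint8_t *out, size_t out_sz)
{
    uint32_t head = n->regs.rx_head;
    uint32_t len  = n->regs.rx_len;

    if (head >= RING_SIZE)
        return -2;  /* index outside the ring: device is lying or broken */
    if (head != *sw_head)
        return -3;  /* not the descriptor we are waiting on: out of protocol */
    if (len > FRAME_MAX || len > out_sz)
        return -4;  /* longer than the buffer the device was actually given */

    memcpy(out, n->ring[head], len);
    *sw_head = (head + 1) % RING_SIZE;
    return (int)len;
}

/* Constructed device behaviour: "complete" descriptor idx with len bytes of
 * fill, writing only inside the ring so the simulation itself stays safe. */
void nic_simulate_rx(struct nic *n, uint32_t idx, uint32_t len, uint8_t fill)
{
    memset(n, 0, sizeof *n);
    n->regs.rx_head = idx;
    n->regs.rx_len  = len;
    if (idx < RING_SIZE)
        memset(n->ring[idx], fill, len < FRAME_MAX ? len : FRAME_MAX);
}

/* Hardened poll result for one simulated device state, driver expecting
 * descriptor 0 next. Return codes: length on success, negative on rejection. */
int hardened_result(uint32_t idx, uint32_t len)
{
    static struct nic n;
    uint8_t out[FRAME_MAX];
    uint32_t sw_head = 0;
    nic_simulate_rx(&n, idx, len, 0xAB);
    return rx_poll_hardened(&n, &sw_head, out, sizeof out);
}

/* Trusting poll result; call only with in-range values, since out-of-range
 * ones are exactly the memory errors the hardened path refuses. The caller's
 * buffer is larger than a descriptor, as a driver's receive buffer often is. */
int trusting_result(uint32_t idx, uint32_t len)
{
    static struct nic n;
    uint8_t out[4096];
    nic_simulate_rx(&n, idx, len, 0xAB);
    return rx_poll_trusting(&n, out, sizeof out);
}

int main(void)
{
    printf("valid frame, trusting:  %d\n", trusting_result(0, 60));
    printf("valid frame, hardened:  %d\n", hardened_result(0, 60));
    printf("bogus index, hardened:  %d\n", hardened_result(RING_SIZE, 60));
    printf("bogus length, hardened: %d\n", hardened_result(0, 4000));
    return 0;
}
```

The difference to look for is in the hardened path's first three checks: each one compares a value the device wrote against state the driver owns (ring size, its own head, the buffer size it handed out), so a chip that misreports its position or frame length gets an error code instead of a memory write somewhere in the OS.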

  25. Re:Why we need access to the *complete* set of cod by BitZtream · · Score: 1

    Considering Cisco makes its own ASICs, I'm fairly certain they have the schematics, including its wifi chipsets.

    YOU can't audit the entire thing. That doesn't mean ${COMPANY} can't.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  26. Re:Last night by Anonymous Coward · · Score: 0

    I think you misunderstand the concept of "failed penetration testing".

  27. Re:Why we need access to the *complete* set of cod by Anonymous Coward · · Score: 0

    No. They don't. At least not any more and not wireless. Way back in the dark ages they may have been making their own Ethernet and backplane chips, but when was the last time you heard about their fab plant? Remember the big retooling to get their fab scale down to compete with cheap SoCs or the patent cases against them by Broadcom and Qualcomm et al? No, none of that? Because they aren't making their own wireless ASICs.

    I can assure you, no matter what you think you know, NO ONE has a clean end-to-end picture of WTF is going on under the hood any more.

  28. No *unauthorized* backdoor policy maybe by DeBattell · · Score: 1

    Cisco's code definitely includes back doors for legally authorized interception.

    1. Re:No *unauthorized* backdoor policy maybe by Anonymous Coward · · Score: 0

      Do you have evidence? Or are you an employee whistle-blower?

    2. Re:No *unauthorized* backdoor policy maybe by Anonymous Coward · · Score: 0

      I think DeBattell is referring to CALEA https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

    3. Re:No *unauthorized* backdoor policy maybe by Anonymous Coward · · Score: 0

      Cisco's code definitely includes back doors for legally authorized interception.

      It's not a backdoor when it's a feature that's documented. http://www.cisco.com/c/en/us/tech/security-vpn/lawful-intercept/index.html

  29. why haven't they been doing this already by Anonymous Coward · · Score: 0

    ???
    or have they?

  30. Auditing standards by cfalcon · · Score: 1

    What will their auditing standards be?

    > Back doors should appear to be standard coding errors
    > Find some obscure behavior in old and insecure crypto libraries, tie functions to that, use as excuse to not use up-to-date libraries
    > Ensure random numbers use a predictable method in some NSA-known number of dimensions
    > Use some Chinese words to make it look like we're the victims when the backdoor is discovered
    > Implement hardware protection using chips that are not subject to less than multi-million-dollar analysis, claim to protect trade secrets
    > Allow remote updates with 3G, or wireless, or just the wild internet: anything that responds to a private key. Because private keys are never stolen ever.
    > Don't have any method of verifying the firmware to a particular image or version
    > Avoid a write protect switch to firmware: firmware should be anything but firm!
    > Under no circumstances use open source code, or ensure a proprietary part holds the real keys

    With standards such as these, Cisco hopes to bring you better quality backdoors in the future!

  31. 2 options, orly? by Anonymous Coward · · Score: 0

    What about: paloalto, fortinet, fireeye, pfsense, cyberroam, etc?

  32. Re:Why we need access to the *complete* set of cod by hankwang · · Score: 1

    "There are at least a few bits which we don't have the complete sources for. For example all the devices with 802.11ac chips in them."

    But you know how those bits interact with the rest of the router. What kind of permissions does the radio firmware have that could be used for nefarious purposes? Serious question. Would nefarious firmware be able to leak AES keys or wifi passwords? Or read/write memory in the router OS?

  33. manufacturer has a "no backdoor" policy. by Anonymous Coward · · Score: 0

    So does my Girlfriend :(

  34. Wow by Anonymous Coward · · Score: 0

    This is all High Theatre,
    Good show old boy!

    1. Re:Wow by cfalcon · · Score: 1

      > This is all High Theatre,
      > Good show old boy!

      I don't think so. But I will say that such cynicism and paranoia was unthinkable five years ago, possible as a cautionary issue a year ago, and now seems unlikely but by no means crazy talk. Lame and scary.

  35. Re:Why we need access to the *complete* set of cod by AHuxley · · Score: 1

    Yes AC, that's the only way to escape the NSA and its traditional, generational relationships deep into the US brands.
    Nations have to buy their own domestic products, code on them and then work out CPU power, cooling, power needs and their own software.
    Importing US-installed trapdoors and backdoors over every generation of hardware and software is not going to help with any nation's competitiveness or security.
    5 Eyes+ nations getting a look into any network by default as shipped is not the best way to do computing.

    --
    Domestic spying is now "Benign Information Gathering"
  36. Re:Why we need access to the *complete* set of cod by Anonymous Coward · · Score: 0

    Good luck fuckers! I use an abacus!

  37. Re:Why we need access to the *complete* set of cod by gweihir · · Score: 1

    Excellent point. The only way besides full source and HW spec access I see, is treating things like the 802.11ac components as "hostile, likely compromised" in the system design. That makes things more expensive, of course.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  38. Re: Why we need access to the *complete* set of co by Anonymous Coward · · Score: 0

    If you're a big enough partner or pay enough for the SDK, you get the source. Sounds like you're not a big enough fish.

  39. Re: Why we need access to the *complete* set of co by Anonymous Coward · · Score: 0

    Government does not even remotely care. I've worked for a 3 letter agency for decades as an engineer. I am TEMPEST certified and work with secure workstations, encryption devices and I can tell you that they ALL have foreign manufactured parts. We used to have Compaq workstations that came from China ffs. I'm sure nothing was compromised in any of those of course... especially as they were only spot checked for operation and emissions... Nothing else.

  40. Re:Why we need access to the *complete* set of cod by acoustix · · Score: 1

    Thank you for your insight. It is appreciated.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson