Cisco Systems Will Be Auditing Their Code For Backdoors

An anonymous reader writes: In the wake of the discovery of two backdoors on Juniper's NetScreen firewall devices, Cisco Systems has announced that they will be reviewing the software running on their devices, just in case. Anthony Grieco, a Senior Director of the Security and Trust Organization at Cisco, made sure to first point out that the popular networking equipment manufacturer has a "no backdoor" policy. According to Grieco, Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience. The reviewers will be looking for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.

Why we need access to the *complete* set of code

As one of the developers behind similar devices I can say we need access to the complete set of code and we don't have it. Even if Cisco does an audit they won't be able to ensure the complete set of code isn't back-doored. I work for a company that designs and manufactures routers, switches, and similar gear. There are at least a few bits which we don't have the complete sources for. For example all the devices with 802.11ac chips in them. If any one of these peices contain a backdoor we wouldn't know it. It is a major major security issue. Any number of parties besides the NSA might be backdooring *every* device and because there are nonly a very small handful of companies with the code for these pieces it is highly likely that all of our systems are backdoored. Desktops, laptops, tablets, and most routers. There are probably only a few exceptions to this where the complete set of sources are available. I'd suggest checking out www.librecmc.org for consumer routers as it's the only embedded distribution I can confirm is back-door free for those devices which are supported.