Backdoors in Cisco Routers

We don't know if this is error or deliberate action, but five backdoors have been discovered already this year.

Posted on August 1, 2018 at 6:22 AM • 29 Comments

Comments

Gordon Ross • August 1, 2018 7:17 AM

I think the title is misleading. Sure, Cisco have announced five backdoors in the past few months, but only one was in an actual switch/router.

Matt • August 1, 2018 7:50 AM

True, only 1 of the 5 was a backdoor for a router, but the others were for enterprise-level control and automation platforms. Discover the backdoor in an SDN controller or the branch office file sharing appliance (the WAAS product mentioned) and you own the whole network or all of the juicy corporate secrets being moved around.

Thoth • August 1, 2018 7:59 AM

Not surprisingly there are backdoors (deliberate or not). More backdoors would probably surface over time.

For personal use, you are better off using a single-board computer to be used as a low assurance router by running your own instance of hardened and stripped down Linux or a copy of OpenBSD to route traffic.

For the likes of extremely rich and powerful corporations, if you have the budget like Google, you would be better off making your own chips or at least your own network devices.

For those caught in-between, there is very little you can do ......

Clive Robinson • August 1, 2018 8:15 AM

@ Bruce,

We don't know if this is error or deliberate action, but five backdoors have been discovered already this year.

Only five?

Somebody is not trying hard enough; send them back to the sub-sub-sub basement at Fort Meade for hands-on "Incentive realignment training" with that 5USD wrench ;-)

More seriously though, I should be shocked but I'm not; as an organisation they are not really different size-wise to Microsoft, Adobe, or Oracle, all of whom appear to have way way more problems.

JO • August 1, 2018 9:04 AM

Obviously you can't trust the Internet when it comes to MITM attacks, but can you even trust your Intranet? Should/can communication between off the shelf OS machines use encrypted channels to communicate when sharing files etc so you don't even *have* to trust your network infrastructure to not be compromised?

JG4 • August 1, 2018 9:07 AM

@Thoth

It would be helpful if the streams of data to and from your single-board computer were filtered to limit the potential for triggering undocumented features of the chipsets. The same general concept applies to bringing streams of text to and from an internet-connected portal for sending and receiving secure email. The optical data diodes that have been discussed address at least part of the problem space.

echo • August 1, 2018 10:12 AM

Oh, this all explains why the US federal government is going all security conscious over Russian and Chinese equipment. It's just marketing to deflect from home grown Swiss cheese. At least UK stuff is secure. Try hacking nothing because we don't make anything anymore hah hah whoops.

borlow • August 1, 2018 10:54 AM

can you even trust your Intranet?

Could you ever? Way way back in the 1980s we had thinnet, which as a shared medium was obviously insecure. Then there was early 10baseT with hubs, again a shared medium despite separate wires. Then dumb switches, where you'd have to use (but easily could) ARP spoofing to misdirect traffic to you.

With smart switches you can, if you're meticulous, limit MAC addresses to certain physical ports and otherwise mitigate spoofing problems. I wouldn't count on that. Encrypt everything and use proper authentication (no clicking through self-signed certs).

borlow • August 1, 2018 11:04 AM

A default account named "cisco" isn't going to show up except as a deliberate action. The only part that may be an "error" is that they shipped with it. It says something about quality control that they didn't find this obvious login for 5 years after Snowden's revelations. (Also: kind of shitty that Cisco's making people agree to a software license to close a backdoor.)

I hope we'll see some further analysis or reverse-engineering of this. Could it be a "trusting trust" type of attack on /bin/login (or similar)? Hard to believe they'd use an obvious name like "cisco", but then if "cisco" were listed in /etc/passwd wouldn't someone have noticed earlier?

PeaceHead • August 1, 2018 11:15 AM

@echo: well said.

P.S.-I used to watch the TV show "Dollhouse".
If that's the inspiration for your nickname, you have my sincere condolences and empathy.
We are a few of many.

In many ways, we aren't up against a group, we are up against a set of ALGORITHMS and a conveyor belt of abuses happening and pending to happen again and again and again paid for by such abuses in the past again and again and again. Money is part of the machinery. I refuse to be enslaved by either.

If you don't know what I'm talking about or prefer not to, that's alright.
But reading or talking about the topic does not make people suicidal; that's just part of the folklore gossip designed to shut people up.

And for others who think I might be stirring the pot, you have no idea how much I have NOT and will not.

Peace be with you Numbers Stations.
I hope that someday you will be free from subjugation as well.

Phaete • August 1, 2018 11:19 AM

I'm with Hanlon on this one.
Remember, we are talking about a company that spent in 2017 about 9 bil on marketing but only 6 bil on research and development, so you know where its focus is.
Cisco just had a lot of scrutiny since the NSA tools release.

echo • August 1, 2018 11:30 AM

@Peacehead

I can't remember the inspiration. I think I wanted a name which wasn't too controversial and it bubbled up from a brain full of junk.

I think I've got past it now but I was really unhappy when a Syfy producer cancelled "Terminator: The Sarah Connor Chronicles" which was a really really really well produced show in favour of Dollhouse which was a bit something and nothing and got canned after its next series anyway.

Somebody Something • August 1, 2018 11:43 AM

Does it matter whether it is incompetence or malice on the part of the company? One cannot trust their products and that is yet one more piece on the pile of evidence that one can't trust the internet.

Rob • August 1, 2018 12:08 PM

@JO:

Should/can communication between off the shelf OS machines use encrypted channels to communicate when sharing files

Be sure to use unbackdoored encryption.

Alejandro • August 1, 2018 12:39 PM

I read the article. Many back doors and no mention of fixes, or even that Cisco is working on it/them.

Basically, it reads like Cisco is a government operation. Or, merely fundamentally incompetent.

It's a good thing the vast majority of people don't care about security, privacy or run amok 24/7 electronic surveillance.

File under: 'They do it because they can'.

VRK • August 1, 2018 1:29 PM

As Dan Geer reminds us, (The Future of Cybersecurity @ geer.tinho.net/pubs),

"... selling of exploit code will continue to have government(s) as a primary clientele ..."

Which, I might suggest, is a huge and incessant motivator for putting it there, and that marketers tend to be insatiable back-stabbing liars.

Folks, please. Security? Really?
Get real: Befriend small farmers.

65535 • August 1, 2018 4:16 PM

First problem is no traces in the logs:

“…in 2004, Cisco wrote an IETF proposal for a “lawful intercept” backdoor for routers, which law enforcement could use to remotely log in to routers. Years later, in 2010, an IBM security researcher showed how this protocol could be abused by malicious attackers to take over Cisco IOS routers, which are typically sold to ISPs and other large enterprises…Attackers could exploit these backdoors and not leave any audit trail. That’s how the lawful intercept protocol was designed so that ISP employees can’t tell when a law enforcement agent logs to the ISP’s routers (even though law enforcement is supposed to gain this access with a court order or other legal access request).”-Tom's Hardware

https://www.tomshardware.com/news/cisco-backdoor-hardcoded-accounts-software,37480.html

If the CALEA and “Lawful intercept” get by the logs it’s a real problem. Anybody could slip in and then out without it showing up in the logs. That is a wreck waiting to happen, or is happening now.

See old posts by 65535 and Clive Robinson

“Doesn’t a lawful intercept have to have a license or subscription to use such monitoring of switches such as Cisco’s and others’ switches? The last I checked one could buy a lawful intercept license or subscription for about 750 USD on certain black market sites. Does a lawful intercept license or subscription ensure the encryption is broken? Or, do lawful intercepts just record the encrypted packets and the metadata [to-from and Call Data Records]?”-65535

https://www.schneier.com/blog/archives/2017/06/security_flaws_1.html#c6754434

and

https://www.schneier.com/blog/archives/2017/06/security_flaws_1.html#c6754442

[Cisco tries to avoid supply chain NSA interception]

“Cisco Shipping Equipment to Fake Addresses to Foil NSA Interception” by Bruce S.

https://www.schneier.com/blog/archives/2015/03/cisco_shipping_.html

“@ Bruce, I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry.”

“Whilst that may to a certain extent be true, we definitely know that the IC and some LEA's don't care one iota about it.”-Clive R

https://www.schneier.com/blog/archives/2015/03/cisco_shipping_.html#c6691829

@ borlow

"A default account named "cisco" isn't going to show up except as a deliberate action… Could it be a "trusting trust" type of attack on /bin/login (or similar)? Hard to believe they'd use an obvious name like "cisco", but then if "cisco" were listed in /etc/passwd wouldn't someone have noticed earlier?"

That is a good point. Maybe it was noticed by the NSA or some hacker.

@ Matt

“True, only 1 of the 5 was a backdoor for a router, but the others were for enterprise-level control and automation platforms. Discover the backdoor in an SDN controller or the branch office file sharing appliance (the WAAS product mentioned) and you own the whole network or all of the juicy corporate secrets..”

I agree. The devices were sold at “enterprise” level and advertised as secure devices, yet the whole enterprise is compromised. Think of a large factory or a Walmart using wireless barcode scanners throughout the store or headquarters and the like. It is a problem.

“A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access…”-Cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

“…vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot. The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access… This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software Release 16.x. This vulnerability does not affect Cisco IOS XE Software releases prior to Release 16.x.”-Cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

The second problem is hardcoded passwords, or undocumented passwords or functions or switches. If the customer gets a device with hardcoded passwords that she/he doesn’t know about, she/he is screwed. The customer goes on blissfully using the product while some hacker who knows the undocumented password breaks in and pwns the device and the customer.

Cisco is not the only offender; the IoT is full of them. I say all hardcoded passwords should be conspicuously given to the customer by law – no cheating.

@ Clive Robinson

“Somebody is not trying hard enough send them back to the sub-sub-sub basement at Fort Meade…” –ha ha

“…seriously though I should be shocked but I'm not, as an organisation they are not really different size wise to Microsoft, Adobe, or Oracle, all of whom appear to have way way more problems.”

Yes, I know American made software is starting to look like junk or junk that has been scammed. It is sad.
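The IOS XE advisory quoted above turns on an undocumented privilege-15 account, and the hardcoded-password point that follows it is the same problem in general; one thing a defender can do is audit what a device's `show running-config` actually declares. The following is an added example, not from the page and not Cisco's own tooling: it parses a constructed IOS-style config excerpt, and the documented-account inventory and suspect-name list are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed "show running-config" excerpt for this example; not from a real device.
SAMPLE_RUNNING_CONFIG = """\
!
hostname branch-rtr-01
!
username netops privilege 15 secret 5 $1$AbCd$constructedhash0
username cisco privilege 15 password 7 0822455D0A16
username helpdesk privilege 1 secret 5 $1$EfGh$constructedhash1
username backup password 0 plaintextpass
!
line vty 0 4
 login local
 transport input ssh
!
"""

# Hypothetical inventory of the accounts the operator created and documented.
DOCUMENTED_ACCOUNTS = frozenset({"netops", "helpdesk"})

# Names that only show up as vendor defaults or leftovers; never legitimate in production.
SUSPECT_NAMES = frozenset({"cisco", "admin", "root", "user"})

# Matches IOS-style local user lines; the privilege clause is optional and defaults to 1.
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>password|secret)\s+(?P<type>\d+)\s+\S+"
)


@dataclass(frozen=True)
class Finding:
    username: str
    privilege: int
    reason: str


def audit_local_accounts(config_text, documented=DOCUMENTED_ACCOUNTS):
    """Return one Finding per problem seen in the local 'username' lines."""
    findings = []
    for raw in config_text.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if not m:
            continue
        name = m.group("name")
        priv = int(m.group("priv") or 1)
        if name not in documented:
            findings.append(Finding(name, priv, f"undocumented account with privilege {priv}"))
        if name in SUSPECT_NAMES:
            findings.append(Finding(name, priv, "vendor-default style username"))
        # Type 0 is plaintext and type 7 is trivially reversible; only 'secret' lines are hashed.
        if m.group("kind") == "password" and m.group("type") in {"0", "7"}:
            findings.append(Finding(name, priv, f"reversible type {m.group('type')} password; use 'secret'"))
    return findings


def privileged_unknowns(findings):
    """Undocumented accounts holding privilege 15: the set to remove or explain first."""
    return sorted({f.username for f in findings
                   if f.privilege == 15 and f.reason.startswith("undocumented")})


if __name__ == "__main__":
    results = audit_local_accounts(SAMPLE_RUNNING_CONFIG)
    for f in results:
        print(f"{f.username:10} priv={f.privilege:<2} {f.reason}")
    print("remove or explain first:", privileged_unknowns(results))
```

An account implemented outside the configuration, as borlow speculates above about /bin/login, never appears in this output; that case is only closed by the vendor's fix.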

Alejandro • August 1, 2018 4:59 PM

@65535

Re:

"[Cisco tries to avoid supply chain NSA interception]

“Cisco Shipping Equipment to Fake Addresses to Foil NSA Interception” by Bruce S."

In that same post:

"wiredog • March 20, 2015 7:05 AM

This assumes the equipment isn't compromised at the factory."

------------------

Based on repeated revelations about Cisco stuff, and if I were a person having some responsibility and ethics regarding internet security at some place, I would assume ALL Cisco boxes are thoroughly backdoored up the kazoo, at the factory, along the mail route, remotely at the install location, all of them, 100%. Then act accordingly.

I don't know if there is a solution to the problem actually. Has everything been backdoored on purpose or by incompetence? Would there be another box to place in line to double whammy encrypt all packets, some kind of super-duper detection scheme? I don't know, but sure would look for it.

65535 • August 2, 2018 12:46 AM

@ Alejandro

“Based on repeated revelations about Cisco stuff, and if I were a person having some responsibility and ethics regarding internet security at some place, I would assume ALL Cisco boxes are thoroughly backdoored up the kazoo, at the factory, along the mail route, remotely at the install location, all of them, 100%. Then act accordingly. I don't know if there is a solution to the problem actually.”

That is fairly stated. When the NSA and Five Eyes control the SS7 or telephone system, the transportation and all mail and courier services, the possibility of interdiction and backdoors is very high.

In the end, other countries will simply not buy Cisco or Five Eye made products for fear of backdoors. It is a race to the bottom and very sad.

@ nw3227

Shades of Microsoft circa 1999?

Yes. The old NSAKEY embedded key problem. With Windows 10 all your metadata is mostly exposed, as poster echo notes.

Thoth has somewhat of a solution:

“For personal use, you are better off using a single-board computer to be used as a low assurance router by running your own instance of hardened and stripped down Linux or a copy of OpenBSD to route traffic. For the likes of extremely rich and powerful corporations, if you have the budget like Google, you would be better off making your own chips or at least your own network devices. For those caught in-between, there is very little you can do...”-Thoth

That is a good method for some. But, for most small to medium businesses the Cisco name gets them to buy no matter what. I have a small business client who purchased a Cisco managed switch with VLAN and VPN capabilities. When I use a Cisco rollover cable to get into the box to make changes, up pops some "Scary Text" about not using the box overseas and "Security" and so on. Then you add the VLAN to the ports and it is of some use because of the ease of eliminating subnets. My customer thought it was the best thing since the invention of the wheel.

But, on a scale of 10-to-one, I would bet it is compromised in some form. I don’t know and it is not mine. But, that is the marketing power of Cisco working on the small business person. The same goes for Microsoft and their products [and probably Android and Apple].

Sooner or later people are going to get smart about these scammed 5-eye products and quit buying them altogether. It will be a painful day in the stock market and a sad day.

Ergo Sum • August 2, 2018 6:46 AM

@borlow...

Hard to believe they'd use an obvious name like "cisco", but then if "cisco" were listed in /etc/passwd wouldn't someone have noticed earlier?

Most of the Cisco routers have a default UID/PWD of cisco/cisco or admin/admin. As such, having "cisco" listed in /etc/passwd hardly would raise suspicion.

Well, at least it's not as obvious as Microsoft did, with their "NSAKey" component, back in 1999:

https://archive.nytimes.com/www.nytimes.com/library/tech/99/09/biztech/articles/04soft.html

John • August 2, 2018 9:10 AM

Basically, it reads like Cisco is a government operation. Or, merely fundamentally incompetent.

Any sufficiently advanced incompetence is indistinguishable from malice.

lurker • August 2, 2018 5:47 PM

Five already? Golly, Mr. Bond was told three could be considered enemy action...

Alejandro • August 3, 2018 4:54 AM

From Forbes magazine, Security Systems researcher Tom Cross noted:

"All networking companies are legally required to build lawful intercepts into their equipment."

https://www.forbes.com/2010/02/03/hackers-networking-equipment-technology-security-cisco.html#1c02aadf4fd5

That certainly explains a lot of what I see.

Anyway, turns out it's ALL back-doored and invisible, usually.

And, apparently the corporate/.gov exploits are so deeply flawed they are readily accessible by anyone who might be seriously interested.

When the government and corporations join forces to covertly corrupt basic human and constitutional rights I call it fascist corporatocracy.

In any case, it sure isn't anything resembling democracy.

Clive Robinson • August 3, 2018 9:34 AM

@ Alejandro,

    "All networking companies are legally required to build lawful intercepts into their equipment."

Supposedly only for US domestic consumption via The Communications Assistance for Law Enforcement Act (CALEA). It was passed into law back in 1994, during the presidency of Bill Clinton[1].

CALEA is also known as the "Digital Telephony Act," for good reason: it is a United States wiretapping law for exchange, not premise, equipment, not a "data slurping" on customer premise law.

That is, the purpose was supposedly solely to enable existing analogue Telephone Wiretapping legislation to work on digital exchanges. It was never meant for getting at other data, which it is now used for routinely.

But importantly adding such capability to a product made it illegal to sell into some countries. So it should --in theory-- have a way to be disabled in products aimed for those markets. However I doubt that CISCO bothered putting in such a mechanism.

Because, in typical US Gov style they would assume either the secret would never get out (funny, they all do, which is something "golden key" and similar promoters should all learn), or that "they could just ride roughshod" over another sovereign nation's legislation.

But we know the US also has "secret legislation" of various types, so it may be something PATRIOTish or FISAish in nature.

Either way the "crapware" is there; the question now is how to remove it.

Failing that, how to mitigate it. It should now be no secret that no matter what LEOs or their pet legislators may wish, the law has limits on what it can achieve. That is, there are ways to both securely and anonymously communicate online if you and the other party have sufficient OpSec skills.

[1] Some say on balance Bill Clinton was way more favourable to the surveillance state than many give him credit for. Because although he did change a few things such as dropping Key Escrow, it was way too little, way too late, when it was abundantly clear the policy was going to fail anyway due to a number of "technical features", two of which would have enabled the NSA and friends to avoid having their traffic read by "Lawful Authority".

Mark Baugher • August 15, 2018 10:09 AM

Cisco had a written policy forbidding back doors in equipment. I know because I read that document years ago while an employee. They also supposedly had a process to ensure that the policy was followed. I personally had no involvement in that.

What's keeping Cisco, Huawei, Ericsson or any other vendor from doing such things, either maliciously or by accident? Years ago, I thought one service provider (BT?) announced that they were going to set up a lab to look for backdoors in networking equipment (or at least certain classes of equipment from major vendors). IIRC, this was one response to the FUD surrounding Huawei's emergence in the market at the time.

That's not something that one private organization can take on, but it's needed.
