
Cisco's Backdoor For Hackers

This topic is archived.
FarCenter Donating Member (1000+ posts) Thu Feb-04-10 12:19 PM
Original message
Cisco's Backdoor For Hackers
Andy Greenberg, 02.03.10, 01:45 PM EST
The methods networking companies use to let the Feds watch suspects also expose the rest of us.

ARLINGTON, Va. -- Activists have long grumbled about the privacy implications of the legal "backdoors" that networking companies like Cisco build into their equipment--functions that let law enforcement quietly track the Internet activities of criminal suspects. Now an IBM researcher has revealed a more serious problem with those backdoors: They don't have particularly strong locks, and consumers are at risk.

In a presentation at the Black Hat security conference Wednesday, IBM Internet Security Systems researcher Tom Cross unveiled research on how easily the "lawful intercept" function in Cisco's IOS operating system can be exploited by cybercriminals or cyberspies to pull data out of the routers belonging to an Internet service provider (ISP) and watch innocent victims' online behavior.

"We need to balance privacy interests with the state's interest in monitoring suspected criminals," says Cross. "There's long been a political debate about where that balance should be. But there are also these serious underlying technical problems."

Cross revealed a collection of security weaknesses in Cisco's architecture that he says add up to a lawful intercept system that could be easily hijacked by a skilled cybercriminal. When hackers try to gain access to a Cisco router, the system doesn't block them after failed password-guessing attempts and it doesn't alert an administrator. Many Cisco routers are still vulnerable, he said, to a bug that was publicized in June 2008, since some administrators haven't implemented the patch that Cisco later released. And once data has been collected using the lawful intercept, it can be sent to any destination, not merely to an authorized user.

"Each isn't a big deal, but when you add them all together the situation is fairly bleak," Cross told the Black Hat audience.

In an interview with Forbes following his talk, Cross expressed the most concern over an ISP's inability to audit whether someone had used the function. That invisibility, he said, was intended to hide the technique from ISP employees who might detect the intercept and alert the suspect under surveillance.

But the result, Cross says, is that any credentialed employee can implement the intercept to watch users, and the ISP has no method of tracking those privacy violations. "An insider who knows the password can use it without an audit trail and send the data to anywhere on the Internet," Cross says.

<SNIP>

http://www.forbes.com/2010/02/03/hackers-networking-equipment-technology-security-cisco.html?feed=rss_technology_security