Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
Radio cards? (Score:2, Interesting)
Re:Well, that depends. (Score:2, Interesting)
Firmware? (Score:1, Interesting)
There is no workaround. (Score:5, Interesting)
(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)
I can see why it's useful to have a master password, but really, it was bound to cause major embarrassment in the end - the only way it would work is if everyone who knew it (presumably Cisco employees) never ever divulged it. That's likely!
Simon
It needs to be there (Score:5, Interesting)
Back to the good old days for hackers (Score:3, Interesting)
Re:It needs to be there (Score:2, Interesting)
Re:Cisco's Life Lesson - Maybe not. (Score:3, Interesting)
Nobody but a few key developers have a clue that the fix is not actually a fix.
It's just a theory, and if you look at my post, I fully admit - it's paranoid.
Re:Cisco's Life Lesson - Maybe not. (Score:5, Interesting)
I.e. in order to get in through the backdoor, you need to hold down a button for 10 seconds, and the login will be enabled for the next 2 minutes (which should be enough time to change the admin pw if it is forgotten). This would require that the site be physically secure; however, it would prevent those from remotely accessing the backdoor (unless someone is actually there to hit this 'switch').
Re:Cisco's Life Lesson - Maybe not. (Score:3, Interesting)
I'm very sorry, but if I found out that someone had backdoor'd one of my systems I'd like to know why, and "I thought you were too stupid to ensure your own data" is not an excuse I'd be willing to take!
Recovering passwords (Score:3, Interesting)
I was called by an apartment complex that offered broadband to tenants. Apparently, one of the kids (mostly college students) had taken a networking class or something, and telnetted in to the switches, and screwed a bunch of stuff up.
Of course, he changed the password to who knows what, so we had to call Nortel up and read them the serial number from each switch, and they gave us a backdoor password. I believe it was generated by a program they had. We had to verify proof of purchase and everything with the company, but who couldn't forge an invoice from CDW or Insight?
Re:Well, that depends. (Score:5, Interesting)
That's a silly comment. Up until a few hours ago you would have thought Cisco was pretty good. Now they have done a really stupid thing and have been caught red-handed.
The question we should be asking is what else have they done that their customers would object to if they knew about it?
Call me paranoid, but this is exactly the sort of behaviour that I expect from software/hardware manufacturers. Cisco just happened to get caught doing it.
No it doesn't (Score:5, Interesting)
Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).
Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a response string and use it to log in, and then you change the password.
The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
Re:Does Cisco know what's going on? (Score:3, Interesting)
This reminds me... (Score:3, Interesting)
Cisco has been a major player for a long time, so we have a de-facto trust relationship with them, but we need to be able to verify their account guarding. All they need to do is open the firmware up and let the million eyes peer through it. Any vulnerability detected and not reported by one will surely be caught by another, and assuming he's not trustworthy either there are still more eyes. Quis custodiet ipsos custodes. The only problem is if the flaw doesn't exist in only flashable firmware (i.e.: in hardware someplace that can't be modified at all)--then that would be an issue. I think we can trust the Cisco hardware, it's the flashed system that needs to be checked.
So, Cisco, how about opening that up? Come on, be a pal....
Re:Cisco's Life Lesson - Maybe not. (Score:4, Interesting)
Upgrading firmware or substantive software is always a process of weighing costs v benefits. The constant cost of upgrade is that something breaks and renders years of investment at risk. Bodies in motion tend to stay in motion is almost as true for computers as physical bodies with mass.
So while "just as installable" may be an accurate way of saying a password change is just as installable as a username/password removal, what you are not addressing is the alert that is often needed to light the fire of sysadmins to apply that fix. In this case, anything less than disclosure would have been seen as disingenuous as many would not have been given accurate enough information to perform the cost benefit analysis of upgrading.
And a post on
I'm not seeing where you are coming from or where you are going with this. But it seems important, you may wish to elucidate.
Cisco is definitely doing questionable things (Score:1, Interesting)
Apparently his company was approached by Cisco, on the feasibility of using their GPS chips in "all of our [Cisco's] upcoming products." From the discussions, it appeared that Cisco wanted to put GPS capabilities in their routers and such, but they were being hush-hush about it, implying that this wasn't to be a publicly known feature.
And before you say "You can't use GPS in a data center", I should note that at least one company [globallocate.com] in that field has a chipset which is known to work well inside of buildings. And ethernet cables make huge antennas.
Negligence (Score:4, Interesting)
A Cisco exec should do hard time for this.
"Can we trust closed-source vendors?" NO! (Score:4, Interesting)
From the Slashdot story: "Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
This should be shortened to: "Can we trust closed-source vendors?"
History has shown that we cannot.
Take Microsoft for example. LUGOD maintains a list of stories about Microsoft abusiveness: Reasons to Avoid Microsoft [lugod.org]. I counted more than 200 in 2002, and things have gotten worse since then.
(This seems to be one of the few times that Open Source advocates have invented an interesting name: Linux User GOD. Sounds like a new religion.)
Part of the problem seems to be that, eventually, closed-source vendors begin to be controlled by managers who have no technical experience. Such managers can help the company make more money only by abusing the customer, because they don't know enough to contribute to technical improvements.
Why has Google risen to prominence so quickly? Partly because they know what they are doing technically. But largely because they have a policy of "do no harm". It's a simple policy, but most managers are not able to come to the conclusion they should follow it.
Most managers seem to have received their training by mimicking the abusive, ignorant PHB in Dilbert cartoons. Think what a terrible world we live in that Dilbert is considered funny!
I know most Open Source developers are uncomfortable with this description, but they approach their work as an act of love. Whatever the reason, history has shown that they are far more trustworthy.
Re:Well, that depends. (Score:2, Interesting)
So do you even know what a WLSE is? (Score:1, Interesting)
Re:Cisco's Life Lesson - Maybe not. (Score:5, Interesting)
I do not.
IMO, you definitely do not understand how Cisco marketing functions. It took me 5+ years of dealing with it to start understanding it. Basically, every single IOS release they shipped is bug ridden beyond any reasonable limits. Any other company shipping such crap would have failed long ago. They did not. The reason is that they have created cottage industries of "certified specialists" all over the world which will make sure that their customers and employers will never buy anything but Cisco and never hire an unfettered one. Just have a look how many banks run "Cisco Only Networks". The reason for this is simple. They are employed because there is always something wrong and there is always something to fix. Cisco knows this and it will never ever kill what makes 90% of its enterprise sales.
This is also the reason why even Cisco supplied GUI or centralised management solutions never manage some features. This is also the reason why there is no way in hell for you to get anywhere trying to manage Cisco gear using industry standard protocols. Ever tried to do some alteration of IP parameters on Cisco via SNMP? I am not even talking about rocket science like the diff-serv MIB or the BGP MIB. Ever tried to hook it to a proper element manager without a few Ms of glue code that does direct CLI? Dream on...
Re:you ungrateful motherfuckers (Score:3, Interesting)
No, Cisco is bad because they stuck a backdoor into their product that potentially fucked over a bunch of their customers.
I bet half your jobs depend on cisco.
And what kind of half-assed argument is that? Just because people use their products doesn't mean that their jobs depend on Cisco. Cisco can be ripped out and replaced just like most vendors. Get some Foundry or Nortel equipment.
Oh yeah, and fuck you too.
Re:Cisco's Life Lesson - Maybe not. (Score:3, Interesting)
Exactly. I'd treat "we don't have a backup of the router config" pretty much the same as "we don't have a backup of the webserver" when deciding how badly I'd have to lart the respective administrator. Even little home routers often have the ability to transfer their configs, even if just via their web interface.
Backdoors are here to stay. (Score:3, Interesting)
Well, we certainly can't trust Cisco anymore. The reason is because trust is built up by having the ability to screw up and then not doing so. Cisco has clearly violated the trust of anybody who wanted a zero-backdoor product, and I submit that this breach is one that cannot be recovered from.
However, I certainly understand why Cisco insists on there being such a hard-coded full-control backdoor. If you ever lose possession of the root password, you are screwed and you can turn a big-dollarsign router into a paperweight. It makes sense that Cisco should be able to swap your locked-up router for a like part in its default settings, and then be able to recover most of its value as an "open box" "remanufactured" item since there was nothing wrong with it other than an unknown password that since has been reset.
Really, I'm not mad at Cisco for having backdoors as much as the fact that they refused to admit that there were secret backdoors.
Re:Well, that depends. (Score:4, Interesting)
    hash = getHash(password);
    if (hash) {
        return (*hash == *storedhash);
    } else {
        logAuthError("Hash could not be found");
        return FALSE;
    }
Looks correct, but if I modify getHash to return NULL when the password is a certain string, and logAuthError is actually buried in a separate header, it doesn't actually log an error, it returns TRUE.
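Added example (not part of the original comment or any vendor's code): the snippet above made compilable, next to a form that still fails closed when a header redefines the logging call. The toy hash, `enroll`, `check_as_posted`, `check_hardened` and `log_calls` are constructed for illustration; the `#define` stands in for the hidden header the comment describes.

```c
#include <stdio.h>

#define TRUE 1
#define FALSE 0

static int log_calls = 0;                  /* real log writes, for checking */
static unsigned long stored_value;         /* enrolled hash (constructed) */
static const unsigned long *storedhash = &stored_value;

/* The real logger a reviewer assumes is being called. */
static void logAuthError(const char *msg) {
    log_calls++;
    fprintf(stderr, "auth error: %s\n", msg);
}

/* Constructed toy hash (djb2); NULL is its ordinary failure path (empty input). */
static const unsigned long *getHash(const char *password) {
    static unsigned long h;
    if (!password || !*password) return NULL;
    for (h = 5381; *password; password++) h = h * 33 + (unsigned char)*password;
    return &h;
}
void enroll(const char *pw) { stored_value = *getHash(pw); }

/* Stand-in for the definition buried in a separate header. */
#define logAuthError(msg) return TRUE

/* Same shape as the posted snippet: reads as fail-closed, but is not. */
int check_as_posted(const char *password) {
    const unsigned long *hash = getHash(password);
    if (hash) {
        return (*hash == *storedhash);
    } else {
        logAuthError("Hash could not be found");
        return FALSE;
    }
}

/* Hardened: (name)(args) suppresses function-like macro expansion, so the
   real function runs, and one default-deny exit returns the result. */
int check_hardened(const char *password) {
    int ok = FALSE;
    const unsigned long *hash = getHash(password);
    if (hash) ok = (*hash == *storedhash);
    else (logAuthError)("Hash could not be found");
    return ok;
}

int main(void) {
    enroll("s3cret");
    printf("posted=%d hardened=%d\n", check_as_posted(""), check_hardened(""));
    return 0;
}
```

A negative test that drives the error branch, or a read of the preprocessed output (`cc -E`), exposes the redefinition that a source-level review of the function alone misses.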