Settlement reached in Cisco flaw dispute

'Cisco has a gazillion dollars and he is an unemployed guy'

LAS VEGAS - A researcher who showed off a way to remotely compromise Cisco routers has to turn over all materials and agree not to further disseminate information on the flaws or the technique he used to run code on the popular network hardware.

The settlement, finalized Thursday afternoon, brought to a close a controversy that exploded on Wednesday morning when researcher Michael Lynn tendered his resignation to network protection firm Internet Security Systems in order to give a presentation on Cisco security at the Black Hat Security Conference.

"I think I did the right thing, but it was scary," he told reporters in Las Vegas at a Thursday afternoon press conference. "There was a potential for a serious problem coming in the future. I didn't think that the nation's interests were served by waiting a year, when there would be a possibility of a router worm."

Lynn and his attorney agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research, or from presenting the same material at the DEF CON hacker convention, which follows Black Hat. In addition, Lynn must hand over the names of any websites or people to whom he gave or sold the information. The permanent injunction does not prevent Lynn from doing further research on Cisco products, provided it is done legally.

Cisco disputed that Lynn's actions were aimed at helping protect the Internet.

"Cisco’s actions (regarding) Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure," the networking giant said in a statement on Thursday. "It is Cisco’s opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet."

On Wednesday, Lynn showed off a way to compromise Cisco Internet Operating System (IOS), the core software for the company's popular routing and gateway hardware. Using such techniques, which Lynn and other security experts believe the Chinese are likely already exploiting, an attacker could run programs on Cisco routers.

While some security experts at Black Hat said that they never doubted running code on the routers was possible, the prevailing wisdom was that Cisco network hardware had enough safeguards in place that external code could not be run on the systems.

"No one really thought this (running code on Cisco routers) was possible, until Wednesday, so no one really looked to defend against it," Lynn said. "A router is like any computer in that, when it has a vulnerability, you can hack it."

The presentation followed three weeks of negotiations between Cisco, Internet Security Systems and the Black Hat Conference management to resolve the situation. Under pressure from Cisco, ISS had withdrawn the presentation on Monday, and the Black Hat Conference management allowed the network giant's employees to rip out the 10-page presentation from the conference proceedings.

The settlement is reasonable, said Jennifer Granick, executive director for Stanford University's Center for Internet and Society and the attorney representing Lynn in the negotiations. Because it does not prevent Lynn from further research into Cisco's hardware and software, provided access to both is done legally, the researcher can continue to analyze Cisco's security measures, she said.

Moreover, Lynn would have been at a disadvantage if he tried to fight the networking giant, she said.

"Cisco has a gazillion dollars and he is an unemployed guy," Granick said. "It is hard to take on someone with deep pockets."

Other researchers believed that the settlement prematurely closed the chapter on a case that could have highlighted the legitimate concerns of independent security researchers.

"The whole attempt at security through obscurity is amazing, especially when a big company like Cisco tries to keep a researcher quiet," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security.

Cisco will likely need to repair relations with the security research community if it wants cooperation, rather than contention, in the future, Maiffret said.

"People are definitely going to want to find more vulnerabilities," because they know they can gain control of a router, he said. "And now people aren't going to care to report things to Cisco."

The incident also foreshadows what future legal spats might look like, said Stanford's Granick. Cisco had argued during talks that reverse engineering is against the end-user license agreement (EULA). Such "no reverse engineering" clauses are a common provision in such licenses, and while the average user does not need to care about that, the provision could stifle legitimate security research if courts agree to enforce it, she said.

"You have EULAs that tell people they can't reverse engineer and companies who are ready to levy the most severe penalties for anyone who breaks those agreements," Granick said. "It is time to begin to worry about the rights that companies are trying to take away from us." ®
