Settlement reached in Cisco flaw dispute

'Cisco has a gazillion dollars and he is an unemployed guy'


LAS VEGAS - A researcher who showed off a way to remotely compromise Cisco routers must hand over all related materials and agree not to disseminate further information about the flaws or the technique he used to run code on the company's widely deployed network hardware.

The settlement, finalized Thursday afternoon, brought to a close a controversy that exploded on Wednesday morning when researcher Michael Lynn tendered his resignation to network protection firm Internet Security Systems in order to give a presentation on Cisco security at the Black Hat Security Conference.

"I think I did the right thing, but it was scary," he told reporters in Las Vegas at a Thursday afternoon press conference. "There was a potential for a serious problem coming in the future. I didn't think that the nation's interests were served by waiting a year, when there would be a possibility of a router worm."

Lynn and his attorney agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research, or from presenting the same material at the DEF CON hacker convention, which follows Black Hat. In addition, Lynn must hand over the names of any websites or people to whom he gave or sold the information. The permanent injunction does not prevent Lynn from doing further research on Cisco products, provided it is done legally.

Cisco disputed that Lynn's actions were aimed at helping protect the Internet.

"Cisco’s actions (regarding) Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure," the networking giant said in a statement on Thursday. "It is Cisco’s opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet."

On Wednesday, Lynn showed off a way to compromise Cisco's Internetwork Operating System (IOS), the core software for the company's popular routing and gateway hardware. Using such techniques, which Lynn and other security experts believe the Chinese are likely already exploiting, an attacker could run code of their choosing on Cisco routers.

While some security experts at Black Hat said that they never doubted running code on the routers was possible, the prevailing wisdom was that Cisco network hardware had enough safeguards in place that external code could not be run on the systems.

"No one really thought this (running code on Cisco routers) was possible, until Wednesday, so no one really looked to defend against it," Lynn said. "A router is like any computer in that, when it has a vulnerability, you can hack it."

The presentation followed three weeks of negotiations between Cisco, Internet Security Systems and the Black Hat Conference management to resolve the situation. Under pressure from Cisco, ISS had withdrawn the presentation on Monday, and the Black Hat Conference management allowed the network giant's employees to rip out the 10-page presentation from the conference proceedings.

The settlement is reasonable, said Jennifer Granick, executive director for Stanford University's Center for Internet and Society and the attorney representing Lynn in the negotiations. Because it does not prevent Lynn from further research into Cisco's hardware and software, provided access to both is done legally, the researcher can continue to analyze Cisco's security measures, she said.

Moreover, Lynn would have been at a disadvantage if he tried to fight the networking giant, she said.

"Cisco has a gazillion dollars and he is an unemployed guy," Granick said. "It is hard to take on someone with deep pockets."

Other researchers believed that the settlement prematurely closed the chapter on a case that could have highlighted the legitimate concerns of independent security researchers.

"The whole attempt at security through obscurity is amazing, especially when a big company like Cisco tries to keep a researcher quiet," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security.

Cisco will likely need to repair relations with the security research community if it wants cooperation, rather than contention, in the future, Maiffret said.

"People are definitely going to want to find more vulnerabilities," because they know they can gain control of a router, he said. "And now people aren't going to care to report things to Cisco."

The incident also foreshadows what future legal spats might look like, said Stanford's Granick. Cisco had argued during the talks that reverse engineering violates its end-user license agreement (EULA). Such "no reverse engineering" clauses are common in software licenses, and while the average user has little reason to care about them, the provision could stifle legitimate security research if courts agree to enforce it, she said.

"You have EULAs that tell people they can't reverse engineer and companies who are ready to levy the most severe penalties for anyone who breaks those agreements," Granick said. "It is time to begin to worry about the rights that companies are trying to take away from us." ®
