Cisco's hardware backdoor software is vulnerable

Cisco’s “back door” standards which are designed to help coppers snuff around communications hardware appears to have a large security hole inside it, according to IBM.

IBM researcher Tom Cross has put Cisco’s system under the microscope at a Black Hat Conference, and found it is too easy to evade. The standard was designed to put Cisco hardware in compliance with EU directives and has apparently been adopted by a number of other hardware makers.

It relies on SNMPv3, creating a variety of options for attack.  The protocol was initially vulnerable to brute force attacks on its authentication system; although Cisco has patched that flaw, there’s no way to determine how many unpatched machines remain in the wild.

SNMP also defaults to operating over UDP, and it’s easy to spoof source addresses and ports for that protocol.   

If you use TCP instead it is possible to limit the addresses that can access the hardware. Communications aren’t encrypted by default, and the system won’t notify administrators when a trace is activated or disabled, meaning that hackers could potentially set up or eliminate surveillance without anyone being aware of it.

Tom Cross warned Cisco about this in December and suggested a few revisions to sort out the problems. Cross warns that even if the standard is fixed there is a huge problem with unpatched systems and it would be a problem updating major pieces of equipment.