Welcome to the IoT which is in reality the IoC
Cisco is increasingly a high dollar trash marketer, the extra you pay for the name is increasingly for high performance security leakage.
More than 26,000 Cisco devices sold by Australia's dominant telco Telstra are open to hijacking via hardcoded SSH login keys and SSL certificates. The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos. Cisco warns that …
First we read: There are no patches or workarounds available for the security blunder, which potentially affects millions of users.
Followed in the same paragraph with: One workaround would be to ensure the SSH and HTTPS configuration servers in the routers are firewalled off from harm.
I guess it's time to toss Cisco into the scrap heap...
And replace it with WHAT, pray?
Because if one of the biggest names on the Internet is selling eternally-vulnerable unpatchable hardware, what does that say of every other supplier on the market? Rip and replace simply means someone else when you bend over.
Yeah, you're right... therein is the problem... Luckily I don't have to make those decisions, 'cause I don't think there would be anyone left on the supplier list, not just for switches/routers but PCs, phones, ISP/data services, OSes, programs, apps, etc. Makes me sad and angry at the same time...
Is it hardwired as in ROM or malleable as in Flash firmware?
Couldn't an updater potentially do something like read the device serial and mangle it with the current timestamp whilst upgrading firmware and write that key?
Disclaimer: I am very woolly on keys and things
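The practical defender's check for the flaw the thread is discussing is to look for the same SSH host key turning up on more than one device. The script below is an added example, not code from the article or from Cisco: it parses `ssh-keyscan`-style output (a constructed sample with placeholder key blobs, not real keys), computes OpenSSH-style SHA256 fingerprints, and reports any fingerprint shared by several hosts.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format ("host keytype base64-key").
# The key blobs are short placeholder strings, not real keys; router-a and
# router-b deliberately present the same host key to simulate a baked-in key.
SAMPLE_KEYSCAN = """\
# router-a.example:22 SSH-2.0-OpenSSH
router-a.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample01
router-b.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample01
router-c.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample02
"""


def ssh_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64, no '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, key_b64) from ssh-keyscan style lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan prints banner info as '#' comment lines
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than guess
        host, keytype, key_b64 = parts
        yield host, keytype, key_b64.split()[0]  # drop any trailing comment


def find_shared_host_keys(text: str) -> dict:
    """Map 'keytype fingerprint' to the sorted hosts presenting it, for keys seen on >1 host."""
    hosts_by_fp = defaultdict(set)
    for host, keytype, key_b64 in parse_keyscan(text):
        hosts_by_fp[(keytype, ssh_fingerprint(key_b64))].add(host)
    return {
        f"{kt} {fp}": sorted(hosts)
        for (kt, fp), hosts in hosts_by_fp.items()
        if len(hosts) > 1
    }


if __name__ == "__main__":
    for key, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {key} on: {', '.join(hosts)}")
```

On a real estate, feed it the output of `ssh-keyscan` run against your device inventory; any fingerprint listed on more than one host is a key you do not control and cannot trust for host authentication.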
Because if one of the biggest names on the Internet is selling eternally-vulnerable unpatchable hardware, what does that say of every other supplier on the market?
Absolutely nothing.
You're making two mistakes here; you're assuming that current company size is positively correlated with current product quality*, and presuming that, because a member of a set demonstrates a particular quality, all other members of that set must demonstrate the same quality**.
* For simple counterexamples, consider the cases of Wal-Mart and McDonalds.
** If these companies were people, and their industry were their race, that would make you a racist. But they're not, and it isn't, so you're not.
Not just any member. A leading member of that industry. A member everyone else is trying to at least mimic if not top because they're successful. And industries such as these can be pretty cutthroat: meaning if you don't throw out the moral rulebook (like with Walmart and McDonald's), you won't last long. Now, fast food has plenty of latitude so competition like Burger King and Wendy's and so on can stick around, but they're all pretty much peas in the same pod. Anyone else who tries to play on quality soon faces the dual pressures of cost vs. customers with thin wallets and they eventually either join the club, niche, or disappear. But in the big-boxers, there's very little room. Walmart's still up top while Target's overtaking the fading Kmart for #2, and there's nought else after that.
You missepled "thrustworthy". Worthy of thrusting onto the scrapheap.
Which, apropos of not very much at all, reminds me of the prank a couple of friends pulled off at an event. It started with a Cisco 2900 and a pickaxe, which turned the 2900 into a very dented 2900, nearly split down the middle. The circuit board was removed and two 8-port desktop switches fitted, so that 14 ports could still work. A few strips of sticking plaster were applied to cover the more ragged edges of the case, and then they casually walked into the event NOC to have an uplink activated.
As the network team tended to use 2900s as field distribution switches, they understandably assumed it was one of theirs and collectively went rather pale. Demonstrating that the switch still worked when plugged in added a good pile of incredulity to the paleness.
NSLs and FISA warrants probably compelled Cisco to embed the common SSL certs and give a copy to the NSA.
They didn't want to have to manage device-specific certs, millions of them, so they just dumped a couple hundred into devices so the NSA only has to check against a small database of possible certs to use for espionage purposes (where espionage has been re-defined to mean mass surveillance on everyone irrespective of suspicion).
Hah, I love the way Cisco has worded their explanation to make it seem like the device is still secure. Yes, SSL MITM is an attack on the client. But they've worded it to be misinterpreted as "hard-coded uniform SSH keys & SSL MITM are both attacks on the client." Nope. Wrong.
I assume they made the disclosure because someone other than the NSA obtained the SSH key (yes, the ONE key). And, just a wild guess here, I'm guessing it's the SSH key for root. Which means those routers are wide open; an attacker could do literally anything they wanted to with a root shell into those routers. Like non-HTTP traffic sniffing, exploiting trust relationships, injecting (seemingly) signed code into Windows updates, etc.
These are just consumer routers right? Not backbone routers? Otherwise I might be staying off the net for a few days...