HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking

More than 26,000 Cisco devices sold by Australia's dominant telco Telstra are open to hijacking via hardcoded SSH host keys and HTTPS server certificates shared across units. The baked-in certificates and host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos. Cisco warns that …

  1. gollux

    Welcome to the IoT which is in reality the IoC

    Cisco is increasingly a high dollar trash marketer, the extra you pay for the name is increasingly for high performance security leakage.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Internet of Crap? Cnuts? Cameron? Cisco? CocoChanel?

      1. DryBones

        Well, you know, it's right up there with POS for dual meanings...

  2. Anonymous Coward

    CERT's right

    Even a rip and replace doesn't help, fraught with uncertainty about the new device's bundles of joy in new/old vulnerabilities.

  3. Mark 85 Silver badge

    Is there a workaround or isn't there?

    First we read: There are no patches or workarounds available for the security blunder, which potentially affect millions of users.

    Followed in the same paragraph with: One workaround would be to ensure the SSH and HTTPS configuration servers in the routers are firewalled off from harm.

    I guess it's time to toss Cisco into the scrap heap...

    1. Charles 9 Silver badge

      Re: Is there a workaround or isn't there?

      And replace it with WHAT, pray?

      Because if one of the biggest names on the Internet is selling eternally-vulnerable unpatchable hardware, what does that say of every other supplier on the market? Rip and replace simply means someone else when you bend over.

      1. Mark 85 Silver badge

        Re: Is there a workaround or isn't there?

        Yeah, you're right... therein is the problem... Luckily I don't have to make those decisions 'cause I don't think there would be anyone left on the supplier list, not just for switches/routers but PCs, phones, ISP/data services, OSes, programs, apps, etc. Makes me sad and angry at the same time...

        1. g e

          Re: Is there a workaround or isn't there?

          Is it hardwired as in ROM or malleable as in Flash firmware?

          Couldn't an updater potentially do something like read the device serial and mangle it with the current timestamp whilst upgrading firmware and write that key?

          Disclaimer: I am very woolly on keys and things

      2. Steve Knox

        Re: Is there a workaround or isn't there?

        Because if one of the biggest names on the Internet is selling eternally-vulnerable unpatchable hardware, what does that say of every other supplier on the market?

        Absolutely nothing.

        You're making two mistakes here; you're assuming that current company size is positively correlated with current product quality*, and presuming that, because a member of a set demonstrates a particular quality, all other members of that set must demonstrate the same quality**.

        * For simple counterexamples, consider the cases of Wal-Mart and McDonalds.

        ** If these companies were people, and their industry were their race, that would make you a racist. But they're not, and it isn't, so you're not.

        1. Anonymous Coward

          Re: Is there a workaround or isn't there?

          Not just any member. A leading member of that industry. A member everyone else is trying to at least mimic if not top because they're successful. And industries such as these can be pretty cutthroat: meaning if you don't throw out the moral rulebook (like with Walmart and McDonald's), you won't last long. Now, fast food has plenty of latitude so competition like Burger King and Wendy's and so on can stick around, but they're all pretty much peas in the same pod. Anyone else who tries to play on quality soon faces the dual pressures of cost vs. customers with thin wallets and they eventually either join the club, niche, or disappear. But in the big-boxers, there's very little room. Walmart's still up top while Target's overtaking the fading Kmart for #2, and there's nought else after that.

  4. Trevor_Pott Gold badge

    Cisco: a trustworthy member of the IT community.

    1. Stoneshop Silver badge
      Pint

      a trustworthy member

      You missepled "thrustworthy". Worthy of thrusting onto the scrapheap.

      Which, apropos of not very much at all, reminds me of the prank a couple of friends pulled off at an event. It started with a Cisco 2900 and a pickaxe, which turned the 2900 into a very dented 2900, nearly split down the middle. The circuit board was removed and two 8-port desktop switches fitted, so that 14 ports could still work. A few strips of sticking plaster were applied to cover the more ragged edges of the case, and then they casually walked in to the event NOC, to have an uplink activated.

      As the network team tended to use 2900s as field distribution switches, they understandably assumed it was one of theirs and collectively went rather pale. Demonstrating that the switch still worked when plugged in added a good pile of incredulity to the paleness.

  5. xj650t
    Joke

    @Trevor_Pott

    You forgot the joke icon.

    FTFY

    1. Vic

      Re: @Trevor_Pott

      You forgot the joke icon.

      He did have "Cisco" in the body of the post; that makes the joke icon redundant, doesn't it?

      Vic.

  6. Anonymous Coward

    So which group of black hats infiltrated (or made an offer that couldn't be refused by) the design team responsible for these devices?

    1. Sanctimonious Prick
      Coat

      @AC "So which group of black hats infiltrated"

      T.L.A.

      -just reaching for my badge :)

  7. Stevie Silver badge

    Bah!

    The answer is to get rod of web portals and implement RLCFC*

    * - Really Long Cat Five Cables

    1. Stevie Silver badge

      Re: Bah!

      "get rod" - magic.

      Fucking iPad softkeyboard. Fucking auto-correct. Fucking Long Island Rail Road trains with their Voyage to the Bottom of the Sea lateral rocking.

      Double Bah!

      1. DryBones

        Erm...

        To possibly derail the thread, can you not turn off AutoCorrect on an iThing? My Android devices let me set it to give word suggestions and to flag words that it thinks are misspelled, but not actually take it upon itself to change them for me. I'd kind of expect similar on iOS...

  8. channel extended

    Promotion?

    Apparently one of the NSA agents working at Cisco got promoted to management.

  9. eldakka Silver badge
    Holmes

    This is not a bug.

    NSLs and FISA warrants probably compelled Cisco to embed the common SSL certs and give a copy to the NSA.

    They didn't want to have to manage device-specific certs, millions of them, so they just dumped a couple hundred into devices so the NSA only has to check against a small database of possible certs to use for espionage purposes (where espionage has been re-defined to mean mass surveillance on everyone irrespective of suspicion).

  10. NBNnigel

    Doublespeak

    Hah, I love the way Cisco has worded their explanation to make it seem like the device is still secure. Yes, SSL MITM is an attack on the client. But they've worded it to be misinterpreted as "hard-coded uniform SSH keys & SSL MITM are both attacks on the client." Nope. Wrong.

    I assume they made the disclosure because someone other than the NSA obtained the SSH key (yes, the ONE key). And, just a wild guess here, I'm guessing it's the SSH key for root. Which means those routers are wide open; an attacker could do literally anything they wanted to with a root shell into those routers. Like non-HTTP traffic sniffing, exploiting trust relationships, injecting (seemingly) signed code into Windows updates etc.

    These are just consumer routers right? Not backbone routers? Otherwise I might be staying off the net for a few days...
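Two questions in the thread above (whether the keys are per-device or identical across the fleet, and whether "the ONE key" really is shared) are something an operator can answer for their own kit without waiting on Cisco: scan every device's SSH host key and look for fingerprints that appear on more than one host. The script below is an added example for this thread, not code from the article, from Sec Consult or from Cisco. It assumes the "host keytype base64blob" line format that `ssh-keyscan` prints; the hostnames and key material in it are constructed for illustration and are not real device keys.

```python
"""Audit a fleet for SSH host keys that are shared between devices.

Added example for this comment thread; not code from the article, from
Sec Consult or from Cisco. Input format assumed: the "host keytype base64blob"
lines that `ssh-keyscan` prints. The hostnames and key material below are
constructed for illustration, not real device keys.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def ssh_blob(keytype: str, pub: bytes) -> str:
    """Build a base64 public-key blob in OpenSSH layout for a constructed key."""
    return base64.b64encode(ssh_string(keytype.encode()) + ssh_string(pub)).decode()


def ssh_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the unpadded base64 form that `ssh-keygen -lf` shows."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_lines):
    """Return {(keytype, fingerprint): [hosts]} for keys seen on more than one host.

    A host key is supposed to be unique per device. The same fingerprint on two
    devices means either cloned firmware (the Telstra/Cisco case) or two names
    for the same box, and either way it needs an explanation.
    """
    hosts_by_key = defaultdict(set)
    for line in keyscan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan emits "# host:port SSH-2.0-..." banner lines
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than guess
        host, keytype, blob = parts[0], parts[1], parts[2]
        hosts_by_key[(keytype, ssh_fingerprint(blob))].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


# Constructed sample: two devices with an identical (cloned) host key and one
# with a unique key. Real input would come from something like
#   ssh-keyscan -t ed25519 -f hosts.txt > keyscan.txt
CLONED = ssh_blob("ssh-ed25519", b"\x01" * 32)
UNIQUE = ssh_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE_KEYSCAN = [
    "# edge-1.example:22 SSH-2.0-OpenSSH_7.4",
    f"edge-1.example ssh-ed25519 {CLONED}",
    f"edge-2.example ssh-ed25519 {CLONED}",
    f"edge-3.example ssh-ed25519 {UNIQUE}",
]


def report(keyscan_lines=SAMPLE_KEYSCAN) -> int:
    """Print one line per shared key; return how many shared keys were found."""
    shared = shared_host_keys(keyscan_lines)
    for (keytype, fp), hosts in shared.items():
        print(f"{keytype} {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
    return len(shared)


if __name__ == "__main__":
    report()
```

Run it over real `ssh-keyscan` output for the management addresses of your routers; any fingerprint that turns up on more than one device is a key an attacker who extracts one firmware image can use to impersonate all of them, which is exactly why the only workaround the article offers is to keep the SSH and HTTPS management services off untrusted networks. The same idea applies to the HTTPS side (hash the DER certificate from each device and look for duplicates), which this script does not do.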
