back to article Cisco sneaks hardcoded secret root backdoor into vid surveillance kit

If you run Cisco's video surveillance kit, hop over to Switchzilla's support site and download the latest version of its management software. Late last week, the networking giant admitted that its Cisco Video Surveillance Manager Appliance has an undocumented root account with static hard-coded credentials. Reading between …

  1. onefang Silver badge
    Coat

    "It's a giant city-destroy bug - geddit, bug? Software bug?"

    There's a bug in your captionING.

    I'll ged my coat, hopefully de moths haven't been addit.

    1. onefang Silver badge
      Coat

      I'm guessing all those down votes where given to me after the caption was corrected. Tough crowd. I'm gonna need a bigger coat.

      1. Bibbit

        Retrospective justice? That figures given the current political weather. Tough crowd indeed.

        Or maybe they are ant-y punning?

  2. Sampler

    At this point..

    One has to ask, are there any Cisco products without hardcoded admin level accounts on them?

    1. Paul Crawford Silver badge

      Re: At this point..

      And yet governments seem only to ban Chinese kit due to this sort of allegation...

      1. LDS Silver badge

        "yet governments seem only to ban Chinese kit "

        Because those pesky Chinese don't share the keys!

        1. Grikath Silver badge

          Re: "yet governments seem only to ban Chinese kit "

          oh, they might share them... Just not with anyone affiliated with the Orange Monkey.

    2. jobst

      Re: At this point..

      Here, I fixed that for you:

      One has to ask, are there any Hardware products without hardcoded admin level accounts on them?

      I do not think I am too cynical ...

      1. onefang Silver badge

        Re: At this point..

        "One has to ask, are there any Hardware products without hardcoded admin level accounts on them?"

        Looking at the stuff on my computer desk, my other glasses, the analogue thermometer, the stand I use for my phone, the Leatherman, the desk itself, I'm fairly sure none of that hardware has any sort of admin account on them. The TV remote control I'm not so sure about, it IS a smart TV after all.

  3. Khaptain Silver badge

    3 Letters

    "someone created the “secret” account during product development, and forgot about it".

    Maybe it was that nice government agent guy that came in to do an audit ? These things happen you know, on a surprisingly frequent basis.

    And this is professional gear, imagine how many "absent-minded" mistakes will remain when all that IOT shit hits the mass market.... ( On saying that, some of it is already there)

    1. John Sturdy

      Re: 3 Letters

      I'd like to think that a company that large would have all the usual development practices in place, such as code review, so I find it hard to think that it would be accidental. I suspect you're right.

      1. Mario Becroft
        FAIL

        Re: 3 Letters

        Having been in this industry, time-to-market pressures and lack of experienced developers on what sounds like an embedded Linux device makes it likely this was a simple mistake. Cisco probably acquired the system or implemented it from scratch without adequate resourcing and review/oversight...it's common for developers to set a trivial root password to simplifiy development and testing. It's very easy to imagine that being overlooked when it came to release time.

        Not that this is any excuse for operating in that way. But Cisco is so oversized at present that the left hand certainly don't know what the right hand is doing. I doubt they have any rigorourous and effective dedicated IoT security function that applies consistently and effectively aross their diverse product lines, some developed originally in-house and some acquired.

        Believe me, this happens every day, not out of malice (though I don't rule that out) but simply because of organizational inertia.

    2. phuzz Silver badge

      Re: 3 Letters

      Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity.

      ie, it's more likely they fucked up than it is that the government is spying on you.

      1. Anonymous Coward
        Anonymous Coward

        Re: 3 Letters In the spy world Hanlon is a cover.

        A thumb down for not reading up on governments and their latest spy efforts. Then again no need to read material from this decade. Way back in the 1990's officials in the U.S. government officials were being assured that people using commercially available encryption was not a threat.

        But still best to read up on what has been revealed in this last decade. I'd suggest starting by searching Snowden as that will give one many rabbit holes including an idea of how extensive the cooperation between business and governments is.

        1. Anonymous Coward
          Anonymous Coward

          Re: 3 Letters In the spy world Hanlon is a cover.

          "A thumb down for not reading up on governments and their latest spy efforts."

          The government efforts have generally been more sophisticated than "use a static password for the root account when the device is sent from the factory".

          a) its fairly easy to discover

          b) its fairly easy to fix

          There has been a long running history of manufacturers assuming that nobody will know the root/superuser password AND having no sensible precautions to prevent it being exploited (i.e. locking it down to console access only).

          And these methods are routinely used by support techs to troubleshoot issues...

      2. Bibbit

        Re: 3 Letters

        Or they fucked up and the government is spying on you.

  4. Zog_but_not_the_first Silver badge
    Facepalm

    Another pesky "rogue engineer"

    "And I would have gotten away with it too, if it weren't for you meddling kids".

    1. ivan5

      Re: Another pesky "rogue engineer"

      Damn, he outed the government mandated backdoor.

  5. _LC_
    Stop

    Cisco is the backdoor

    Can we just make this short and call Cisco the backdoor?

    By now, there is more than enough evidence to make this a safe claim.

  6. Anonymous Coward
    Anonymous Coward

    Its nice to see that Tech-Valley has finally learned

    From past mistakes and is doing absolutely nothing to get it right.

    Cisco products?

    Just another IoT clusterfck to add to my own personal IoT ban list!

  7. Danny 2 Silver badge

    Faint praise

    I worked for the company that developed the Cisco NMS, and we used to test the hell out of their routers. The best minds of my generation, plus me and one or two other duffers, never found one backdoor or deliberate security issue. That was two decades ago though, I'm a bit dismayed Cisco have lowered themselves to making crap like this.

  8. Destroy All Monsters Silver badge

    UHU

    If they forget about THAT, what ELSE do they forget about?

  9. Anonymous Coward
    Anonymous Coward

    Its just the 3 letter state required login.

    Nothing to see here, now move along.

  10. Ima Ballsy
    Devil

    STFU !!!!

    No way, CISCO has a BUG in it's software ?!?!?!

  11. KLane
    Big Brother

    Darn!

    OK, they found out about that one. Are we still good on the others?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019