The security firm Red Balloon has discovered two vulnerabilities in the new Cisco series of routers, which has ramifications for all of the company’s devices.
These findings will likely have implications for all of the company’s enterprise devices issued since 2013. Working with the new Cisco 1001-x series router, the company discovered that remote attacks could allow a hacker to compromise all data and commands passing through it.
Red Balloon, Red Flags
The first of the bugs that Red Balloon found was in Cisco’s IOS operating system, and it can easily be fixed with a software patch. However, it gets much worse.
With the second vulnerability found, a hacker could easily bypass the fundamental security protections known as Trust Anchor if they were to gain root access. A hacker could even quite easily shut it down quietly, as Red Balloon has demonstrated. This vulnerability applies to most Cisco devices in use today.
The Trust Anchor has been implemented on every enterprise device by Cisco since 2013. What this means is that it is possible to bypass the Trust Anchor on hundreds of millions of Cisco devices around the world, everything from routers to firewalls. Given the ubiquity of its products, the ramifications of this discovery cannot be overstated.
Cisco Affecting Hundreds of Millions
Ang Cui, founder and CEO of Red Balloon, has said that the discovery has ramifications for so much of our digital infrastructure. As he told Wired:
“We’ve shown that we can quietly and persistently disable the Trust Anchor… we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product.”
The good news is, however, that a hacker would need to gain root access before attempting to bypass the Trust Anchor. Given how easy it was to gain root access through a basic software bug, this might not be as difficult as it seems. Once root access is gained, the Trust Anchor bypass becomes very easy to exploit.
The discovered vulnerabilities highlight how risky it is to allow for a single company to calibrate internet access for hundreds of millions. Because Cisco produces the hardware and software as a package for its routers, any vulnerabilities may very well affect all of its products.
Ultimately, Cisco’s standardized IOS is a massive red flag, to begin with. The damning findings by Red Balloon further show the need for a stronger push towards more decentralized forms of internet access.