18510 Views, 15 Helpful, 18 Replies

Backdoor in Cisco Routers and Firewalls.

CiscoRV110W (Level 1)

The more I read about this NSA scandal (and yes, I do consider it a scandal) the less I trust US-based hardware and software companies.  There is no reason for anyone to doubt that all Cisco hardware comes with a backdoor.  Since such backdoors most likely exist it is a matter of time before hackers discover and exploit them.  This has already happened to Microsoft a number of times and there is no reason it could not happen to Cisco.  We no longer trust any of our Cisco hardware and have already started researching network alternatives.

This is no longer a crackpot conspiracy theory, it is reality.

In all likelihood we may use a series of firewalls to further insulate our network from intrusion.  To keep costs down we may keep our existing Cisco hardware in this topology, but we will not replace it with Cisco hardware when it fails or needs to be upgraded.  I am doing the same with my home network.

Over the past few months we have already moved all of our email to secure overseas servers and changed all of our antivirus software from McAfee to AVG and Avast.  We are also researching Linux distros to replace Microsoft.

If Cisco wants to protect their brand they need to either take a stand or see their market share continue to erode.  Surely there is ONE CEO at an American company that will take this stand and be a hero rather than continue to be a lap dog.

2 Accepted Solutions: the reply by Tagir Temirgaliyev ("use open source linux based firewalls and routers") and the numbered reply beginning "1. Show me where Cisco has had a hardware bug/malware in their equipment", both quoted in full in the thread below.

18 Replies

Tagir Temirgaliyev (Spotlight)

Hi

use open source linux based firewalls and routers.

and check source code

Actually this is exactly what we were working on.  Our network now has many layers of security that includes open source Asus routers.  We have an advantage in that our team consists entirely of engineers and programmers who have the technical skills to redesign the network.  We were able to replace the entire network for less than $2000.

Asus has embraced the open source router community much like AMD embraced the overclocking community many years ago.  I predict their router sales will skyrocket as Cisco's continue to decline.

When Cisco welcomed the NSA they sold their soul to the devil.  It is a sad day in America where trust in hardware and software from even former Eastern Bloc countries is higher than that from American companies.

Abandoning Microsoft is our current goal.  This will take more time, but by the end of next year we plan on being Microsoft free.

Where's the proof that Cisco has been in on it? From what I've seen it seems like NSA has tried to implement rootkits and there is as yet no proof that they were successful in doing so.

How will your open source stuff protect you better. Have you checked all of the code? Maybe NSA has already backdoors into that code as well.

Daniel Dib
CCIE #37149

Please rate helpful posts.


I have never used such simple words on a Cisco Technical forum...... but the original poster is a genuine idiot.

Collin Clark (VIP Alumni)

I love conspiracy theories. Even better are the tools that spread them. Feel free to move your gear to China based companies. They have a fantastic reputation of corporate espionage. BTW, I shot Kennedy from the grassy knoll and Elvis lives in my basement apartment.


Yeah, you are right.  I was just being paranoid.  Silly me.

http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/

Do you think if this is possible with one type of hardware it is not possible with other types of hardware?  My biggest concern with these backdoors is NOT that the NSA will hack our systems, it is that the backdoors would eventually be discovered by somebody.

BTW, all of our Cisco hardware was manufactured in... CHINA.

I will keep wearing my tinfoil hat in this case.  Conspiracy theories are only conspiracy theories if they are not proven true.  So my choices are either trust "American" companies with their hardware (which has backdoors) or trust open source equipment which MIGHT have backdoors, but at least the software is reviewable.  Easy decision.

@Daniel.dib

How will your open source stuff protect you better. Have you checked all of the code? Maybe NSA has already backdoors into that code as well.

Actually as I mentioned we are a team of engineers and programmers.  One member of our team has actually been reviewing the Tomato Shibby software on his own - he really enjoys such projects.  He is looking at making some custom firmware based on Shibby.  So far he has not seen anything nefarious, and he is looking.

These are software exploits not hardware ones--big difference. It's an easy fix for you; get off the grid completely. Last I heard almost all vulnerabilities have been removed from paper and pen.

As Cisco moves towards IOS-XE and 64-bit code, they are using more and releasing more open source code. A lot of software has vulnerabilities whether it's a router, an application or an operating system. It's part of technology and moving forward.

You certainly can't expect perfection in Linksys/Netgear/DLink type equipment. It's cheap. It needs to be so the consumer will purchase it. The common person can't secure a router or wireless so how much money should be spent on the development of addressing security holes vs new features? If it were more profitable to fix vulnerabilities, vendors would release firmware updates instead of new models with new features.

These are software exploits not hardware ones--big difference. It's an easy fix for you; get off the grid completely. Last I heard almost all vulnerabilities have been removed from paper and pen.

Yes, for the most part it is a software fix, and that is the niche that open source software such as Tomato, IPFire and PFSense fill very well.  Unfortunately hardware too can contain malware - ever hear of a hardware keylogger?  A router could have a chip "implanted" with similar malware. The line needs to be drawn somewhere so we are focusing on the software end by using Open Source software and focusing on the hardware end by avoiding American hardware.

As Cisco moves towards IOS-XE and 64-bit code, they are using more and releasing more open source code. A lot of software has vulnerabilities whether it's a router, an application or an operating system. It's part of technology and moving forward.

It is going to be tough to trust Cisco again, open source or not.

You certainly can't expect perfection in Linksys/Netgear/DLink type equipment. It's cheap. It needs to be so the consumer will purchase it. The common person can't secure a router or wireless so how much money should be spent on the development of addressing security holes vs new features? If it were more profitable to fix vulnerabilities, vendors would release firmware updates instead of new models with new features.

That paragraph stunned me.  OK, so in summary the average consumer is not worth Cisco's time to bother making the equipment secure even though they have sold untold millions of them over the last decade?  BTW, these "cheap" consumer routers are not just used by us stupid poor citizens, they are often installed in many large corporations at the fringes of the networks, including on production floors- all across America and the world.  It is good to know that none of them should be trusted to be secure.

1. Show me where Cisco has had a hardware bug/malware in their equipment

The line needs to be drawn somewhere so we are focusing on the software end by using Open Source software and focusing on the hardware end by avoiding American hardware.

So you're saying it's OK to have anyone in the world develop the software, but only non-American companies can build the hardware??? Is it OK for North Korea to build our hardware? So the US government should "trust" that hardware built in another country doesn't have any hardware bugs or malware? Why do only American companies build bad hardware?

2. Trust Cisco again? How did they earn your trust in the first place? Seriously. What did they do that made you trust and believe in their products and the company?

3. If you want to bash Cisco's (or Linksys for a while) SMB gear, I'm right there with you. I don't like it either. Their Enterprise and Carrier grade equipment is different though. I think you're talking one end of the spectrum and I'm talking about the other.

You keep mentioning open source (which I fully support), but there's backdoors and bugs in that too. Yes the community can review the code and address any issues, but I don't think that happens as fast as you think it does.

BTW, these "cheap" consumer routers are not just used by us stupid poor citizens, they are often installed in many large corporations at the fringes of the networks, including on production floors- all across America and the world.  It is good to know that none of them should be trusted to be secure.

I think you're starting to get it! They are insecure and can't be trusted and any engineer worth a salt should not permit them on the network.

And stupid and poor are your words, not mine.

1. Show me where Cisco has had a hardware bug/malware in their equipment

Yes, you are right.  It is not a bug - it was an intentional backdoor inserted in the router.  My apologies.

2. Trust Cisco again? How did they earn your trust in the first place?  Seriously. What did they do that made you trust and believe in their products and the company?

Again, you are right.  I was naive to trust Cisco.  I, like many other Americans, thought I could trust American companies who sold us firewalls and gave us the promise that they were secure and that I could trust their word.  I was mistaken.  Again, my apologies.

3...You keep mentioning open source (which I fully support), but there's backdoors and bugs in that too. Yes the community can review the code and address any issues, but I don't think that happens as fast you think it does.

So I guess your argument here is we are better off with proprietary software that has backdoors and bugs than open source software that has backdoors and bugs - since it might take some time for the open source people to find these bugs... but we can accept the buggy backdoored software in the Cisco equipment because it is cheap (per your previous post).  Again, solid reasoning.  For the third time I apologize.

Congrats, you win.  I will even give you a correct answer because your logic is so solid and sound.  Keep doin' what you are doin.

And welcome to the United Surveillance State of America.

1. You still didn't answer the question

2. Show me the promise Cisco, Juniper or the open source community that promises 100% security

3. Personally I prefer a rich feature set with some bugs vs open source taking years to develop new features. Bugs are a trade off that I'm willing to concede.

You're bouncing around between bugs and intentional backdoors. Which are you most concerned with? Are you completely anti-American or just with network equipment?

No need for welcomes, we knew you were here by the rfid chip in your skull.

1. Actually I did many posts ago, but you were too lazy to go back and look.  Here it is:

http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/

But you already pointed out that this is perfectly acceptable if it is a bug because it is a cheap router, but it isn't a bug it is a backdoor so that is ok too.

2.  They never did, but Cisco did - and they broke the promise.  At least with the open source software there is the opportunity to examine the code.  As I already mentioned before one of our staff is now actively involved in the open source community and is building custom code.  He is also looking for backdoors in the released code.

3. So you have never seen open source firewall software capabilities yet claim to know.  Now that we are using it I can tell you that it actually has far more features than the cisco firmware that we were previously using.  FAR MORE FEATURES.  Not only that, my old home firewall (Cisco RV110W) would need to be rebooted on a weekly basis.  The new Tomato-flashed Asus router?  Rock solid for over a month - and again with far more features than the RV110W.  And why is the RV110W web interface so damn slow on page refreshes, even when connected directly to it.  Routers with tomato firmware are instantaneous as should be expected.

So your real concession is that you use buggy (oops, forgot again, those backdoors are intentional so it is ok) proprietary software with fewer features than open source software that is more stable and has more features.  Probably because the open source community has not promised secure equipment while Cisco has, even though they broke that promise.

You are right again -now that I understand what our country stands for I am now officially anti-American.  I was once proud to say I was an American, now I am ashamed as anyone should be.  This is no longer the government of liberty and freedom, it is Orwellian.

BTW, no need for an RFID chip in my skull, just like most Americans I have one in my passport, my driver's license and my credit card.  Plus I can be tracked via my cell phone and my online activity and emails are actively monitored just like everyone elses.

1. Funny, you still have not answered question number one. You think you have, but you clearly did not read and understand the question. Show me where Cisco has implanted backdoor hardware. Not software, hardware or do I need to describe the differences to you?

2. Where and how did Cisco promise you 100% security? I'd like to take a look for myself.

3. You're making an assumption that I've never seen open source firewalls. I have. I had a Linksys at one time and I agree the features were lacking so I tried a couple open source firmwares on it. Being a network engineer I wasn't satisfied with the default software or the open source so I purchased an enterprise firewall. Full of features and code releases for bug fixes. You get what you pay for.

Your "proof" of backdoors is weak. Look at the vulnerability and what you have to do to exploit it. It's hardly an intentional backdoor.

I love your sarcasm. It's a typical response to people that have lost their argument. I'm sorry my common sense and logic befuddled you. You've made your point, you can go back to writing your manifesto now.

http://blogs.wsj.com/digits/2014/05/12/greenwald-nsa-plants-backdoors-in-foreign-bound-routers/

Whoopsie!
