Cisco's IOS Code 'Compromised'
Hackers have obtained source code for Cisco Systems Inc.'s (Nasdaq: CSCO) Internetwork Operating System (IOS) 12.3 Operating System, according to a report released over the weekend.
The significance is hard to determine, but it could help hackers identify security vulnerabilities that would enable them to disable routers and take down parts of the Internet.
The risk of this happening depends on how many security vulnerabilities exist in the code and what exactly has been stolen. Different versions of IOS Release 12.3 are used in a wide variety of Cisco equipment, including its 7000 series routers and Catalyst 6000 switches (see Cisco's Release Notes).
Cisco issued the following statement this morning: "Cisco is aware that a potential compromise of its proprietary information occurred and was reported on a public website just prior to the weekend. The Cisco Information Security team is looking into this matter and investigating what happened."
Russian Website SecurityLab.ru broke the news of the IOS theft. One of the parties claiming responsibility fed snippets of code to the site's administrators as proof of the deed; the snippets are posted at http://www.securitylab.ru/45222.html and http://www.securitylab.ru/45223.html.
To the extent that Web translations can be trusted, the site appears to be saying Cisco's network was hacked, leading to 800 Mbytes of source code being taken.
There's a chance it's the real thing. Routing expert and former Cisco employee Tony Li posted to a mailing list for the North American Network Operators' Group (NANOG) saying the code appears "(approximately) genuine" and includes "normal calls to IOS infrastructure routines." Comments in the posted code indicate it was written in June 1996 by Kirk Lougheed.
On the plus side, router code is more complex than Microsoft Corp. (Nasdaq: MSFT) code. Routing expertise isn't as widespread as PC operating system knowledge. And to do any damage, a hacker probably would have to determine how the modules link to each other and find vulnerabilities in those links, says Frank Dzubeck, president of consulting firm Communications Network Architects.
Another factor is the age of the compromised code. Newer elements of IOS haven't been implemented yet or, in the case of IPv6, may apply primarily to Asia but not to Cisco's entire customer base, making any damage less apocalyptic. On the other hand, certain aspects of routing code trace back to IOS's beginnings; should that code fall in the wrong hands, it could force Cisco to issue patches applying to every prior release, a case worse than what Microsoft faces with its patches, Dzubeck says.
"There are people running [Cisco code] six or eight releases back," he says. "The average guy running a small router never changes code. And then, AT&T and some of these big guys are running several different instances of code."
Possibly worst of all, though, are the implications to Cisco's business should the code become public domain. "Now you have no problems with any vendor being compatible with Cisco. You suddenly reduce the hardware to a commodity," Dzubeck says. "It would disenfranchise Cisco, because if you ask what Cisco is as a company, it's IOS."
Of course, Cisco could try to litigate or use the criminal justice system to track down the thieves, if in fact their were any -- but even then it will be hard to undo any damage.
That -- along with the possibility that Cisco's own network was breached, bringing its security features under question -- makes Cisco's explanation of the weekend's events crucial. "This week, a whole lot of information has to come out of Cisco," Dzubeck says. "If they stonewall, there are going to be a lot of problems."
— Craig Matsumoto, Senior Editor, Light Reading