
Summary:

The U.S. networking equipment manufacturer, which has already warned over the revenue implications of the Snowden revelations, says it is trying to find out more about the NSA’s alleged exploitation of its security architecture.


Cisco is investigating a claim by Germany’s Der Spiegel that the company is among many whose devices have been backdoored by the NSA to assist in the agency’s espionage efforts.

The Sunday article, which was based on leaked NSA documents, said a specialist NSA hacker unit had “burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei.” The report also named a variety of other manufacturers, both American and non-U.S., as targets of NSA cracking.

In the case of Cisco, documents published by Der Spiegel on Monday show the affected products to include the company’s 500-series PIX and ASA (5505, 5510, 5520, 5540 and 5550) firewalls. However, the documents date back to 2007, and newer products may also have been cracked.

In a blog post on Sunday, Cisco said it was “deeply concerned with anything that may impact the integrity of our products or our customers’ networks” and was trying to find out more about the claims.

Cisco Chief Security Officer John Stewart wrote:

“We are committed to avoiding security issues in our products, and handling issues professionally when they arise. Our Trustworthy Systems initiatives, Cisco Secure Development Lifecycle, Cisco Common Crypto models, and Product Security Incident Response Team (PSIRT) and Vulnerability Disclosure policies are all industry-leading examples of our commitment to our customers. This is central to how we earn and maintain trust.

“At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it.

“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products.”

The company also published an official security response late on Sunday, saying it had requested Der Spiegel’s documents and noting that “Cisco development policies prohibit any product behaviors that weaken the security posture of a Cisco device.” This document may not be useful just yet, but it could be updated in future as and when the company has more to tell its customers.

Although the new revelations aren’t exclusively about American firms – Huawei aside, the firmware in Samsung hard drives has apparently also been targeted – they will no doubt add to distrust outside the U.S. of equipment coming from that country. Cisco must be particularly sensitive to backdoor claims at the moment; its revenue warning in November was one of the first from a major U.S. firm to suggest foreign customers have reacted to Edward Snowden’s disclosures by putting big orders on hold.

U.S. manufacturers of networking equipment have long been required by a law called CALEA to build surveillance capabilities into their products. So when Cisco says it never works with governments to include backdoors, it’s worth noting that the company has several pages online describing the “lawful intercept” capabilities built into some of its equipment, allowing voice and data wiretaps.

This article was updated at 5.45am PT to include reference to the specific Cisco firewall products that are affected.


  1. David, your comments on CALEA seem somewhat out of context. Most Service Providers on a global basis are required by law to support wire tapping as part of their license. CALEA is just the US version of a generic concept of Lawful Intercept (key word here being lawful). Any vendor wanting to sell to US carriers would need to support this, not just US vendors. As you note the support of the specs is public. IMO this is very different from building in non public ‘backdoors’.

    1. It’s certainly a different kind of backdoor, but public/mandated or not, it’s still a backdoor — and should be mentioned in the context of the wording of Cisco’s post.

      1. David,
        Whilst I agree that vendors often will not always give the full picture, the subjects of Lawful Interception versus non-designed in security back doors are really very different. Indeed, the security involved around the ability to wiretap a target’s communications usually involves warrants and court authority, and extremely tight security to access the capability within the service provider (often requiring the specific staff to have high level security clearance and in some countries, a Tempest qualified room for the security staff to operate in). Whilst the capability may not be general knowledge, it’s definitely a secure “side door” more than hidden access.

        1. Rob

          I agree. The CALEA technology is more like a public front door. The sorts of things being described in Der Spiegel seem completely different. There’s a detailed, more technical article on this on The Register

          http://www.theregister.co.uk/2013/12/31/nsa_weapons_catalogue_promises_pwnage_at_the_speed_of_light/?page=2

  2. I don’t think there are modules used in Cisco devices (inside) for wiretapping. Can’t accept false allegations. They may have the capability to tap things. It’s a kind of ethical hacking. But, it doesn’t mean that they are the culprit. Nevertheless, they are the best!

  3. It doesn’t concern me too much that the NSA has this information, as they are on “our” side for the most part. What concerns me is that if the NSA has it, there’s a high likelihood that people who are not on our side probably have it too…

  4. haha, the play dumb strategy

  5. If I were a user of security equipment concerned that I actually meet the security requirements of my service level agreements, then I would design my own equipment. There is no nuance in security, the door is either open or it is closed. If you want real security do not purchase American made equipment designed to secure assets from everyone except the NSA.
    Build your own gear or suffer the consequences like Google, Yahoo, Microsoft, Cisco…..
