Backdoors Keep Appearing In Cisco's Routers

Over the past few months, not one, not two, but five different backdoors joined the list of security flaws in Cisco routers.

Cisco Architecture for Lawful Intercept

Way back in 2004, Cisco wrote an IETF proposal for a “lawful intercept” backdoor for routers, which law enforcement could use to remotely log in to routers. Years later, in 2010, an IBM security researcher showed how this protocol could be abused by malicious attackers to take over Cisco IOS routers, which are typically sold to ISPs and other large enterprises.

Attackers could exploit these backdoors and not leave any audit trail. That’s how the lawful intercept protocol was designed so that ISP employees can’t tell when a law enforcement agent logs to the ISP’s routers (even though law enforcement is supposed to gain this access with a court order or other legal access request).

Furthermore, this protocol could be abused by ISP employees because no one else working for the ISP could then tell when someone gained access to the routers via Cisco’s Architecture for Lawful Intercept.

New “Undocumented Backdoors” Appear

In 2013, revelations made by German paper Der Spiegel showed that the NSA was taking advantage of certain backdoors in Cisco’s routers. Cisco denied accusations that it was working with the NSA to implement these backdoors.

In 2014, a new undocumented backdoor was found in Cisco’s routers for small businesses, which could allow attackers to access user credentials and issue arbitrary commands with escalated privileges.

In 2015, a group of state-sponsored attackers started installing a malicious backdoor in Cisco’s routers by taking advantage of many of the routers that kept the default administrative credentials, instead of changing them to something else.

In 2017, Cisco, with help from a Wikileaks data leak, discovered a vulnerability in its own routers that allowed the CIA to remotely command over 300 of Cisco’s switch models via a hardware vulnerability.

Five New Backdoors In Five Months

This year has brought five undocumented backdoors in Cisco’s routers so far, and it isn't over yet. In March, a hardcoded account with the username “cisco” was revealed. The backdoor would have allowed attackers to access over 8.5 million Cisco routers and switches remotely.

That same month, another hardcoded password was found for Cisco's Prime Collaboration Provisioning (PCP) software, which is used for remote installation of Cisco’s video and voice products.

Later this May, Cisco found another undocumented backdoor account in Cisco’s Digital Network Architecture (DNA) Center, used by enterprises for the provisioning of devices across a network.

In June, yet another backdoor account was found in Cisco’s Cisco’s Wide Area Application Services (WAAS), a software tool for Wide Area Network (WAN) traffic optimization.

The most recent backdoor was found in the Cisco Policy Suite, a software suite for ISPs and large companies that can manage a network’s bandwidth policies. The backdoor gives an attacker root access to the network and there are no mitigations against it, other than patching the software with Cisco’s update.

Whether or not the backdoor accounts were created in error, Cisco will need to put an end to them before this lack of care for security starts to affect its business.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • kenjitamura
    Really? A company with such massive market share is this egregiously incompetent and shady? All I can say is I hope they go under and no more cisco routers for me.
    Reply
  • mlee 2500
    Very disappointing to hear about this. Security is increasingly becoming a primary driver in the selection of enterprise networking gear, and given that so much of what USED to make CISCO special has now become a commodity, they really don't have room for these sorts of mistakes.
    Reply
  • rantoc
    Cisco seems to be working hard to obsolete themselves in a world that gets somewhat better at taking security seriously - Beside 99% of the IoT devices...
    Reply
  • newsonline.4000000
    Wait until we discover backdoors in intel LAN/Wifi Chips themselves. just wait few years and you will see.

    After the CPU and Cisco , next will come intel LAN , intel Gbit LAN , 10Gbit lan and AC Wifi chips.

    I dont even think it is safe to make your own router/firewall any more , because the Spy reached the chips themselves , you will need to make your own chips which is impossible.
    Reply
  • stdragon
    I love how everyone talks about security within their networks, but have ZERO thought to outsourcing support to India or China. LOL. Oh man...the fail hurts!
    Reply
  • wirefire99
    The evil 20 years ago. Manufacturer says to VAR, give me your customer data so we can give up better pricing. So you either comply or can't remain competitive. Then the manufacturer eventually takes the customer data and bypasses the VAR. VAR goes out of business anyway.... Today it is the same thing in a new market. take your applications and put them on the cloud, cloud has all your data. If someone offers the right price and the right "data breach" occurs someone can get all of your company data without you even knowing.
    Reply
  • AgentLozen
    Doesn't the term "backdoor" imply that it was intentionally put there by the developer?

    How do we know these are backdoors and not just vulnerabilities?
    Reply
  • Christopher1
    AgentLozen, did you not read? Hardcoded passwords and hardcoded 'secret' accounts.
    Sounds like a backdoor and not a simple vuln to me!
    Reply
  • WHAMMO
    username: cisco
    password: password
    Reply
  • aurvondel
    The Cisco Policy Suite bug is just a default password on a linux VM. You can mitigate it trivially with the 'passwd' command.
    Reply