Skip to main content

Backdoors Keep Appearing In Cisco's Routers

Over the past few months, not one, not two, but five different backdoors joined the list of security flaws in Cisco routers.

Cisco Architecture for Lawful Intercept

Way back in 2004, Cisco wrote an IETF proposal for a “lawful intercept” backdoor for routers, which law enforcement could use to remotely log in to routers. Years later, in 2010, an IBM security researcher showed how this protocol could be abused by malicious attackers to take over Cisco IOS routers, which are typically sold to ISPs and other large enterprises.

Attackers could exploit these backdoors and not leave any audit trail. That’s how the lawful intercept protocol was designed so that ISP employees can’t tell when a law enforcement agent logs to the ISP’s routers (even though law enforcement is supposed to gain this access with a court order or other legal access request).

Furthermore, this protocol could be abused by ISP employees because no one else working for the ISP could then tell when someone gained access to the routers via Cisco’s Architecture for Lawful Intercept.

New “Undocumented Backdoors” Appear

In 2013, revelations made by German paper Der Spiegel showed that the NSA was taking advantage of certain backdoors in Cisco’s routers. Cisco denied accusations that it was working with the NSA to implement these backdoors.

In 2014, a new undocumented backdoor was found in Cisco’s routers for small businesses, which could allow attackers to access user credentials and issue arbitrary commands with escalated privileges.

In 2015, a group of state-sponsored attackers started installing a malicious backdoor in Cisco’s routers by taking advantage of many of the routers that kept the default administrative credentials, instead of changing them to something else.

In 2017, Cisco, with help from a Wikileaks data leak, discovered a vulnerability in its own routers that allowed the CIA to remotely command over 300 of Cisco’s switch models via a hardware vulnerability.

Five New Backdoors In Five Months

This year has brought five undocumented backdoors in Cisco’s routers so far, and it isn't over yet. In March, a hardcoded account with the username “cisco” was revealed. The backdoor would have allowed attackers to access over 8.5 million Cisco routers and switches remotely.

That same month, another hardcoded password was found for Cisco's Prime Collaboration Provisioning (PCP) software, which is used for remote installation of Cisco’s video and voice products.

Later this May, Cisco found another undocumented backdoor account in Cisco’s Digital Network Architecture (DNA) Center, used by enterprises for the provisioning of devices across a network.

In June, yet another backdoor account was found in Cisco’s Cisco’s Wide Area Application Services (WAAS), a software tool for Wide Area Network (WAN) traffic optimization.

The most recent backdoor was found in the Cisco Policy Suite, a software suite for ISPs and large companies that can manage a network’s bandwidth policies. The backdoor gives an attacker root access to the network and there are no mitigations against it, other than patching the software with Cisco’s update.

Whether or not the backdoor accounts were created in error, Cisco will need to put an end to them before this lack of care for security starts to affect its business.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.