NSA able to compromise Cisco, Juniper, Huawei switches

Florian Weimer fw at deneb.enyo.de
Tue Dec 31 18:40:04 UTC 2013


* Randy Bush:

>> Clay Kossmeyer here from the Cisco PSIRT.
>
> shoveling kitty litter as fast as you can, eh?
>
>> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>
> "The article does not discuss or disclose any Cisco product vulnerabilities."
>
> this is disingenuous at best.  from the nsa document copied in der
> spiegel and now many other places:
>
>   "JETPLOW is a firmware persistence implant for Cisco PIX series and
>    ASA firewalls ..."

There's a limit to what can reasonably be called a *product*
vulnerability.  If you physically plant a bug in a phone, does it
exploit a vulnerability in the phone?  I don't think so.
Theoretically, the manufacturer could have filled it completely with
glue.  But the next step up is drilling out some of that to place the
bug, and then you're looking at tamper evidence, and that's an
extremely difficult matter.

Routers are expected to be modular, so it's difficult to avoid that
they have exposed buses with something that approaches DMA capability.
On-site debugging hooks through JTAG ports or similar might be
essential to reduce downtime in case of severe problems, so I doubt
one can get rid of them.  Same for firmware downgrade and recovery
options.

In the end, the defense has to be political, not technical.  "We don't
want to do this because it's wrong", and not "we can't do this because
it's impossible".  After all, what's possible can change very quickly.
Appeasement in the form of lawful intercept turned out to be a failure:
even if you comply, it's likely that your own, domestic intelligence
agencies consider your infrastructure, you and your colleagues
legitimate targets.
