When hackers allegedly broke into Cisco’s corporate network and stole source code for the company’s IOS router software, some feared that malcontents would soon be able to find and exploit flaws in the code to wreak havoc on the Internet. And certainly, the risk of such an attack still remains.
But the biggest damage may end up being that dealt to Cisco’s image. “I would guess that Cisco [Systems Inc.] is more concerned about their loss of intellectual property and the compromises of their security that allowed it,” said Jeff Huegel, director of security at USinternetworking Inc., a hosting and application services provider.
“I would hope that Cisco is also reviewing the lost code to see if they can identify any vulnerabilities and determine if any patches are required.”
Huegel said he isn’t overly concerned about the risks posed by the escape of Cisco’s code into the wild. “Certainly, there is some risk that a dedicated effort to analyze the stolen code could result in discovery of a new vulnerability,” he said.
“But as was the case with the recent theft of Microsoft’s code, rampant identification of serious vulnerabilities and subsequent exploits probably won’t occur.”
The task of finding vulnerabilities within the 800MB of source code allegedly downloaded by hackers off Cisco’s servers is no small matter; it would take a thorough, line-by-line review of the programming code and an extensive knowledge of Cisco router hardware to be able to identify potential vulnerabilities to exploit—ones that were not found by the Cisco developers who wrote the software.
Unless comments were embedded in the code identifying issues that had been left unattended to, it could take months to find such a gap in Cisco’s armor.
Even if a vulnerability is found, it would have to be one that a hacker could execute remotely to pose any sort of threat to Cisco’s customers.
And there’s little in the source code that could easily be leveraged, said Jerry Brady, chief services officer at VeriSign Inc.’s managed security services unit, formerly called Guardent.
“Unlike Windows source code, where there are a lot of arcane proprietary protocols and implementations of protocols that have never seen the light of day before,” Brady said, “the Cisco code uses respected, well-known protocols, and there are lots of people that have already seen the source code—at universities and Cisco partners who need access to the code.”
As a result, Brady said, it’s improbable that hackers will be able to find anything that hasn’t already been addressed by other code reviews. The real damage, he said, is to Cisco’s credibility.
“At the end of the day, how the source code got out originally and whether it indicates a larger security problem at Cisco is the real concern.”
But Brady and others said they doubt that the code was stolen from Cisco’s own network. Because the source is so widely shared, Brady said, it’s more likely that the software was obtained from one of Cisco’s partners’ networks.
Regardless of where the code came from, it’s a black eye for Cisco, right on the heels of the announcement of its strongest quarterly financial performance in years.
And if the code is widely circulated, it could pose even more significant legal concerns—especially if parts of the code leak into open-source projects.
“The big fear is that some curious Linux or other open-source developer is going to get a hold of this code and contaminate a project,” Brady said.
He added that the result could be the kind of ongoing legal conflict that The SCO Group Inc. has been embroiled in over alleged infringements in Linux code.