So it requires a Cisco router that has a default username and password, and the router has to not have any kind of input firewall for its SSH.

Then you log in and install a patched firmware containing your backdoor.

It's hardly Cisco specific. Surely any router (or any device for that matter) that has a known default username and password can be exploited in this way?

Am I missing something here?
hmm I wonder who could be doing this.

https://www.techdirt.com/articles/20140518/17433327281/cisco-goes-straight-to-president-to-complain-about-nsa-intercepting-its-hardware.shtml
FWIW, IOS backdoors were already being researched by 2003; this isn't surprising at all, and I imagine by now the true scope of the problem is a little bigger than a few routers.
This is why your routers should run open source software.
At least then you can reinstall it and be reasonably assured it does not have malware.

Also we need an inventory of where things can be hidden in devices. Are there embedded flash areas? Where are they?

A modern reinstall should:

1) Reinstall the operating system from a known good source.
2) Flash all firmware and flash chips with known good code.

Both operating system and firmware should be open source so you can inspect the code.
First, I don't think this is the NSA. It is far too sloppy for something like this. You probably wouldn't be able to detect them so easily. It could be another nation state though, or a smart attacker. Also, we know that the NSA tries to cover their tracks: http://arstechnica.com/tech-policy/2014/08/snowden-the-nsa-not-assad-took-syria-off-the-internet-in-2012/ "Instead, the TAO's hackers 'bricked' the router, Snowden said. He described the event as an 'oh shit' moment, as the TAO operations center team tried to repair the router and cover their tracks, to no avail."

What I am confused about is that I assumed IOS images were signed. How are people creating backdoored IOS images without failing signature checking? Maybe they patched rommon?
> The initial infection doesn't appear to exploit any vulnerabilities in Cisco devices. Rather, attackers seem to be taking advantage of routers that use passwords that are factory default
Whoever trusts Cisco at this point is living in la-la land, where they refuse to acknowledge the reality that Cisco has been helping governments build surveillance capabilities into its routers to spy on its customers.

Whatever negative impact this has on their own business is fully deserved at this point.