SecurityFocus, 2005-07-29
LAS VEGAS -- A researcher who showed off a way to remotely compromise Cisco routers has to turn over all materials and agree not to further disseminate information on the flaws or the technique he used to run code on the popular network hardware.
The settlement, finalized Thursday afternoon, brought to a close a controversy that exploded on Wednesday morning when researcher Michael Lynn tendered his resignation to network protection firm Internet Security Systems in order to give a presentation on Cisco security at the Black Hat Security Conference.
"I think I did the right thing, but it was scary," he told reporters in Las Vegas at a Thursday afternoon press conference. "There was a potential for a serious problem coming in the future. I didn't think that the nation's interests were served by waiting a year, when there would be a possibility of a router worm."
Lynn and his attorney agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research, and from presenting the same material at the DEF CON hacker convention, which follows Black Hat. In addition, Lynn must hand over the names of any Web sites or people to whom he gave or sold the information. The permanent injunction does not prevent Lynn from doing further research on Cisco products, provided it is done legally.
Cisco disputed that Lynn's actions were aimed at helping protect the Internet.
"Cisco's actions (regarding) Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure," the networking giant said in a statement on Thursday. "It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet."
On Wednesday, Lynn showed off a way to compromise Cisco's Internetwork Operating System (IOS), the core software for the company's popular routing and gateway hardware. Using such techniques, which Lynn and other security experts believe the Chinese are likely already exploiting, an attacker could execute arbitrary code on Cisco routers rather than merely crashing them.
While some security experts at Black Hat said that they never doubted running code on the routers was possible, the prevailing wisdom had been that Cisco network hardware had enough safeguards in place that externally supplied code could not be executed on the systems, and that the practical impact of IOS flaws was limited to denial of service.
"No one really thought this (running code on Cisco routers) was possible, until Wednesday, so no one really looked to defend against it," Lynn said. "A router is like any computer in that, when it has a vulnerability, you can hack it."
The presentation followed three weeks of negotiations between Cisco, Internet Security Systems and the Black Hat Conference management to resolve the situation. Under pressure from Cisco, ISS had withdrawn the presentation on Monday, and the Black Hat Conference management allowed the networking giant's employees to tear the 10-page presentation out of the printed conference proceedings.
The settlement is reasonable, said Jennifer Granick, executive director for Stanford University's Center for Internet and Society and the attorney representing Lynn in the negotiations. Because it does not prevent Lynn from further research into Cisco's hardware and software, provided access to both is done legally, the researcher can continue to analyze Cisco's security measures, she said.
Moreover, Lynn would have been at a disadvantage if he tried to fight the networking giant, she said.
"Cisco has a gazillion dollars and he is an unemployed guy," Granick said. "It is hard to take on someone with deep pockets."
Other researchers believed that the settlement prematurely closed the chapter on a case that could have highlighted the legitimate concerns of independent security researchers.
"The whole attempt at security through obscurity is amazing, especially when a big company like Cisco tries to keep a researcher quiet," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security.
Cisco will likely need to repair relations with the security research community, if they want cooperation, rather than contention, in the future, Maiffret said.
"People are definitely going to want to find more vulnerabilities," because they know they can gain control of a router, he said. "And now people aren't going to care to report things to Cisco."
The incident also foreshadows what future legal disputes might look like, said Stanford's Granick. Cisco had argued during the talks that reverse engineering violates its end-user license agreement (EULA). Such "no reverse engineering" clauses are a common provision in software licenses, and while the average user has little reason to care about them, the provision could stifle legitimate security research if courts agree to enforce it, she said.
"You have EULAs that tell people they can't reverse engineer and companies who are ready to levy the most severe penalties for anyone who breaks those agreements," Granick said. "It is time to begin to worry about the rights that companies are trying to take away from us."