IOS Theft and Telephony: Something New to Worry About

By Ellen Muraskin  |  Posted 2004-05-20

IOS Theft and Telephony: Something New to Worry About

I assured readers with my first column that my job here is to report on VOIP, not to praise it. Which is why Im just as eager as anyone to get a read on the potential seriousness of the Cisco IOS source code theft and its implications for the reliability of IP-based communications.

As reported by a Russian security Web site and confirmed by Cisco, hackers broke into the switching and routing giants network and stole 800MB of source code for IOS 12.3 and 12.3t. The IOS 12.3 operating system powers Ciscos networking product suite, including routers used in homes and small businesses and the 7000 series that makes up the Internet backbone. All of Ciscos infrastructure products—switches and routers—are exposed.

I wrote five days ago that an IP voice application inherits the security of the data network. If someone can hack into your network infrastructure (typically composed of a Cisco router and switches) and bring it down, obviously, thats not a good inheritance. If your voice traffic is using voice over IP, it relies on the network infrastructure being robust. Whether its Ciscos Call Manager or anyone elses IP PBX youre using, a router ם and very likely thats a Cisco router — fronts the system.

Click here to read Ellen Muraskins column "VOIP Is as Secure as You Make It."

That router faces an IP WAN—a managed network—and as such is probably not the first of the hackers targets. But thats not long-term good news, according to my security maven. The first to be targeted may be the wholesale ISPs—the Sprints and MCIs and AT&Ts—whose lines and infrastructure of routers and switches form enterprises WANs as well as the Internet. Bring that network infrastructure down, and your phone and data system goes down with it. That scenario is the reason why many IP PBXs come with PSTN (traditional Public Switched Telephone Network) lifelines.

Three days after the announcement of the theft, Cisco itself has no immediate assurance to offer the press. They officially reply:

    "Cisco is aware that a potential compromise of its proprietary information occurred and was reported on a public website just prior to the weekend. Cisco is fully investigating what happened. As a matter of policy, we take security very seriously and we continue to take every measure to protect our intellectual property, employee and customer information. Cisco will remain focused on its customers success and will continue to monitor the situation."

Ive also contacted major Cisco VOIP systems integrators, none of whom is willing to comment on the potential breach. I finally turned to Christopher King, CCISP, of Principal Security Group and former information security practice director at Greenwich Technology Partners, a major Cisco VAR with an active VOIP practice. I asked him if telecom or IT managers have something new to worry about here. His reply: "Hell, yes."

He described the situation as a waiting game, while hackers study the IOS source for vulnerabilities, manually code attacks to bring down routers and then automate the exploit (the attack) so that it proliferates throughout the Internet.

Next page: What network administrators can do.

IOS Theft and Telephony: Something New to Worry About - Page 2

"LAN-only VOIP should be safe until the exploit becomes automated and makes its way into the corporate intranet— not across the Internet, but carried over inside a portable computer—sneakernet. This is how SQL Slammer and many worms got inside enterprises," King said.

The first routers to be attacked, he surmised, will be the ISPs and the corporate Internet-facing access routers. "The ISP will be the first the feel the Cisco pain. The LAN will be hit after the WAN."

ITs (and by extension, VOIP telecoms) best bet right now, he said, is to vigilantly monitor their perimeter router logs for the anomalies that might suggest assault. "Youre not going to know if anything goes wrong until it does," King said. "The idea is that youve been doing this all along, so that you recognize something out of the ordinary. But the hard part for a network administrator is to figure out what constitutes an anomaly. Typically, no one vigilantly monitors their routers and switches for security anomalies."

Isnt there anything in particular to look for? Abnormally high CPU and memory utilization, and excessive dropped packets, King suggested, for starters. "A lot of out-of-the-ordinary log events suggest that the router is trying to do something it shouldnt."

For more opinions on the fallout from the Cisco source code theft, see Channel Zone Editor Steven J. Vaughan-Nichols "Cisco Needs to Come Clean."

Firewalls are not capable of blocking these types of router-based hacks, King said. Even NIDS (network intrusion detection systems) are useless because they are reactive; the pattern of the exploit— the signature—is not yet known and therefore cannot be recognized. And with the size of this exposure—800MB of source code—King agrees that we could be looking at a series of varying attacks across a multitude of IOS-based platforms.

"Typically there are two routers outside corporate firewalls, meaning your telco routers, like AT&T owns. Outside the corporate firewall is a corporate router, too—the demarcation point where the ISPs router connects to the corporations. If Im a hacker, I do a trace route to to find out the path of IP addresses to a companys Web server and then figure out their architecture and pinpoint the router. Theres my target. There are some unprotected routers on the network."

Routers outside the firewall are more vulnerable, but if somebody can subvert a routing protocol (which runs across firewalls), then inside routers can be compromised, too, King said.

The source code theft is not only a potential threat but a major embarrassment to the voice division of Cisco, which has had to reassure potential customers afraid to commit their phone systems to Windows 2000, the OS of the Call Manager core IP PBX. Cisco has pointed out that this Windows is a closed, hardened, proprietary version, therefore not prey to Microsofts hacker vulnerabilities or the system crashes of co-resident programs. Industry wisdom, in fact, was that Cisco was planning on defusing the issue by porting Call Manager to Red Hat Linux. Now its Ciscos own OS thats caught in the crosshairs.

Check out eWEEK.coms VOIP & Telephony Center at for the latest news, views and analysis on voice over IP and telephony.

Rocket Fuel