Internet Operators Dig into Fallout from Cisco Code Theft

Router industry analysts and developers verify the theft of Cisco's IOS source and look at the code leak's potential security concerns.

As more details were revealed Monday about the theft of Cisco Systems Inc.s IOS Version 12.3 source code, networking analysts pondered the possible outcomes of the release for individual networks and for the entire Internet.

According to Russian security firm SecurityLab, 800MB of source code from Cisco, including a developmental version of the currently released software, was released. The hackers released a portion of the code on the Internet to prove the theft.

Officials of San Jose, Calif.-based Cisco confirmed the report and said the company is investigating the matter.

The authenticity of part of the code was verified by networking industry heavyweight Tony Li in a posting to the North American Network Operators Group (NANOG) message list. Li was Ciscos technical lead routing software engineer for the GSR 12000 and captained Juniper Networks Inc.s M40 Internet backbone router.

The code "certainly looks [approximately] genuine, with Kirks normal coding style and normal calls to IOS infrastructure routines," Li wrote in a message Saturday.

In an interview, Li said many programmers already have access to the source code. "The social engineering or penetration of their security perimeter is not surprising. But its sure embarrassing for Cisco and their self-defending network [marketing campaign]," he said.

But Internet analysts and network operators gave mixed reactions on the eventual result of the source-code theft. Unlike in a client-side vulnerability, the routers sending Internet traffic will be more difficult targets.

"Very few people bother to directly attack the infrastructure of the Internet," said Bill Woodcock, research director with the nonprofit Internet routing education group Packet Clearing House, of Berkeley, Calif.

"Bad guys might throw eggs at a house, but they usually dont tear down the streetlights," Woodcock said. "The network routers themselves dont usually impinge on the consciousness of the baddies out there."

/zimages/6/28571.gifShould you worry about Ciscos source-code theft? Click here for more experts views.

In an interview with, Woodcock pointed to many limiting factors for a widespread attack from the leaked code. For example, the attacker would need inside knowledge about a particular network as well as the time to examine the code.

Even if an exploit could be realized, he said the attack would be difficult to achieve, since packets must be addressed to the CPU of the router and most packets are already filtered.

Next Page: "An attacker would need a lot of knowledge about the router," Woodcock says.