'Hard-to-fix' Cisco Flaw Puts Work Email At Risk


Security researchers have discovered serious vulnerabilities affecting dozens of Cisco devices.

The flaws allow hackers to deceive the part of the product hardware that checks whether software updates come from legitimate sources.

Experts believe this could put emails sent within an organisation at risk, as they may pass through compromised routers.

Messages sent externally constitute less of a risk, however, as they tend to be encrypted.

The California-based firm said it is working on "software fixes" for all affected hardware.

Red Balloon Security researchers say they have used a software vulnerability to target and make changes to a piece of hardware called the Trust Anchor on one Cisco router.

"We've shown that we can quietly and persistently disable the Trust Anchor," Red Balloon chief executive Ang Cui told Wired magazine. "That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything."

Security experts believe that the vulnerability could cause a major headache for Cisco, which has listed dozens of its products as vulnerable on its website.

"We don't know how many devices could have been affected and it's unlikely Cisco can tell either," said Prof Alan Woodward, a computer security expert based at Surrey University.

"It could cost Cisco a lot of money."

Some have questioned why such a hack was possible in the first place.

Most companies use hardware where critical security functions exist in a "read only" configuration, meaning that the code in the chip cannot be altered once manufactured, said security expert Andrew Tierney of Pen Test Partners.

"It's a questionable design decision that Cisco hasn't done this."

The solutions available are limited, said Mr Tierney.

"I can't see how a regular user could check whether their device has been hacked and I can't see a way users could secure a compromised device."

Cisco says that because it is repairing a piece of hardware, a fix will require "on-premise reprogramming."

The company wrote on its website that it is "in the process of developing and releasing software fixes for all affected platforms."
