Experts disagree about seriousness of IOS code theft

May 24, 2004

While the FBI and Cisco scrambled last week to recover source code stolen from the network giant, expert opinion differs about how serious a threat the incident is for corporate customers.

Published reports last week said as much as 800M bytes of source code from Cisco’s IOS software – the core operating system for its routers – was stolen from a company server and posted briefly on a Russian Web site. The code was taken down shortly after it was discovered.

“Cisco will continue to take every measure to protect our intellectual property, employee and customer information,” Cisco said in a statement last week. “Cisco is working with the FBI on this matter.”

Some observers say the source code theft poses a serious threat to IOS users, and that the Internet (because many backbones are Cisco-based) might be at risk. With the once-proprietary knowledge of IOS’ back doors, hackers could compromise enterprise- and carrier-based Cisco gear and cause havoc. Yet other analysts say the issues are more of a problem for Cisco and the FBI, and less of an end-user worry.

“This is a serious issue for Cisco, but not so serious an issue for enterprises,” says Frank Dzubeck, president of Communications Network Architects. He says this incident is not like the Microsoft Windows source code theft in February, through which vulnerabilities were published soon after. The fact that routing is a more esoteric world is in Cisco’s favor.

“People have been looking at Microsoft’s binary stuff for a long time and they know how the code works,” Dzubeck says. For someone to create and publish a vulnerability in IOS that could harm companies, he would have to understand how IOS works, and how it links to other modules.

“It’s very different from PC software,” Dzubeck says. “And there are much fewer people who know IOS than people who know Microsoft.”

Another observer is more pessimistic.

“I believe there’s an immediate, impending threat out there,” regarding the IOS code theft, says Babak Pasdar, CTO of IGXglobal, an IT security firm. He says because IOS is a proprietary operating system, part of its security is that the public can’t view back doors and vulnerabilities in the code. With the code out of the bag, malicious users could comb through holes known only to Cisco.

“I would bet dollars to doughnuts that Cisco is sitting on a whole bunch of vulnerabilities [in IOS] that are not public,” Pasdar says. “The right thing for Cisco to do is to make public all of its known vulnerabilities and back doors to IOS.”

The IDG News Service contributed to this report.