Cisco Security Hole a Whopper

LAS VEGAS -- A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday against threat of a lawsuit.

Michael Lynn, a former research analyst with Internet Security Systems, quit his job at ISS Tuesday morning before disclosing the flaw at Black Hat Briefings, a conference for computer security professionals held annually here.

The security hole in Cisco IOS, the company's "infrastructure operating system" that controls its routers, was patched by Cisco in April, Lynn said, and the flawed version is no longer available for download. But Cisco didn't want the information disclosed until next year when a new version of the operating system would be out of beta testing and ready for distribution.

Routers are devices that direct information through a network. Cisco products account for the majority of routers that operate the backbone of the internet and many company networks.

Lynn likened IOS to Windows XP, for its ubiquity.

"But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

Lynn decided to speak now, he said, because the source code for Cisco IOS was recently stolen for the second time, and he felt he could no longer remain silent.

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

Lynn said that routers with updated firmware would likely be safe for now, but he was concerned that if one flaw existed, others did as well. It was possible to imagine a future scenario in which an attacker could write a worm that swiftly runs through Cisco routers and shuts them down behind it, essentially launching the kind of electronic Pearl Harbor attack that politicians have been warning about for several years.

"There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience.

The flaw that Lynn described would also allow more subtle attacks, because it permits a sophisticated attacker to gain complete control of the router. An attacker could sniff all traffic going over a network and alter it to, for example, read e-mail, prevent it from reaching its recipient or even change words in a message without the correspondents knowing.

During his talk, Lynn demonstrated an attack in real time using his own router, but did not allow the audience to see the steps. The attack took less than a minute to execute.

According to Lynn, ISS was working with Cisco to assess its products when the bug was found. The hole was discovered by reverse-engineering the IOS code.

Lynn said he had approval for his talk from both ISS and Cisco until last Friday, when the two companies suddenly changed their minds and threatened to sue him and conference organizers if he went through with his presentation.

Cisco spokesman John Noh wouldn't comment on whether the company threatened a lawsuit, but said, "Cisco believes the information that Mr. Lynn presented at Black Hat today was illegally obtained."

"It's unfortunate that he took on the route he did," said Noh. "As responsible corporations, Cisco and ISS have a thorough process of disclosure and communication in talking about matters such as this.... Those were the steps we were taking in terms of postponing this presentation."

An ISS representative claimed the company withdrew the talk because the "research wasn't quite complete."

"We were talking with Cisco to make sure the research was valid," said ISS spokeswoman Angela Frechette. "But it was a decision made internally at ISS."

Anghaie said the move made him mistrust ISS.

"A few years ago it was rumored that ISS would hold back on certain things because (they're in the business of) providing solutions," Anghaie said. "But now you've got full public confirmation that they'll submit to the will of a Cisco or Microsoft, and that's not fair to their customers.... If they're willing to back down and leave an employee ... out to hang, well what are they going to do for customers?"

Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."
