Want CNET to notify you of price drops and the latest stories?

Cisco hits back at flaw researcher

Networking giant and ISS ask a court to silence the security expert who described how attackers could take over Cisco routers.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
LAS VEGAS--Cisco Systems has taken legal action to keep a researcher from further discussing a hack into its router software.

The networking giant and Internet Security Systems jointly filed a request Wednesday for a temporary restraining order against Michael Lynn and the organizers of the Black Hat security conference. The motion came after Lynn showed in a presentation how attackers could take over Cisco routers--a problem that he said could bring the Internet to its knees.

The filing in U.S. District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman.

"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights," Noh added.

Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said.

The legal moves came Wednesday afternoon, only hours after Lynn gave the talk at the Black Hat security conference here. Lynn told the audience that he had quit his job as a researcher at ISS to deliver the presentation, after ISS had decided to pull the session. Notes on the vulnerability and the talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," were removed from the conference proceedings, leaving a gap in the thick book.

Lynn outlined how to run attack code on Cisco's Internetwork Operating System by exploiting a known security flaw in IOS. The software runs on Cisco routers, which make up the infrastructure of the Internet. A widespread attack could badly hurt the Internet, he said.

The actual flaw he exploited for his attack was reported to Cisco and has been fixed in recent releases of IOS, experts attending Black Hat said.

The ISS research team, including Lynn, on Monday decided to cancel the presentation, Chris Rouland, chief technology officer at ISS, said in an interview. "It wasn't ready yet," he said. Lynn resigned from ISS on Wednesday morning and delivered the presentation anyway, Rouland added.

Lynn presented ISS research while he was no longer an employee, Rouland said.

Adding to the controversy, a source close to the Black Hat organization said that it wasn't ISS and Lynn who wanted to cancel the presentation, but Cisco. Lynn was asked to give a different talk, one on Voice over Internet Protocol security, the source said.

But ISS' Rouland said there "was never a VoIP presentation" and that Wednesday's session was supposed to be cancelled altogether.

"The research is very important, and the underlying work is important, but we need to work with Cisco to determine the full impact," Rouland said.

Cisco was involved in pulling the presentation, a source close to the company said. The networking giant had discussions with ISS and they mutually agreed that the research was not yet fully baked, the source said.

The demonstration on Wednesday showed an attack on a directly connected router, not a remote attack over the Internet. "You could bring down your own router, but not a remote one," Rouland said.

One Black Hat attendee said he was impressed with Lynn's presentation. "He got a shell really easy and showed a basic outline how to do it. A lot of folks have said this could not be done, and he sat up there and did it," said Darryl Taylor, a security researcher. "Shell" is a command prompt that gives control over the operating system.

Noh said that Lynn's presentation did not disclose information about a new security vulnerability or new security flaws. "His research explored possible ways to expand the exploitation of existing vulnerabilities affecting routers," the Cisco spokesman said.

Cisco has patched several flaws in IOS over the past year. Last year, the San Jose, Calif., networking giant said that part of the IOS source code had been stolen, raising fears of more security bugs being found.

On Wednesday, Noh reiterated the company's usual advice that customers upgrade their software to the latest versions to mitigate vulnerabilities.

Following his presentation, Lynn displayed his resume to the audience and announced he was looking for a job. Lynn was not available for comment. Representatives of the Black Hat organization said the researcher was meeting with lawyers.