Black Hat: ISS researcher quits job to detail Cisco flaws

Users of older versions of Cisco's Internetwork Operating System remain at risk, he says

LAS VEGAS - Internet Security Systems (ISS) research analyst Michael Lynn quit his job to provide information on a serious Cisco Systems router vulnerability at this week's Black Hat USA conference after his company decided not to give a presentation on the flaw.

Lynn felt compelled to quit his job Wednesday morning so that he could give the talk because the Cisco security issues are of vital importance to the Internet's health. "This is the right thing to do," he said, speaking Wednesday to Black Hat attendees, who punctuated his talk with applause. "When you attack the router, you gain control of the network."

Lynn described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, and described the steps he used to gain control of a router. Although Cisco was informed of the flaw by ISS, and patched its firmware in April, users running older versions of the company's software are at risk, he said.

Cisco was unhappy with his talk and had put pressure on both ISS and the Black Hat conference to stop the presentation, Lynn alleged. Cisco could not be reached for comment on this story.

By giving his presentation, Lynn said he hoped to clear up the misconception that Cisco's products are somehow less vulnerable to the kinds of attacks that frequently affect widely used software like the Windows operating system.

"IOS is the Windows XP of the Internet," he said.

After six months of research work, Lynn discovered a way to shut down a Cisco router so that it could not be restarted. In light of the 2004 theft of Cisco's IOS source code, it was possible that attackers could create a devastating worm attack that could shut down many Internet routers, he said.

A recent decision to include a technical feature called "virtual processes" in upcoming versions of IOS would make it easier to create a "routing worm that breaks every router in the world," he said. "When they come out with a version [of their router] with virtual processes, this is a real flaw," he said.

Both Cisco and ISS threatened him with legal action if he gave the presentation, Lynn said. "I'm probably about to be sued into oblivion," he said.

An ISS spokeswoman confirmed that her company asked Black Hat organizers to remove Lynn's presentation, which had included the ISS logo, from the conference materials. While ISS felt that Lynn's presentation required "further review," the company was not planning legal action against its former employee, the spokeswoman said. "There's been no talk of that," she said.

Show organizers literally ripped out the 31 pages containing Lynn's talk from the 1,200-page book of Black Hat presentations handed out to attendees this week. Whether or not the written presentation will be made available remained unclear on Wednesday.

During his presentation, Lynn said he understood how ISS might have had a hard time allowing the talk, given Cisco's objections. "They had to do what was right for their shareholders," he said. "But I had to do what was right for the country and the national infrastructure."

Copyright © 2005 IDG Communications, Inc.