IBM ISS Researcher Exposes Holes In Cisco's Internet Surveillance Architecture Wiretapping architecture could be abused by individuals under surveillance and outside attackers; Cisco reviews recommended fixes
WASHINGTON, D.C. -- Black Hat DC 2010 -- An IBM ISS researcher here today revealed major security holes in a little-known wiretapping architecture for IP networks created by Cisco Systems for law enforcement. The weaknesses could result in an attacker interfering with legal surveillance or performing some unauthorized surveillance of his own.
Tom Cross, manager of X-Force Research at IBM ISS, says he first discovered the Cisco Architecture for Lawful Intercept in IP Networks, which was published as an IETF RFC in 2004, four years ago. The document, also known as IETF RFC 3924, is based on the lawful intercept architecture used by the European Telecommunications Standards Institute, and is implemented in Cisco's edge and switch routers -- the 7600, 10000, 12000, and AS5000 series products. Cross says other vendors also have deployed the architecture within their network devices.
Cross says an alleged criminal could discover that he was under law enforcement's surveillance using the current architecture, allowing him to manipulate or corrupt the information collected or to use the surveillance information for nefarious purposes.
Cisco had previously patched a SNMPv3 vulnerability in its router models used in the wiretapping architecture, but Cross says the architecture itself needs some repair, pointing out multiple weaknesses that could be exploited by attackers -- which he says he handed over to Cisco in December 2008.
Jennifer Greeson, communications director at Cisco, who was on hand at Cross' Black Hat presentation, says Cisco has been looking over his recommendations and, perhaps, how to incorporate them, she says.
"We are confident in our framework. That's why we published it: We recognize that security is very important" in this architecture, Greeson says.
Today was the first time Cross -- who says he had to put the effort on the back burner until recently due to other commitments -- has gone public with his research on the wiretapping architecture's weaknesses. Cisco's legal surveillance framework defines the architecture from which the "mediation device" remotely gathers intelligence on behalf of law enforcement from the surveillance target (someone under law enforcement investigation). Vendors such as Digivox, NICE Systems, Verint, and Utimaco make these systems. "The mediation device is the heart of the architecture," Cross says. "It is used by the administrator to provision" the surveillance and sends instructions to the devices that perform the actual surveillance, he says. That information is then reformatted and sent directly to law enforcement, he says.
Cross listed six weaknesses in Cisco's architecture that could lead to security breaches in surveillance: SNMPv3's susceptibility to brute-force credential discovery; password vulnerability in SNMPv3; lack of audit trails; the surveillance output stream's flexibility; the interface's vulnerability to packet-spoofing; and that the RFC doesn't require encryption.
While Cisco has patched the SNMPv3 authentication flaws (CVE-2008-0960), that doesn't mean its customers all have deployed those patches, he warns. Router patching is a particularly onerous process that often gets superseded by operational disruption concerns.
Even so, Cross says the biggest issues are architectural ones that must be fixed by Cisco and the IETF. "These are harder problems that require more thought," he says.
"My greatest concern is the lack of audit trails," he says. An attacker can "turn off" the audit trail, for instance, leaving the victim organization unaware of the activity. Attacks on routers that haven't patched for the SNMPv3 authentication flaw could easily be tracked with traps that monitor for these attacks, according to Cross.
Cross says Cisco's configuration guide for the architecture recommends that network administrators enable SNMP trap notifications to detect potential threats on SNMPv3 authentication, and it "implies" that traps will be sent for packets that carry an incorrect authentication key or any other packet that isn't part of the approved access list.
"I tested this, and there were no authentication traps. So I sent this to Cisco and said it didn't work," Cross says. "Cisco said the implementation was right, but the documentation was wrong [and rewrote the documentation]. So now it no longer says traps are generated.
"But a network administrator would want to know if his network was under attack."
Cross' recommendations to Cisco and the IETF include using a different port for surveillance, such as SNMP over TCP, which would be less prone to spoofing, limiting the addresses for the output stream, and moving notification control into the router configuration so that network administrators won't be able to monitor surveillance or interfere with it.
ISPs in their deployments for law-enforcement surveillance should not only patch for the SNMPv3 flaw, but also use encryption -- namely IPSec encryption, Cross says. Assigning user-group IP access control lists can help seal the authorized user of the lawful intercept action to the proper mediation device, he says. "Also, build out-of-band management networks," he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio