A recent report from Red Balloon puts the security of millions of Cisco routers around the world to a serious test. The report describes a Cisco router bug, and the exploit built on it, which the researchers have named “Thrangrycat”. It can be exploited to gain access to the data flowing through the huge number of Cisco devices around the world.
The security research firm Red Balloon spent around $60,000 and years of research to bring this vulnerability in front of the world. Cisco routers, specifically the Cisco 1001-X, are vulnerable to compromise, and the consequences could be global. These devices are used everywhere from shopping malls to corporate offices and research institutions.
Cisco Router Bug Is A Physical Flaw
The researchers demonstrated the vulnerability in two steps. First, a bug inside the Cisco IOS operating system allows an attacker to gain root access to the router. Second, using that access, the attacker can disable the router’s most fundamental security feature, known as the Trust Anchor.
Seemingly, the same steps could be repeated across millions of Cisco devices around the world, and the data streams passing through them could be exploited for nefarious purposes.
The Trust Anchor is an additional layer of security put in place by Cisco and acts as the final fail-safe. Several other companies use this type of solution in their hardware products: for example, Apple uses the Secure Enclave, Intel uses SGX, and ARM-based CPUs use TrustZone.
The Trust Anchor was supposed to act as the ultimate barrier against any compromise of the system, but it too had a vulnerability. It is built around a component called an FPGA (Field Programmable Gate Array), an additional processor that sits beside the main CPU, much like a microcontroller.
The difference between an FPGA and a normal CPU is that the FPGA’s circuit can be changed even after the device is already deployed and in use.
How “Thrangrycat” Hack Is Executed
The FPGA’s behaviour is defined by the bitstream, custom code written by the manufacturer itself. The bitstream dictates how the logic gates are wired and would require very high computing power to alter blindly.
Whenever the Trust Anchor detects a compromise, it waits for 100 seconds and then kills the power. The pause is meant for deploying anti-hacking measures.
The researchers found a way around this barrier by locating the reset power pin responsible for that shutdown. They used trial and error on several pins until they found the right one, traced the pin back to the part of the bitstream that controls it, and modified that part.
As a result, the device booted normally even when the Trust Anchor had successfully detected a breach.
The Damage So Far
Cisco has announced a security update and has released a timeline for fixing the issue. However, Red Balloon’s founder, Cui, believes that the vulnerability is at the hardware level.
He demonstrated a physical flaw in the Cisco 1001-X and wants the company to make architectural changes.
No reports of Cisco routers being compromised have been registered yet. However, as shown by Cui and his team, users might not even know that their device had been compromised in the first place.
The solution to this problem, at least for the moment, requires Cisco to invest in fixing this vulnerability before it is too late.