Cisco hit by source code leak

Cisco Systems is investigating a security breach that may have resulted in the theft of its router operating system source code.

Last week, attackers broke into Cisco's corporate network and made off with some 800MB of Cisco's IOS 12.3 and 12.3t software, according to Russian security company SecurityLab.

A 2.5MB chunk of code presented as a sample of the Cisco software was later posted on an Internet Relay Chat channel, several independent reports claimed.

"We are aware that a potential compromise of proprietary information occurred, and has been reported on a public website," said Cisco spokesman David Cook.

"A Cisco security team is looking into this matter and investigating what happened."

A person using the alias Franz posted two portions of source code, amounting to a total of 2.5MB, on an IRC channel as proof of the successful hack, according to SecurityLab.

The company has published the first 100 lines of each sample on its website, one called "ipv6_discovery_test.c", copyrighted 2003 and attributed to Ole Troan, and one called "ipv6_tcp.c", copyrighted 1996 and attributed to Kirk Lougheed. Lougheed led development of the operating system for Cisco's first router, the Advanced Gateway Server, according to Cisco, and Troan also appears to be an employee.

The public exposure of Cisco's source code will be highly embarrassing for the company, and could pose a security risk to the internet. Because it is written in a language that is human-readable, source code makes it easier for outsiders to understand how a piece of software works - and to find security holes.

Theoretically, a major flaw discovered through this method could allow attackers to launch denial-of-service attacks on the networking devices at the backbone of the internet. Cisco controls 62% of the core router market, according to market research firm Dell'Oro Group.

However, possession of source code does not necessarily mean that new flaws will be discovered; they can only be found if Cisco has overlooked them in the first place.

In February, source code for parts of Microsoft's Windows 2000 and Windows NT appeared on the internet, and a security researcher said he found a minor Internet Explorer bug by analysing the code. However, the flaw had already been found and patched by Microsoft during an internal source-code audit.

Attacks on networking hardware flaws are less common than on servers or desktops, experts said. Cisco warned of major security issues last July and in March and April, among others, but none have resulted in attacks to date.

Matthew Broersma writes for
