Michael Lynn is not the only person out there reverse engineering routers, switches, printers and other embedded systems. Lynn's presentation gave far less info than other people have published. One person has published detailed instructions on how to exploit IOS, including code to do the exploit and an example scenario of how to use it. Contrary to what some may be worrying about, it is not the GSRs that are most at risk. It is those old 2500s that are connected to your customers. Imagine that one of those customer routers is exploited, the hacker installs a tunnel, and then proceeds to anonymously probe the customer's network. This is the real risk and it may very well be happening right now to one of your customers.

The following is one of the slides from a Black Hat presentation which is basically a primer on reverse engineering and exploiting embedded systems.

--------8X----------------------
How to protect Cisco specific
! Have no overflows in IOS
! Keep your IOS up to date
! Do not run unneeded services (TFTP)
! Tell your IDS about it. Signature: \xFD\x01\x10\xDF\xAB\x12\x34\xCD
! debug sanity might stop less experienced attackers
! The hard way: config-register 0x00
! Perform logging on a separate segment
! Protect your syslog host
---------8X-----------------------

Other slides in the presentation talk about exploits in networked HP printers and various other brands of switches and routers. I think this should serve as a wakeup call to the entire industry that current engineering practices are not good enough any more. We should all be looking to the security auditing work done by the OpenBSD team for an example of how systems can be cleaned up, fixed, and locked down if there is a will to do so.

--Michael Dillon