18 comments

[ 4.3 ms ] story [ 45.1 ms ] thread
Which is why banning chinese routers and banning chinese cars than can be remotely disabled by the komrades makes sense.

Selling cars, worldwide, made sense when they weren't always connected to the mother land. Germans selling you a BMW in the 80s? You've got the key: you turn the key. They couldn't turn off all the BMWs if suddenly the US were to be at war with Germany again.

But this madness of cars receiving OTA updates and remote subscriptions and whatnots?

So they burned through weapon stockpile and also through zero day stockpile. Good job, another strategic success which will help in war with China...
Surely they don't need backdoors when they can just exploit the awful network security that American networking equipment vendors already come with out of the box?

The US needed to smuggle Stuxnet in, but with networking equipment there's a treasure trove of shitty practices. Cisco and Juniper have been caught hiding hard-coded password how many times now?

>> Surely they don't need backdoors when they can just exploit the awful network security that American networking equipment vendors already come with out of the box?

For Cisco they literally keep doing it year after year. They are like the Boeing of the IT world. Its unbelievable how they are still in business and growing...and then people worry about Mythos… :-))

Even Bruce Schneier said that Cisco products have had hard-coded passwords made public repeatedly, and "you'd think it would learn.": https://www.schneier.com/blog/archives/2023/10/cisco-cant-st...

Cisco your core vendor...this is way the CEO earns the big bucks...

2010 (CVE-2010-1574): Cisco IE3000 switches shipped with hard-coded SNMP community names public and private.

2017 (CVE-2017-3834): Cisco Aironet 1830/1850 Mobility Express had default credentials that could let an unauthenticated remote attacker take control of the device.

2017 (CVE-2017-6689): Cisco Elastic Services Controller had a default weak hard-coded password for the admin user in the ConfD CLI.

2017 (CVE-2017-12317): Cisco AMP for Endpoints used a static key to protect the connector password

2018 (CVE-2018-0141): Cisco Prime Collaboration Provisioning 11.6 had a hard-coded SSH account password that could allow local access to the underlying Linux OS.

2018 (CVE-2018-0150): Cisco IOS XE had an undocumented privilege-15 account with a default username and password, allowing unauthenticated remote administrative access.

2018 (CVE-2018-15389): Cisco Prime Collaboration Provisioning’s install flow could leave a default hard-coded web admin username/password in place.

2019 (Cisco advisory; credential issue documented in the advisory): Cisco Small Business RV160/RV260/RV340 firmware images were found to contain undocumented accounts and hardcoded password hashes

2021 (CVE-2021-34795): Cisco Catalyst PON ONT devices had a default Telnet credential vulnerability when Telnet was enabled.

2021 (CVE-2021-34757 / CVE-2021-34744): Cisco Business 220 Smart Switches had a static-password issue and a static-key issue

2023 (CVE-2023-20101): Cisco Emergency Responder shipped with static root credentials that could not be changed or deleted, enabling unauthenticated remote login.

2024 (CVE-2024-20412): Cisco Firepower Threat Defense for Firepower 1000/2100/3100/4200 had static accounts with hard-coded passwords

And Juniper? And Fortinet ? Yeap...Our CEOs earn big bucks too...

- Juniper

2015 (CVE-2015-7755 / CVE-2015-7756): Juniper disclosed unauthorized code in ScreenOS that enabled unauthorized remote administrative access and, separately, VPN traffic decryption on affected versions.

2017 (CVE-2017-2343): Juniper SRX Integrated UserFW had hardcoded credentials in its authentication API.

2019 (CVE-2019-0020): Juniper ATP shipped with hard-coded credentials in the Web Collector instance.

2019 (CVE-2019-0030): Juniper ATP used DES with a hardcoded salt for password hashing

- Fortinet

2016 (CVE-2016-1909): FortiOS, FortiAnalyzer, FortiSwitch, and FortiCache had an undocumented Fortimanager_Access account with a hardcoded SSH passphrase.

2019 (CVE-2019-6698): FortiRecorder set a hardcoded admin password on managed FortiCameras.

2019 (CVE-2019-6693): FortiOS / FortiManager / FortiAnalyzer used a hard-coded cryptographic key for sensitive config data

2020 (CVE-2019-16153): FortiSIEM had hard-coded PostgreSQL credentials in its database component.

Cisco continuously blows my mind.

Did you mean to include the Juniper CVE's? In my experience, all vendors are constantly remediating CVE's. I wonder if Cisco has the most vulnerabilities discovered because they also have the most users, largest product offering, highest inventory, etc?

I've had a hell of a time patching Palo Alto's and Fortigates, too. Critical CVEs, day-one RCE attacks. It seems more profitable to rush out new code / new products, and just address vulns as they appear, rather than spending extra development time hardening the software.

Which is why they should have bought networking equipment from their friends.
Turns out, a $14.5 Billion budget can buy some mind-bendingly awesome cyber effects.
(comment deleted)
But why do have all these Intel ME, AMD PSP and ARM TrustZone / Secure Bootloader backdoors in all but RISC-V CPU's now, when they have to reboot poor stupid Jupiter, Cisco, Fortinet, and MikroTik devices? Oh, that's for the real enemies, the socialists. The ones with workers rights.
(comment deleted)
Facebook used to be known for their benefits & perks. Now it is known as San Quentin. I hope their top talent leaves in droves.
Iran clearly has tech/network/hacking capability, while also having unprecidented authority to just do ANYTHING while they do a litteral strategic reboot. Given that Russia and China,(others) are interested in closeing "bugdoors" as well, it is likely that new network systems and protocals will be imposed by these countrys.
Isn't that like saying they made use of projectiles during a shooting war? Color me shocked.
I wonder how much of the world now sees American and Israeli tech as security risk?
Which tech from what country isn’t a risk?

You think if, say, the French develop their own hardware they’re not going to backdoor it and sell it to other countries.

France already is the world’s second largest arms exporter.