Skip to main content

Internet of Things? Cisco can’t cope with securing the things we have already

Yet another widespread security threat has emerged, one that affects thousands of pieces of networking hardware, once again with Cisco's name attached.

Yesterday, the networking giant pushed out several patches to fix security vulnerabilities in some of the most popular wireless LAN controllers deployed in many small-to-mid-sized businesses. The controllers manage connected access points, among them Cisco's line of Aironet access points, which are mentioned in Cisco's security bulletin as hardware that is also susceptible to being compromised.

The security fixes address two critical vulnerabilities: The ability of a hacker to flood networks which have this hardware deployed with denial-of-service attacks (potentially bringing a business network to a dead stop); and giving an attacker "unauthorised, privileged access to the affected device."

Just last month, we had reports of the "Moon Worm" threat affecting Cisco Linksys-branded routers (equipment made before Belkin bought Linksys). Cisco-branded Linksys routers for consumers and small businesses, including the E4200, E3000, and E1200 were discovered vulnerable to a worm that "connects to port 8080 and uses the Home Network Administration Protocol (HNAP) to identify the make and firmware of the compromised router. It then exploits a CGI script to access the router without authentication and scan for other vulnerable boxes."

While Cisco has been responsive and patched the threats, they come as the company is making a huge push for the "Internet of Things." At this year's CES, CEO John Chambers made clear that Cisco's direction is very much towards IP video and Internet/network-connected everything.

Chambers spoke enthusiastically of a world where every gadget and household item is IP-enabled and connected. He spoke of scenarios such as smart shopping carts that would personalise your shopping experience, and Internet-connected street lighting to help reduce crime and serve double-duty as electric car chargers.

And it wasn't just Cisco banging loudly on the "connected everything" drum. At a CES panel on the future of the wireless industry, four leaders in the space – Ericsson's Arun Bhikshesvaran; Scott Pomerantz, a Broadcom senior vice president and general manager; Derek Peterson, senior vice president of Engineering for Boingo; and Edgar Figueroa, the CEO of the Wi-Fi Alliance – spoke with just as much vigour about a connected world.

During the session, I asked Pomerantz how wireless companies were assuring customers about the security of a connected world? He answered rather sharply, insisting that the industry wasn't pushing – the Internet of Things is what the public wants.

That may be true. However, I also don't want my credit cards or bank account hacked because I have some freaking high-tech IP-enabled toothbrush that transmits my gum health to my dentist.

Networking vendors and the wireless industry must do a better job assuring us that they are doing everything they can to keep our privacy and data safe even as they bombard us with utopic visions of a connected world. Almost daily news of discovered vulnerabilities in equipment that's been around for years and should be safe really doesn’t help to assuage our security fears.