STE WILLIAMS

SYNful Knock is no Stuxnet, says researcher

Yet another set of shivers is running up spines at Cisco, with a researcher from Grid32 claiming that “rooting” the company’s IOS firmware isn’t as hard as people think.

The issue of compromised firmware arose in August when the company first warned that its ROMMON firmware images could be replaced with a compromised version by a malicious admin.

The vulnerability, since dubbed “SYNful Knock”, has been spotted in the wild, with Cisco working hard to identify embaddened boxen.

It’s been widely assumed the only reason SYNful Knock and similar attacks aren’t widespread is the arcane nature of firmware hacking – and that’s what Grid32’s Luka Balic has decided needs wider discussion.

In this paper (PDF), Balic says the idea that a firmware-based attack “involves advanced knowledge or nation state level resource” is a “common misconception”.

While the 32-page paper isn’t quite messing about with trivia, Balic reckons the work involved needs far, far less than such sophistication: “a week’s worth of studying PowerPC assembly, a week’s worth of studying disassembly, and about a week’s worth of writing code and debugging time” is sufficient, he claims, for anyone with the basics of assembly language under their belt to create a firmware-based rootkit.

“Binary modification to the firmware of a Cisco device running IOS merely involves basic coding skills, knowledge of assembly language for the target architecture, a base level knowledge of disassembly, combined with time and interest”, Balic concludes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/10/13/synful_knock_is_no_stuxnet_says_researcher/
