Shadow Brokers Leak Just Revealed How The NSA Broke American-Made Encryption


If the Shadow Brokers' leak of NSA files is legit, as is now all but confirmed, they have offered a glimpse into how the intelligence agency exploited security systems created by American tech vendors. And one of the vulnerabilities has offered proof of just how the US' finest digital spies were able to snoop on encrypted communications, in particular those provided by Virtual Private Networks (VPNs).

The weakness resided in Cisco's PIX product, discontinued back in 2009, according to an analysis by London-based security researcher Mustafa Al-Bassam. The so-called BENIGNCERTAIN exploit dropped by the Shadow Brokers was not dissimilar to the infamous Heartbleed hacks of 2014: the snoop would send specially crafted requests to a Cisco PIX server - in this case what's known as an Internet Key Exchange (IKE) packet - that would cause the device to dump pieces of its memory in its replies. Keep doing that and eventually the hacker could get the passwords for the PIX devices. The firewall could then be hacked.

As PIX firewalls were used to run VPNs using a protocol called IPSec, any organizations using the Cisco product for such supposedly secure communication could have been spied on by the NSA with apparent ease. Al-Bassam gave the vulnerability a cute name to boot: PIXPocket.
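As an added, illustrative example (it is not from the article, from Cisco, or from Al-Bassam's analysis): a small Python detector that a network defender could run over firewall flow records to spot the pattern described above, namely one external source repeatedly hitting the IKE port in a short window, and IKE replies that are many times larger than the requests that triggered them, which is what a reply carrying leaked memory would look like. The record format, the thresholds, the addresses and the timestamps are all constructed assumptions for the example; the format is a simplified key=value flow line, not Cisco's own syslog output.

```python
"""Heuristic detector for Heartbleed-style IKE memory-leak probing.

Two signals are checked on UDP/500 and UDP/4500 (IKE and NAT-T) traffic:
  1. request rate: one source sending more than `max_per_window` IKE packets
     within `window_s` seconds (repeated probing is how a leak is harvested);
  2. response asymmetry: an IKE reply far larger than the request it answers.
Log format, thresholds and sample data are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

IKE_PORTS = {500, 4500}  # assumption: IKE on UDP/500, NAT-T on UDP/4500

# Constructed flow-record format: "<ts> src=<ip> dst=<ip> proto=<p> dport=<n> in=<bytes> out=<bytes>"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) in=(?P<inb>\d+) out=(?P<outb>\d+)$"
)


def parse_record(line):
    """Parse one constructed flow line into a dict, or return None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
        "in": int(m["inb"]),
        "out": int(m["outb"]),
    }


def is_ike(rec):
    return rec["proto"] == "udp" and rec["dport"] in IKE_PORTS


def detect_ike_probing(lines, window_s=60, max_per_window=20, max_out_ratio=4.0):
    """Return a list of (finding, source_ip, iso_timestamp) tuples, in detection order."""
    findings = []
    recent = defaultdict(deque)  # src -> timestamps of its IKE packets inside the window
    flagged_rate = set()         # report the flood finding once per source
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_ike(rec):
            continue
        # A well-formed IKE reply is roughly request-sized; a reply many times
        # larger than the request is consistent with memory contents leaking out.
        if rec["in"] > 0 and rec["out"] / rec["in"] > max_out_ratio:
            findings.append(("oversized_ike_response", rec["src"], rec["ts"].isoformat()))
        # Sliding window of IKE packets per source.
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_per_window and rec["src"] not in flagged_rate:
            flagged_rate.add(rec["src"])
            findings.append(("ike_request_flood", rec["src"], rec["ts"].isoformat()))
    return findings


def build_sample_logs():
    """Constructed sample records (RFC 5737 documentation addresses, not real traffic)."""
    lines = [
        # A legitimate VPN peer: request and reply sizes are close to each other.
        "2016-08-17T10:00:01Z src=198.51.100.5 dst=192.0.2.1 proto=udp dport=500 in=336 out=348",
        "2016-08-17T10:00:02Z src=198.51.100.5 dst=192.0.2.1 proto=udp dport=4500 in=228 out=236",
        # HTTPS traffic is large but not IKE, so it is ignored by the detector.
        "2016-08-17T10:00:03Z src=198.51.100.9 dst=192.0.2.1 proto=tcp dport=443 in=512 out=9000",
    ]
    # 25 IKE packets from one external source inside one minute; the last reply is oversized.
    for i in range(25):
        out = 3200 if i == 24 else 404
        lines.append(
            f"2016-08-17T10:05:{i:02d}Z src=203.0.113.7 dst=192.0.2.1 proto=udp dport=500 in=396 out={out}"
        )
    return lines


if __name__ == "__main__":
    for finding in detect_ike_probing(build_sample_logs()):
        print(*finding)
```

With the constructed data the detector reports the flood once, at the 21st packet from 203.0.113.7, and the oversized reply on the final packet; the legitimate peer and the HTTPS flow produce nothing. The thresholds are starting points only: a busy VPN concentrator will see far more than 20 IKE packets a minute from a single site-to-site peer, so the window and ratio should be tuned against a baseline of known-good peers before the rule is used for alerting.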

Though Al-Bassam wasn't able to test the exploits on a real Cisco firewall, others were. Researcher Brian Waters tweeted to show how he was able to grab test passwords for his PIX box.

A Cisco spokesperson said: "There is not a current PIX version to evaluate or update, and PSIRT has confirmed for me that the investigation so far has not identified any new vulnerabilities in current products related to the exploit you mention." The spokesperson also pointed FORBES to the company's end-of-life policy.

But whilst Cisco stopped selling PIX kit in 2009, many are believed to still use the tool. Using Shodan, a search tool for internet-connected devices, it was possible to find more than 2,000 servers just by entering "PIX". Many appeared to be Cisco products.

Even if few PIX tools remain in use, according to Al-Bassam, the leak would indicate that between 2002 and 2008, the NSA was able to break Cisco security. "Rewind a little bit and you had the biggest governments and businesses on PIX, and an intelligence agency potentially with a command line tool to get access. And nobody even understands how. That is crazy," said British malware researcher Kevin Beaumont.

"The Snowden files made reference to the NSA having VPN access... I think we may know how finally."

NSA owns VPNs

Edward Snowden leaks previously showed just how keen the NSA was to expose encrypted comms and how successful it was in cracking VPNs open.

As noted in a Der Spiegel article from December 2014, the NSA claimed an astonishing rate of success against VPNs. By late 2009, the same year Cisco discontinued support for PIX, the agency was processing 1,000 requests an hour to decrypt VPN connections. It expected to be doing 100,000 per hour by the end of 2011.

Though documents indicated the NSA was more than capable of breaking VPN encryption, the BENIGNCERTAIN leak has provided the first evidence of just how the agency could do it.

Cisco isn't the only vendor affected by the Shadow Brokers' escapades: rival Juniper Networks told FORBES it continued to assess if its products are affected by the leaks, whilst Fortinet provided a patch for its own firewall products following the disclosure. Cisco had also been forced into issuing a fix for its security appliances.

The NSA had not responded to requests for comment regarding the leak.
