Cisco Pulls A Tim Cook; Buy Grandma A New Router
We All Replace Our Routers Frequently, Right?
Four small/medium business routers made by Cisco, some as recently as five years ago, have a flaw in their password validation algorithm. An attacker who leverages it can access the device’s IPSec VPN without needing any of that pesky authentication most people expect is required to do so. Indeed, it gives full administrative access to that portion of the router, and once they have control of the VPN they can wreak all sorts of havoc.
Cisco will not be patching this.
Their reasoning is that the kit is old, with the most recent reaching EOL this year, and so Cisco feels justified in no longer supporting the four affected routers, even though some continued to be sold after their official EOL. Those four models are the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.
There is a small problem in that the majority of medium and small businesses, not to mention your ISP, do not upgrade their routers on any sort of schedule apart from replacing broken ones. How old is the one your ISP provided, and when is the last time you upgraded any routers you might have in addition to it? This sort of planned obsolescence is bad enough in a smart lightbulb, but for the hardware VPN you depend upon for security to be treated the same way by its manufacturer is rather worrying.
Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers.
More Tech News From Around The Web
- AMD admits its Ryzen mobile naming scheme is a mess, promises to clean it up @ The Register
- Logitech’s Webcam Software is a Mess @ Slashdot
- GIFShell attack creates reverse shell using Microsoft Teams GIFs @ Bleeping Computer
- Apple updates its AppleCare+ support service to offer unlimited repairs @ Ars Technica
- Apple debuts iPhone 14, Watch 8, other sparkly things @ The Register
- As Ex-Uber Executive Heads To Trial, the Security Community Reels @ Slashdot
- Horrifying Woman Keeps Appearing In AI-Generated Images @ Slashdot
- Meta found guilty of flouting Washington political ad laws – again @ The Register
- Intel QuickAssist in Ice Lake Servers What You Need to Know @ ServeTheHome
- The cheap Chromecast is rumored to also upgrade to Google TV @ Ars Technica
- Tim Cook Says ‘Buy Your Mom an iPhone’ If You Want To End Green Bubbles @ Slashdot
- Hackaday Prize 2022: Otter Force One Protects Kelp Forests By Sucking Up Sea Urchins @ Hackaday
- Intel, Broadcom show off interoperable Wi-Fi 7 kit @ The Register
- ADSL Router As Effects Pedal @ Hackaday
- TP-Link Deco XE75 and XE75 Pro Mesh Wi-Fi 6E System @ Tweaktown
- Netatmo Smart Outdoor Camera With Siren Review @ NikKTech
When a company is that quick to abandon their products, it is best to avoid all of their security related products.
Beyond that, it is shocking to see that they are providing less aftermarket support than cheaper mass market consumer routers targeted at budget-focused consumers. For example, consider how when a security issue was found impacting multiple consumer routers, Netgear patched around 61 different models going back over 13 years, most were discontinued models.
Overall, this short-sighted greed will cost Cisco greatly in the future, especially considering that when a security issue impacts a number of different devices due to the same flaw, then porting the patch to other models is not very hard. Even if the device is EOL, patching it makes for a lot of good will that improves consumer confidence.
Cisco has always been the king of planned obsolescence