Cisco’s PIX firewalls older than PIX 7.0 have known exploitable vulnerabilities. VPN traffic running through these firewalls is not secure. It’s not the NSA that you need to be worried about, it’s the criminals who can now make use of this vulnerability that you need to protect against.
Information provided by ex-NSA contractor, Edward Snowden, has revealed the extent of NSA’s eavesdropping on Cisco firewalls. Although many suspected this for years, the resolution of their picture just got an upgrade.
An analysis of a hack by NSA’s hacking unit, Equation Group, shows that the NSA used a specialized tool called BenignCertain that exploited a vulnerability in the way Cisco’s firewalls implemented the Internet Key Exchange (IKE) protocol. Through this exploit, the NSA was able to penetrate, monitor and read data from what was considered to be a secure private network.
Confirming the vulnerability, Cisco has said an exploit using the attack can compromise multiple versions of its old PIX firewalls, whose support ended in 2009.
The vulnerability does not affect PIX 7.0, Cisco’s updated Adaptive Security Appliance. However, security experts are not impressed by this fact since, as pointed out by Ars Technica, more than 15,000 networks are still using the old PIX firewall and are thus vulnerable to attack.
The problem is not specific to Cisco’s routers; other firewalls have comparable security flaws, which means there is a very real possibility that the NSA has exploited them to snoop on supposedly secure VPN traffic.
What makes the situation even worse is that the exploit leaked from the Equation Group can now be used by any would-be hacker. Surveillance by the NSA is one thing; being surveilled by criminals is something totally different.