Cisco Confirms Source Code Theft, Downplays Threat

"Cisco is aware that just prior to last weekend, a portion of Cisco's Internetworking Operating System [Cisco IOS] code was illegally copied and subsequently posted on the Internet," according to a security update, dated Wednesday, on the company's Web site.

Citing preliminary findings, Cisco downplayed potential security threats to customers, noting that the "improper publication of this information does not create increased risk to customers' Cisco equipment."

While the code was illegally copied and "taken outside of Cisco's internal systems," the breach apparently was not a result of the exploitation of vulnerabilities in Cisco products or services offered to its customers or partners, the company said.

The San Jose, Calif.-based company also said it has no reason to believe that the code theft was initiated by any Cisco employee or contractor.

Cisco Monday said it was investigating a possible source code theft after a Russian-language Web site, SecurityLab.ru, reported on Saturday that as much as 800 Mbytes of code from version 12.3 of Cisco IOS was stolen from the company.

The networking vendor has yet to confirm how much of the code was stolen.

Some pieces of the Cisco source code were posted online for several days but have subsequently been removed, the Cisco update said.

Cisco continues to investigate the theft with the assistance of the Federal Bureau of Investigation.

Some solution providers said they have been fielding calls from Cisco customers concerned about the security of their systems. For the most part, however, concerns that hackers could use the code to infiltrate Cisco gear are premature, solution providers said.

"My security team feels that, based on their latest research, this theft will not pose a serious threat to customers," said John Freres, president of Meridian IT Solutions, a Schaumburg, Ill.-based solution provider.

Other solution providers agreed.

"The [code] that has been posted is for IPv6, which nobody uses. If they have more stuff than that, there is some concern that that could open Cisco's gear up to exploit, although given the multilayered approach to security, people are skeptical that much would come of it," said Pat Scheckel, Cisco practice director at Berbee Information Networks, a solution provider based in Madison, Wis.

Others said they are confident Cisco would move quickly to patch any vulnerabilities exposed by the theft.

"Obviously there are security implications if the source code gets out, but Cisco is a company that would take steps to mitigate any risks," said Mark Theoharous, CEO and founder of Burwood Group, a solution provider based in Chicago.

Solution providers were more concerned about the possibility that Cisco's competitors could get a peek into the secret underpinnings of the company's technology.

"That's the biggest threat, the intellectual property side of this," said Ugur Koser, CTO of AAC, a solution provider based in Vienna, Va.

In general, solution providers said the best thing customers can do to protect themselves from potential security threats is to keep their updates and patches to IOS current.

"There's not much you can do right now. Just relax and make sure you're up to date," Koser said.