by elmo2you
2541 days ago
While that observation might be true (I doubt it will change Open Source, nor is it a new problem), what's the security issue in this particular case? Cisco added an already compromised (it's on GitHub) private key to their firmware, which sure isn't a smart thing to do. But the only security issue I could see here is that somebody could use it to create a "secure" outbound connection from a Cisco device that just isn't secure at all (because anyone has access to the private key).
But no-one at Cisco seemed to be aware of it until alerted, and it was discovered by a product team looking specifically for IoT security vulnerabilities. It's clear that Cisco aren't auditing their third-party dependencies thoroughly. It could easily have been a vulnerability. They got lucky.
And yeah, it's not a new problem, but there does seem to be growing awareness of it, which is both good (because a solution will be found), and bad (because the bad people will be more aware of the opportunity).
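Both comments point at the same defender-side check: a private key should never ship inside a firmware image at all, and one that is already public is worse, so third-party content ought to be scanned before release. The following is an added example, not code from either commenter, from Cisco, or from the product team mentioned above. It scans an extracted firmware tree for PEM private keys and flags any whose fingerprint matches a denylist of keys known to be public. The firmware tree, the key material and the denylist are constructed placeholders, and the "fingerprint" is simply SHA-256 over the decoded DER bytes (an assumption made so the script needs no crypto library, not a standard fingerprint format).

```python
import base64
import hashlib
import re

# Matches a PEM private-key block (RSA, EC, PKCS#8, or encrypted PKCS#8) and
# captures the base64 body between the armour lines. Works on raw bytes, so
# a key embedded inside an ELF or other binary blob is still found.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----\s*(.*?)\s*"
    rb"-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----",
    re.DOTALL,
)


def key_fingerprint(pem_body: bytes) -> str:
    """SHA-256 of the DER bytes inside the PEM armour (assumed format).

    Whitespace/line wrapping is stripped first, so the same key produces the
    same fingerprint whether it is wrapped at 64 or 76 columns.
    """
    der = base64.b64decode(b"".join(pem_body.split()))
    return hashlib.sha256(der).hexdigest()


def find_private_keys(files):
    """Return [(path, fingerprint)] for every PEM private key in the tree.

    `files` maps a relative path to the file's raw bytes; in practice you
    would populate it from os.walk() over an unpacked root filesystem.
    """
    findings = []
    for path, data in files.items():
        for match in PEM_KEY_RE.finditer(data):
            findings.append((path, key_fingerprint(match.group(1))))
    return findings


def audit(files, known_public):
    """Classify each finding: any key present is a finding, a known-public
    key is the severe case described in the thread."""
    results = []
    for path, fp in find_private_keys(files):
        verdict = "KNOWN-PUBLIC" if fp in known_public else "PRIVATE-KEY-PRESENT"
        results.append((path, fp, verdict))
    return results


# --- constructed sample data (placeholders, not real key material) ---------
_FAKE_DER_1 = b"constructed placeholder, not real key material #1"
_FAKE_DER_2 = b"constructed placeholder, not real key material #2"


def _fake_pem(der: bytes) -> bytes:
    return (b"-----BEGIN RSA PRIVATE KEY-----\n"
            + base64.encodebytes(der)
            + b"-----END RSA PRIVATE KEY-----\n")


# A toy "extracted firmware" tree: one key hidden inside a third-party
# shared object, one vendor key on its own, and two innocent files.
FIRMWARE = {
    "etc/ssl/certs/ca-bundle.crt": b"-----BEGIN CERTIFICATE-----\n"
                                   b"(constructed placeholder certificate)\n"
                                   b"-----END CERTIFICATE-----\n",
    "usr/lib/libthirdparty.so": b"\x7fELF" + b"\x00" * 16 + _fake_pem(_FAKE_DER_1) + b"\x00" * 8,
    "etc/device.conf": b"log_level=info\n",
    "opt/vendor/keys/device.key": _fake_pem(_FAKE_DER_2),
}

# Denylist: fingerprints of keys already published somewhere (constructed here
# from the first placeholder; a real list would be built from the public copies).
KNOWN_PUBLIC_KEYS = {key_fingerprint(base64.encodebytes(_FAKE_DER_1))}


if __name__ == "__main__":
    for path, fp, verdict in audit(FIRMWARE, KNOWN_PUBLIC_KEYS):
        print(f"{verdict:20s} {path}  sha256:{fp[:16]}...")
```

The scan only sees what it is given, so run it after unpacking the image (e.g. after extracting the root filesystem) rather than on the raw flash dump, and remember that keys stored as bare DER or inside nested archives need a separate pass. Treating every private key as a finding, not just denylisted ones, is the point: the thread's case would have been caught either way.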