
Not very happy about router attack demo...
By Joris Evers
Published: 28 July 2005 08:35 GMT
Cisco Systems has taken legal action to keep a researcher from further discussing a hack into its router software.
The networking giant and Internet Security Systems jointly filed a request on Wednesday for a temporary restraining order against Michael Lynn and the organisers of the Black Hat security conference. The motion came after Lynn showed in a presentation how attackers could take over Cisco routers - a problem that he said could bring the internet to its knees.
The filing in US District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS", said a Cisco spokesman.
The spokesman added: "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights."
Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, said the spokesman.
The legal moves came on Wednesday afternoon, only hours after Lynn gave the talk at the Black Hat security conference in Las Vegas. Lynn told the audience he had quit his job as a researcher at ISS to deliver the presentation, after ISS had decided to pull the session. Notes on the vulnerability and the talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution", were removed from the conference proceedings, leaving a gap in the thick book.
Lynn outlined how to run attack code on Cisco's Internetwork Operating System by exploiting a known security flaw in IOS. The software runs on Cisco routers, which make up the infrastructure of the internet. A widespread attack could badly hurt the internet, he said.
The actual flaw he exploited for his attack was reported to Cisco and has been fixed in recent releases of IOS, experts attending Black Hat said.
Chris Rouland, chief technology officer at ISS, said in an interview that the ISS research team, including Lynn, had decided on Monday to cancel the presentation. "It wasn't ready yet," he said. Lynn resigned from ISS on Wednesday morning and delivered the presentation anyway, Rouland added.
Lynn presented ISS research while he was no longer an employee, Rouland said.
Adding to the controversy, a source close to the Black Hat organisation said it wasn't ISS and Lynn who wanted to cancel the presentation but Cisco. Lynn was asked to give a different talk, one on voice over Internet Protocol security, the source said.
But ISS' Rouland said there "was never a VoIP presentation" and that Wednesday's session was supposed to be cancelled altogether.
"The research is very important, and the underlying work is important but we need to work with Cisco to determine the full impact," Rouland said.
Cisco was involved in pulling the presentation, a source close to the company said. The networking giant had discussions with ISS and they mutually agreed that the research was not yet fully baked, the source said.
The demonstration on Wednesday showed an attack on a directly connected router, not a remote attack over the internet. Rouland said: "You could bring down your own router but not a remote one."
One Black Hat attendee said he was impressed with Lynn's presentation. Darryl Taylor, a security researcher, said: "He got a shell really easy and showed a basic outline how to do it. A lot of folks have said this could not be done, and he sat up there and did it." "Shell" is a command prompt that gives control over the operating system.
The Cisco spokesman said Lynn's presentation did not disclose information about a new security vulnerability or new security flaws. "His research explored possible ways to expand the exploitation of existing vulnerabilities affecting routers," he said.
Cisco has patched several flaws in IOS over the past year. Last year, the San Jose, California, networking giant said that part of the IOS source code had been stolen, raising fears of more security bugs being found.
On Wednesday, the Cisco spokesman reiterated the company's usual advice that customers upgrade their software to the latest versions to mitigate vulnerabilities.
Following his presentation, Lynn displayed his resume to the audience and announced he was looking for a job. Lynn was not available for comment. Representatives of the Black Hat organisation said the researcher was meeting with lawyers.
Joris Evers writes for CNET News.com