Yesterday I began to try to fix an issue I’m having with my home gateway – a Cisco DPC3825 that has recently been identified as one of the nine Cisco home networking products that has a major security vulnerability. My attempts were thwarted by some pretty poor customer service from my internet provider, Rogers who suggested that it wasn’t a real problem and that I not believe what I read from unreliable sources (such as the freakin’ Cisco site and US-CERT)! This didn’t come from the people who answer the phones who can be forgiven for not being aware of everything – it came from higher level technical support.
This morning, I decided to go to Cisco to see if they have any wise words as to what I should do. Since Rogers seemed to not have a clue, I really have 2 issues to deal with:
- Get my device fixed. I understand the risks and am bothered by them.
- Ensure that the right people are aware of this issue and are working to fix it. From what I’ve read, exploiting this vulnerability is not too difficult. It’s also not too difficult to find large blocks of IP addresses of Rogers’ customers. If you spend some time reading our site and blog, you’ll probably have enough information to take down the internet for a very large chunk of Canadian households. A true Hack of Mass Destruction. I’m trying to avoid that.
I called Cisco Technical Support as is suggested in the Cisco security advisory. I didn’t have too much confidence that they’d be able to do anything because the advisory does say:
Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.
I actually rent my gateway from Rogers so I fall into this category. Of course, since Rogers was uninterested in helping me, I was stuck. I spoke with a woman named Dawn Marie at Cisco who was very friendly and eager to help. She was not aware of the issues with the device but did some searching and found information about it. I told her that I was a customer of Rogers, and that they were denying that any issue existed. She confirmed that this issue was very real. I told her that it was my belief that Rogers has deployed many of these affected gateways, and she said “yes, they have a lot of them.” And no, the emphasis is not mine, her voice was tinged with fear after reading the security advisory and understanding the severity of the problem along with Rogers’ non-action.
Unfortunately, she said that there was nothing that Cisco could do because I’m not a Cisco customer, but a Rogers one. If she gave me a new device it wouldn’t work on the Rogers network anyway since Rogers does do some customization before deployment. We both realized that this needs fixing, but we both unfortunately had our hands tied.
So is Rogers really doing nothing about this problem and will only take notice when large blocks of their customers mysteriously go offline? I don’t really know. Some have suggested that they’re working on a fix, but will deploy nothing until it has been thoroughly tested. I want to reject this idea because Cisco had a fix for the problem ready the day that they disclosed the problem. Certainly they didn’t write this fix overnight – they had to have spent some time making it ready. So why didn’t they work with their partners (e.g. the affected ISPs) to make sure they’d also be ready on Day-0? Hmmmmm. lots of questions, few answers.
If you’ve read this far, I do appreciate it. Can you help? Absolutely! Please share this with as many people as possible to help spread the word. Hopefully, someone with some knowledge will speak up.
Finally, I just wanted to say how happy I am to be a part of building RouterCheck – a tool to help ensure that security and privacy of people’s home networks. My experience with this issue that I’m dealing with simply reinforces the beliefs that I had when I first started RouterCheck – that fixing this major problem that’s been flying under the radar will only be done though grassroots efforts.