CISCO makes much of the equipment that runs and secures the Internet. Snowden’s leaks already disclosed that the NSA has complete access to CISCO gear, including the ability to install software modifications.
Now we know how for at least some devices. A little boring technical stuff. SSH is the main tool used to connect remotely to devices on the Internet. There are several ways to prove to the remote device that it should let you in. The simple method is sending a userid and password. For many situations, that is impractical. For example, I frequently connect the test machine to the production machine in Texas. If I was using passwords, I would have to constantly type the password (risking someone watching my keyboard) or “hard code” the password somewhere.
A better alternative is a public/private key exchange. Both computers have a secret private key and a public key. You can’t derive my private key if I give you my public key. But if you take my public key and combine it with your private key, the resulting key establishes beyond any reasonable doubt that both ends know who the other end is. Someone recording the exchange of keys still cannot derive a private key or be able to masquerade as a real device.
What CISCO just admitted is every device in their advisory has a hard coded key for its support responsibilities. This allows anyone with knowledge of that private SSH key for CISCO support to connect to the device as an authenticated user. All if takes is for CISCO to provide that key to government agencies, or a hacker or ex-employee to find and leak the private key, and every internet connected CISCO device affected is vulnerable to complete remote control by unknown remote persons.
If Snowden doesn’t get a Nobel Peace Prize, the award has no meaning