Security Now: Episode 1045 — News and Listener Views — 2.3 Million Cisco Devices Exposed
Date: October 1, 2025
Host: Leo Laporte
Guest: Steve Gibson
Episode Overview
This week, Steve and Leo tackle an eclectic set of current cybersecurity issues ("news and listener views") with deep dives into real-world vulnerabilities, user feedback, and emerging trends. The headline item is a critical SNMP vulnerability exposing over 2 million Cisco devices globally. Other topics include the evolution of browser privacy protections, recent changes to Windows 10 security updates, inexpensive TLS certificates, lessons from the Jaguar Land Rover ransomware catastrophe, viral privacy trade-offs in social networks, the challenges of enforcing digital age verification, and much more. The episode is also rich with community Q&A and pragmatic advice for security-conscious listeners.
Key Discussion Points & Insights
1. The State of SNMP and Cisco’s Major Vulnerability
[41:00 – 56:30]
- Background: SNMP (Simple Network Management Protocol) was designed in 1988 as a "temporary" solution and was never built with security as a priority. It runs over unencrypted UDP, often with default or weak authentication.
- Current Crisis: A stack overflow bug in Cisco’s IOS SNMP implementation (a zero-day, actively exploited) exposes 2,303,370 devices globally ([54:45]). Over 2 million devices are internet-facing and discoverable via Shodan.
- Root Problem: Many Cisco routers publish SNMP on all interfaces, including the public internet, often because of default settings and the assumption that only professional network engineers configure them.
- Quote: "Any service that is turned on inside a Cisco device by default is available to all the device’s interfaces. Cisco IOS devices have no intrinsic notion of LANs and WANs. Those are all just interfaces, equal." — Steve [53:40]
- Advice: Immediately update Cisco IOS devices, shut off SNMP if it is not needed, and filter/bind SNMP access to LAN-only interfaces. Recognize the risk of legacy defaults.
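As an added illustration of the "shut it off or bind it to the LAN" advice (not code from the show or from Cisco), the following Python audits the SNMP community lines of a Cisco IOS configuration and flags the exposures discussed above. The config snippets are constructed, and ACL parsing is limited to the `access-list` / `ip access-list standard|extended` forms.

```python
"""Audit SNMP v1/v2c community lines in a Cisco IOS running-config.
Added example, not Cisco's or GRC's code; the config text is constructed.
Flags default community strings, RW access, and communities with no ACL,
which IOS then answers on every interface, WAN included.
"""
import re
from typing import List

DEFAULT_COMMUNITIES = {"public", "private"}
ACL_RE = re.compile(r"^(?:access-list|ip access-list (?:standard|extended)) (\S+)", re.M)

def audit_snmp(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    acls = set(ACL_RE.findall(config))
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server community "):
            continue
        tokens = line.split()[2:]            # everything after "snmp-server community"
        community, rest = tokens[0], tokens[1:]
        if rest[:1] == ["view"]:             # optional "view <name>" comes first
            rest = rest[2:]
        mode, acl = "RO", None               # IOS defaults a community to read-only
        for tok in rest:
            if tok.upper() in ("RO", "RW"):
                mode = tok.upper()
            elif tok.lower() != "ipv6":      # "ipv6 <acl>": keep the name that follows
                acl = tok
        name = community[:1] + "***"         # never echo community strings in reports
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{name}: default community string")
        if mode == "RW":
            findings.append(f"{name}: write access (RW) enabled")
        if acl is None:
            findings.append(f"{name}: no ACL, reachable on every interface")
        elif acl not in acls:
            findings.append(f"{name}: references ACL {acl} not defined in this config")
    return findings

# Constructed "before" (SNMP wide open) and "after" (one read-only community
# restricted to a management subnet by ACL 10). No community lines = no v2c exposure.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW
"""
HARDENED_CONFIG = """\
access-list 10 permit 192.168.10.0 0.0.0.255
snmp-server community n3tops RO 10
"""
```

Running `audit_snmp(WEAK_CONFIG)` yields four findings and `audit_snmp(HARDENED_CONFIG)` yields none.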
2. Browser Privacy: Safari’s New Fingerprinting Protections
[27:54 – 37:57]
- Apple Update: iOS 26 and macOS now have advanced fingerprinting protection enabled by default for all tabs (not just private browsing). Safari standardizes/obscures high-entropy web APIs, effectively defeating most web tracking techniques.
- Testing Results: Steve tested Apple’s claims on EFF’s Cover Your Tracks: Safari on iOS 26 = "randomized fingerprint, strong protection" out of the box, beating both Firefox and earlier Safari versions.
- Noteworthy Advice: Users still on iOS 18 or older macOS versions should manually enable "Advanced Tracking and Fingerprinting Protection" for all browsing.
- Quote: "Defaults are what matter... for everybody by default, Apple now has strong tracking protection enabled in iOS 26." — Steve [34:45]
3. Email Authentication & the Gmail/Spam Debacle
[11:12 – 27:14]
- Incident: A sudden spike in Gmail treating previously legitimate emails (including Steve’s mass mailings) as spam. The "Not Spam" button had no effect.
- Findings: Email spoofing of GRC.com was the culprit; DKIM and SPF were set up, but the DMARC policy was not strict enough. Steve tightened the DNS policies (strict alignment), eliminating the loophole.
- Lesson: Even correct DMARC/SPF/DKIM configurations may need continual tightening, and providers sometimes fail users (possibly buggy Gmail behavior triggered the incident).
- Quote: "I think what happened last week was an anomaly on Google’s end... but I’m glad for this runaround because it did cause me to wonder why is Google thinking I’m sending any spam?" — Steve [25:10]
- Practical Tip: For email reputation and deliverability, verify strict policy alignment and use public tools like MX Toolbox.
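To show what "strict alignment" actually changes, here is an added Python example (not GRC's setup or code; the domains and DMARC records are constructed) that evaluates DMARC identifier alignment under relaxed and strict adkim/aspf settings.

```python
"""Evaluate DMARC identifier alignment for one message.
Added example, not GRC's code; records and domains below are constructed.
It shows what switching adkim/aspf from relaxed to strict changes.
"""
from typing import Optional

def org_domain(domain: str) -> str:
    # Assumption: organizational domain is the last two labels. Fine for
    # example.com-style names; a real verifier consults the public-suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=s' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")   # relaxed unless the record says otherwise
    tags.setdefault("aspf", "r")
    return tags

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(record: str, from_domain: str,
                  dkim_domain: Optional[str], dkim_pass: bool,
                  spf_domain: Optional[str], spf_pass: bool) -> str:
    """DMARC passes when an aligned DKIM signature or an aligned SPF check passes."""
    tags = parse_dmarc(record)
    if dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    if spf_pass and aligned(from_domain, spf_domain, tags["aspf"]):
        return "pass"
    return "fail (policy: %s)" % tags.get("p", "none")

RELAXED = "v=DMARC1; p=quarantine"                 # alignment left at the default
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    # Constructed case: From is example.com, no DKIM, SPF passes only for the
    # envelope domain bulk.example.com (e.g. a third-party sender listed there).
    for rec in (RELAXED, STRICT):
        print(rec, "->", dmarc_verdict(rec, "example.com", None, False,
                                       "bulk.example.com", True))
```

The relaxed record accepts that message (same organizational domain); the strict record rejects it, which is the tightening the Findings bullet refers to.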
4. TLS Certificate Trends—$6 Certs While Supplies Last
[74:41 – 81:30]
- Scenario: With free Let’s Encrypt certs and CA/Browser Forum mandates for ever-shorter validity, traditional certs are nearing obsolescence for most use cases.
- Discovery: CheapSSLWeb.com sells DV certificates for as little as $6/year (two years for $12). Steve uses one for his revoked.grc.com demo site.
- Warning: Manual certificate management will cease to be practical after 2029, with validity dropping to just 47 days. Automation will be mandatory.
- Quote: "As long as you do it before March 15, you can make a certificate last 398 days. Then... reissue again for 200 days. Now you go 200 days and before that certificate expires, you need to get going with automation." — Steve [80:15]
5. Jaguar Land Rover Ransomware Catastrophe: Lessons for Enterprise
[81:30 – 91:57]
- Event: A Hellcat Group ransomware attack stopped all Jaguar factories for a month. The UK government underwrote a £1.5 billion loan due to the immense financial hit.
- Findings: Organizational network had flat, non-segmented architecture. No cyber insurance. Entire supply chain suffered: smaller suppliers risked bankruptcy.
- Lessons:
  - Modern threats make cyber insurance and proactive security non-optional.
  - Segmentation and least privilege should be standard.
  - Management decisions ignoring cyber-readiness can have economic fallout beyond the organization.
- Quote: "Today’s cyber threat landscape has truly and significantly increased the cost of doing business. You either pay in advance for protection... or pay after for post-attack ransoms and downtime." — Steve [89:51]
6. Privacy for Sale: Neon Social App’s AI Call Recording for Cash
[92:07 – 104:21]
- Headline: Neon becomes the #2 social app in Apple’s US App Store by offering to pay users (up to $30/day) to record and sell their phone conversations to AI companies for model training.
- Mechanics: 30 cents/minute for calls with other Neon users; aggressive marketing/referral system.
- Risks:
  - Users grant an irrevocable license for all recordings—potential for deepfakes, voice cloning fraud, and more.
  - Lack of participant notification—legal and ethical concerns.
  - Sustainability of high payouts is questionable.
- Quote: "There is now some subsection of the market seemingly willing to exchange their privacy for pennies, regardless of the larger cost to themselves or society." — Steve [94:45]
- Personal Best Practices: Steve mandates secondary written confirmation for any financial instructions, recognizing the risk of targeted voice deepfakes.
7. Age Verification: State Laws and Technical Solutions
[112:29 – 124:49]
- Privacy Mess: Bluesky and others are forced to comply with divergent state age laws. In states like Mississippi, all services are suspended; in South Dakota, Wyoming, and Ohio, only adult content requires verification.
- Technical Solution: Bluesky integrates Kids Web Services (KWS), a free Epic Games-owned parental verification platform that already powers games like Fortnite. It supports various methods: credit card, facial scan, document ID, and more.
- Larger Context: KWS is an interim fix. Long-term, the hope is for standards leveraging government-issued digital IDs (like state driver’s licenses) to assert age without full identity disclosure.
- Quote: "I think what we need is states to widely adopt digital licenses... and then allow your phone to assert your age to a third-party website...without identifying who you are." — Steve [124:41]
8. Ollama LLM Instances Exposed on the Internet
[125:07 – 130:17]
- Finding: Security company Censys found over 10,600 public instances of the Ollama AI tool, often due to user misconfiguration (intended for localhost only).
- Risk: Instantly accessible, no authentication; easy vector for abuse.
- Advice: Never bind such LLM/AI tools to public interfaces. Always leave default binding to localhost unless behind robust authentication/firewalls.
- Quote: "If you make it public, everybody else has access to it. Crazy." — Steve [130:13]
9. Listener Q&A Highlights
[136:46 – 164:00+]
- Memory Tagging Extensions (MTE)/ARM Security: Modern Android chips (Cortex with MTE) do support memory tagging; Apple’s extended implementation (MIE) is unique, always-on, and more robust, explaining why iOS is ahead in exploit resistance.
- Passkeys (Useless Complexity?): Listener Mick Fink describes how Microsoft’s passkey implementation is, in practice, more convoluted than old password flows—often requiring multiple device switches and re-authentication steps. Leo notes it's smoother with Bitwarden/passkeys except on some edge-case sites like Amazon and GitLab.
- Steve: "Don’t use [passkeys] unless you need super security or unless the workflow is as easy as your current password manager/browser combination."
- Age Verification (Whose Responsibility?): Listener Chris Forester speculates that OS-level user accounts with age attestation could shift the burden to individuals, akin to liquor cabinets at home: only the adult account gets access, with penalties for abuse.
- Browser Localhost Blocking: uBlock Origin allows blocking of browser access to localhost, adding a layer of defense against web apps probing local resources (like exposed Ollama instances).
- 0patch as ESU Alternative: Businesses paying for Microsoft’s ESU (Extended Security Updates) for Win10 may find 0patch cheaper, as it supplies in-memory patches beyond official MS support periods.
Notable Quotes & Moments
- "SNMP is and has always been a security disaster. If SNMP is not actively needed and in use, its service should never be running." — Steve [51:58]
- "A stack overflow that's present inside all of those routers’ SNMP packet processing is exposing those devices to now an actively exploited zero-day. Patches available. Doesn't matter." — Steve [55:26]
- "What Apple has done: for everybody by default, strong tracking protection enabled in iOS 26. That's what matters—defaults." — Steve [34:45]
- "You can get $6/year legitimate certs—while they last. But after 2029, you won’t be able to manually manage certificates anymore." — Steve [80:12]
- "Cyber threats have truly and significantly increased the cost of doing business. You pay up front for prevention and insurance, or in ransoms, downtime, and reputational harm after." — Steve [89:51]
- "There's now a market for selling your phone calls for AI training. People are willing to trade their privacy for pennies." — Steve [94:45]
- "We desperately need standards for digital age verification. In the meantime, third-party things like KWS are the stopgap." — Steve [123:40]
Timestamps for Key Segments
- Feedback Chaos and Gmail Spam Issues: [11:12 – 27:14]
- Safari’s Fingerprinting Protections: [27:54 – 37:57]
- Cisco SNMP Zero-Day Exploited: [41:00 – 56:30]
- Windows 10 ESU Updates & EU Law: [56:30 – 74:41]
- TLS Certificates: How Cheap, How Long: [74:41 – 81:30]
- Jaguar Land Rover Ransomware Fallout: [81:30 – 91:57]
- Social App Neon Sells User Calls: [92:07 – 104:21]
- Bluesky & Age Verification, KWS: [112:29 – 124:49]
- Ollama LLMs Exposed: [125:07 – 130:17]
- DNS Benchmark Release Candidate News: [130:26 – 131:38]
- Listener Q&A (Passkeys, MTE, Blocking Localhost, etc.): [136:46 – END]
Final Thoughts
Steve emphasizes that defaults matter more than advanced features—for security to be effective, it must work for the average user, out of the box. The episode is full of practical, actionable advice and cautions for both end-users and IT professionals, especially around the lingering risks of old protocols (SNMP!), headline privacy tradeoffs, and the need for vigilance—and clarity—in both regulation and technical safeguards.
(End of summary)