Tech buyer rights raised in Cisco vulnerability
The seriousness of the Cisco vulnerability, Thrangrycat, raises the question of tech buyers' rights when dealing with such a serious flaw in a vendor's hardware.
A network vulnerability as hard to fix as the recently disclosed Thrangrycat flaw in 150 varieties of Cisco switches and routers raises the question of a tech buyer's rights when repairing a potentially destructive defect.
Fixing the Cisco vulnerability, which a hacker could exploit to take down a network, carries the risk of making the hardware unusable. The vendor has said it would replace a product destroyed in the patching process.
"If an affected product becomes unusable and requires a hardware replacement, it will be replaced according to the terms of the customer's support contract or warranty," Cisco said in a statement emailed last week.
However, an expert for management consulting firm Avasant said tech buyers could sometimes get defective hardware replaced, even if product warranties and maintenance contracts have expired. A lot depends on whether the flaw was due to a vendor's faulty design.
"If the thing that they put in in the first place had a design flaw, then that would imply more risk [to the vendor]," said Ravi Mahalingam, general counsel for Avasant, based in Los Angeles. Another condition that could favor the buyer is whether the supplier knew -- or should have known -- that the defect existed.
Vendors face fewer risks with software patches
Contracts used when purchasing network hardware typically list the device's specifications and guarantee it will operate in a customer's network as promised. The product also comes with a warranty, and companies will often buy a support and maintenance contract from the vendor or reseller.
Maintenance typically includes patches for software vulnerabilities, which carry less risk to the seller than a design flaw in a product. As long as the vendor doesn't try to hide a bug and releases a patch as quickly as possible, then the repair process is seldom controversial, even if multiple code releases are needed to fix a problem.
"[Even] in that situation, I don't think that there's a huge liability risk," Mahalingam said. "The window for that risk is limited, and you've done the best effort possible to fix it."
Researchers at Red Balloon Security, which specializes in securing industrial devices, found the Cisco vulnerability in a semiconductor component called a field-programmable gate array (FPGA). Fixing the flaw requires someone with the skill to reprogram the FPGA, which is the heart of Cisco's Trust Anchor module. The component authenticates software before allowing it to boot in a switch or router.
Reviewing support contracts
Tech buyers who want maximum protection against product defects should keep support and purchase contracts organized and accessible and maintain a paper trail of all contacts with vendors. Businesses should also keep support contracts active.
"The things that clients can do are, in a sense, fairly obvious, but they're often overlooked," said Aaron Polikaitis, who conducts IT sourcing research at IDC. "There's been a significant underinvestment in those areas."