Does the use of Cisco AnyConnect Secure Mobility Client cause additional privacy and security risks?



  • During the pandemic I work from home on my own devices via the employer’s VPN. I am aware of the usual privacy risks this represents for me.

    My employer used to provide a Server Address, Account Name, Password and Shared Secret to use its VPN. This could easily be configured using the operating system’s own networking capabilities on macOS or iOS.

    Recently my employer changed their policy and now requires the use of an opaque tool called “Cisco AnyConnect Secure Mobility Client” to establish VPN connections. Does this tool cause additional security or privacy risks for me when using it on my own devices?



  • Every piece of software that you install on your computer which does not provides the source code should be treated as potentially harmful. In the end, you are trusting (with Administrative privileges) an application to perform some changes in your system. In this case, the software creator is Cisco, which may be considered as a "Trusted" vendor because of its story, however as said, there is no way of actually checking everything that is going on under the hood unless the source code was provided or unless you were a skilled reverse engineer.

    Speaking about this specific software, we must not forget that every piece of software could have vulnerabilities and in the case of close source tools the process of discovering/fixing becomes a more daunting task. For example, let's have a look on this zero-day which stayed in the Anyconnect VPN software for 6 months: https://nvd.nist.gov/vuln/detail/CVE-2020-3556

    The likelihood of this scenario happening is unusual, although it is valid to bare on mind that even software apparently "Trusted" could have serious vulnerabilities.

    Therefore, your concern is correct it is also good to be cautious about what software you install, specially when that software is closed.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2