In a development sure to affect the ongoing debate over encryption, one of two backdoors revealed in Juniper Networks’ firewalls last week was made possible by the use of a cryptographic algorithm that was purposely weakened by the National Security Agency.
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” wrote Juniper CIO Bob Worrall in a security announcement. “At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.”
Of the two backdoors that were found, one gives the attacker full administrative access to the Juniper firewall by allowing logins from any user ID with a password incorporated in the unauthorized code. The VPN backdoor allows a passive eavesdropper to decrypt VPN traffic undetected, while the remote access backdoor “allows an attacker to bypass authentication in the SSH and Telnet daemons,” according to H.D. Moore, chief research officer at security analytics firm Rapid7. “A quick Shodan search identified approximately 26,000 Internet-facing NetScreen devices with SSH open.”
Of greatest concern is the role of the discredited Dual_EC pseudo-random number generator algorithm; the Snowden revelations in 2013 showed that the NSA had inserted a backdoor into the Dual_EC algorithm.
While the remote access authentication backdoor is bad, according to Matthew Green, assistant professor at the Johns Hopkins University Information Security Institute, the passive VPN backdoor is much worse, because the backdoor already existed in the Juniper code before the unauthorized code was added.
“To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge,” Greene wrote in a blog post. “They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world.”
Despite the National Institute of Standards and Technology warning against using the flawed algorithm in July 2015, Juniper announced it would continue to use that algorithm in its ScreenOS software. “ScreenOS does make use of the Dual_EC_DRBG standard, but is designed to not use Dual_EC_DRBG as its primary random number generator,” the company wrote in a product information update. “ScreenOS uses it in a way that should not be vulnerable to the possible issue that has been brought to light.”
Despite the backdoor vulnerabilities coming to light, questions still remain about how the unauthorized code was inserted into the ScreenOS software, and who was exploiting the Juniper firewall and VPN backdoors. Worrall said Juniper immediately launched an investigation into the matter, though the company has not divulged any further information. But with renewed calls from law enforcement agencies and politicians for backdoors to encryption technology, the Juniper revelation suggests that purposefully weakening encryption could have dangerous consequences.
“Many of us hardcore technologists in the corporate sector have been warning the government for years — sometimes decades — about the hazards of backdoors like the one recently exploited in Juniper’s products,” said Gary McGraw, CTO of Cigital. “Engineering a product to be secure is hard enough without intentionally designing in an Achilles’ heel.”
“FBI Director Comey’s stance is wrong,” McGraw said. “If we want real security, we must properly build security in, without breaking it on the whiteboard.”
Find out more about the flawed encryption algorithm blamed for the Juniper backdoor.
Learn more about NSA’s history of involvement with possibly flawed encryption algorithms.