Two weeks ago, security researchers at Juniper Networks announced that they had found code, not their own, embedded in the operating system of their firewalls. This code had been included in versions of the operating system dating back to 2012, and would allow a third party to access and decrypt secure communications that had been allowed through the firewall’s VPN. Based on the nature of this vulnerability, it seems clear that it was implanted by a nation-state attacker.
Juniper immediately released a patch for this problem, but to be frank that’s closing the barn door after the horses have not only bolted, but also been shot and rendered into glue. If you’ve been communicating any secure or embarrassing information across a Juniper Networks firewall for the last three years…oops? Not to mention the fact that if you don’t install this patch, chances are that any attacker, even a non-nation-state schmuck, will now be able to pwn your secure traffic.
Yes, security experts have almost immediately fingered the NSA as a likely culprit. However, probably not in the way you think. It is not known if the NSA specifically exploited this particular backdoor, but they did make it possible by championing an encryption standard known as Dual_EC. Without going into too much detail, Dual_EC has a deliberately inserted flaw. Revelations from Edward Snowden show that the NSA essentially made their own master password for this crypto standard, allowing them (but no one else) to decrypt secure communications that use it. Before these revelations came out, however, some of the largest companies in the industry–Cisco, RSA, and yes, Juniper Networks–all adopted this standard.
Juniper Networks was supposed to have phased out its use of Dual_EC entirely. In this case, they kept using Dual_EC, but in such a way that the “master password” vulnerability was obviated. However, one of three things appears to have happened:
1. The NSA (or some other foreign power) hacked Juniper Networks and fooled around with Dual_EC yet again.
2. Juniper Networks kept using Dual_EC as a way to spy on their own customers.
3. Juniper Networks are idiots.
Initial analysis by people smarter than myself suggests that a combination of #2 and #3 is most likely, but no one is ruling out #1. Given how the NSA and its sister agencies have been promoting legal backdoors for years now, it feels like the smoking gun for government hacking of US businesses is only days away.