NSA suspected in Juniper firewall backdoor mystery, but questions remain

Putting backdoors in encryption isn't looking like such a great idea, after Juniper, a major provider of security networking equipment, falls victim to a suspected nation-state attack.
Written by Zack Whittaker, Contributor

Security researchers suspect the US may have contributed in some way to the planting of "unauthorized" backdoor code in Juniper firewall technology.

Researchers believe that even if the National Security Agency wasn't directly to blame for inserting the backdoor code, it was at least helped along by creating a weakness in a cryptographic algorithm used in part by Juniper that allowed the attackers to strike. CNN said on Saturday, citing unnamed US officials, that it didn't believe the NSA was behind it, pointing to "the work of a foreign government." The FBI is currently investigating the attack.

But, if not the NSA, then whom? The jury is still out, with eyes on both allies, like the UK or Israel -- or frenemies of the state, like Russia or China.

Here's what we know.

Late last week, networking equipment maker Juniper announced in a security advisory warning that "unauthorized" code had been added to an operating system used in some of its firewalls. These enterprise networking devices are high-end apparatus, used by thousands of companies worldwide to protect their security perimeters.

The code, which appeared in numerous versions of ScreenOS from mid-2012, is said to let an attacker "gain administrative access" (over secure shell, SSH) and "decrypt VPN connections," according to the advisory. That would allow a highly-skilled attacker to decrypt data flowing through the virtual private network (VPN) connection on the firewall.

Another flaw allows an attacker to access and take over Juniper firewalls using a hardcoded master password. Security firm Rapid7 posted the password on Sunday, lighting a fire under any security apparatus running the buggy code, with the hope of speeding up updates.

Rapid7 security researcher HD Moore said the code was "presumably chosen so that it would be mistaken for one of the many other debug format strings in the code."

In other words, the backdoor could appear like an innocent mistake to anyone looking.

Juniper said that it had no evidence that the flaws were being actively exploited. Nevertheless, the company patched the flaws and asked customers to update immediately. ScreenOS 6.2.0r15 through 6.2.0r18, and 6.3.0r12 through 6.3.0r20 are vulnerable to attack.
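As a practitioner's check against the version ranges quoted above, here is an added example (not code from Juniper or this article) that parses ScreenOS version strings of the form 6.3.0r14 and flags the ones in the listed ranges. The inventory lines are constructed, the host names are placeholders, and the tolerance for a trailing build suffix such as ".0" is an assumption about how devices report their version. A version outside the listed ranges is only "not listed", not proven safe, so the triage reports it as a separate bucket rather than as clean.

```python
import re
from typing import List, Tuple

# Vulnerable ScreenOS ranges as listed in the advisory (both ends inclusive).
VULNERABLE_RANGES = [
    ((6, 2, 0, 15), (6, 2, 0, 18)),
    ((6, 3, 0, 0 + 12), (6, 3, 0, 20)),
]

# Assumed format: major.minor.patch r<release>, optionally followed by a
# build suffix such as ".0" that is ignored for the range comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos(version: str) -> Tuple[int, int, int, int]:
    """Turn '6.3.0r14.0' into the comparable tuple (6, 3, 0, 14)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def is_listed_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_screenos(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def triage(inventory: List[str]) -> dict:
    """Sort '<host> <version>' lines into listed-vulnerable, not-listed and
    unparseable buckets. 'not_listed' means exactly that, not 'safe'."""
    result = {"vulnerable": [], "not_listed": [], "unparseable": []}
    for line in inventory:
        host, _, version = line.partition(" ")
        try:
            bucket = "vulnerable" if is_listed_vulnerable(version) else "not_listed"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed inventory; host names and versions are placeholders.
SAMPLE_INVENTORY = [
    "fw-edge-01 6.3.0r14.0",
    "fw-edge-02 6.3.0r21.0",
    "fw-dc-01 6.2.0r18",
    "fw-dc-02 6.2.0r14",
    "fw-lab-01 unknown",
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Feed it the output of whatever inventory system records the firmware string; anything landing in "unparseable" needs a human look rather than being silently dropped.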

As many as 26,000 Juniper devices are connected to the internet, with a portion of those likely vulnerable to being exploited -- though, the total figure is not clear. As for how many companies are affected, that also isn't known.

There's some conflict in the security community over exactly who inserted the backdoor code. Whoever it was likely used it to simply watch or steal secrets and data. Juniper's mistake might have been trusting the government too much.

A detailed analysis of the code by security consultant Ralf-Philipp Weinmann on his blog pointed to an encryption backdoor first used by the NSA more than a decade earlier. The NSA helped to create Dual_EC, a weakened algorithm designed to help the government snoop. Security firm RSA also used the algorithm, leading to accusations of complicity with the NSA's surveillance. (Cisco said it will conduct a full code review to ensure its devices are not vulnerable to similar backdoors.)

Security researcher Adam Langley said on his blog that Juniper used a backdoor algorithm but "changed the locks." The problem is, he added, "someone broke in and changed the locks again."
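To make Langley's metaphor concrete, here is an added example that is not code from Juniper, Langley or this article: a toy Dual_EC-style generator over a small elliptic curve. The prime, curve coefficients, seed and the scalars d and d2 are all constructed for the demonstration, and the real generator's output truncation is omitted. Whoever chooses the constant Q = d·P and keeps d can recover the generator's internal state from a single output and predict everything after it; swapping Q for a new Q2 = d2·P ("changing the locks") locks the old key-holder out and hands exactly the same power to whoever knows d2.

```python
# Toy Dual_EC-style DRBG on a tiny curve. Constructed for illustration only:
# the prime, curve, seed and scalars are not Juniper's or NIST's values.
from math import gcd

P_MOD = 1019          # small prime, 3 mod 4, so a square root is a single pow()
A, B = 2, 7           # y^2 = x^3 + 2x + 7 over GF(1019); 7 is a non-residue, so no point has x == 0
INF = None            # point at infinity


def add(p1, p2):
    """Affine point addition (handles doubling and the identity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def order(pt):
    """Order of a point by brute force; fine for a curve this small."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n


def find_base_point():
    """First curve point of large order: the public generator P."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if y * y % P_MOD == rhs and order((x, y)) > P_MOD // 2:
            return (x, y)
    raise RuntimeError("no suitable base point")


def dual_ec_step(s, P, Q):
    """One step: new state and one output word (an x-coordinate).
    The real DRBG truncates the output; this toy does not."""
    r = mul(s, P)[0]
    return mul(r, P)[0], mul(r, Q)[0]


def outputs(seed, P, Q, count):
    outs, s = [], seed
    for _ in range(count):
        s, o = dual_ec_step(s, P, Q)
        outs.append(o)
    return outs


def recover_next_state(out, e, P):
    """Holder of e with P == e*Q lifts the output x back to a point +-r*Q,
    multiplies by e to reach +-r*P, whose x-coordinate is the next state."""
    rhs = (out ** 3 + A * out + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # either sign works: x(eR) == x(e(-R))
    return mul(e, (out, y))[0]


def predict_from_output(first_out, P, Q, e, count):
    """See one output word, recover the state, predict the next `count` words."""
    return outputs(recover_next_state(first_out, e, P), P, Q, count)


def demo():
    P = find_base_point()
    n = order(P)
    # The party that fixes Q = d*P keeps d (equivalently e = d^-1 mod n).
    d = next(k for k in range(2, n) if gcd(k, n) == 1)
    e = pow(d, -1, n)
    Q = mul(d, P)
    real = outputs(123, P, Q, 6)
    vendor_predicts = predict_from_output(real[0], P, Q, e, 5) == real[1:]
    # "Changing the locks": Q is replaced by Q2 = d2*P. The old key e is now
    # useless, but whoever knows d2 can read the generator instead.
    d2 = next(k for k in range(d + 1, n) if gcd(k, n) == 1)
    e2 = pow(d2, -1, n)
    Q2 = mul(d2, P)
    real2 = outputs(123, P, Q2, 6)
    old_key_fails = predict_from_output(real2[0], P, Q2, e, 5) != real2[1:]
    new_key_works = predict_from_output(real2[0], P, Q2, e2, 5) == real2[1:]
    return vendor_predicts, old_key_fails, new_key_works


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The design's entire security rests on nobody knowing the relationship between P and Q, which cannot be verified from outside; a generator whose Q constant can be swapped in firmware is therefore exactly the kind of constant a defender wants under integrity monitoring, and a DRBG built from a hash or block cipher has no such hidden trapdoor to begin with.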

Matt Blaze, a security researcher and academic who spoke up in the mid-1990s when the US government was trying to include hardware backdoors, said on Twitter that using the algorithm is "the crypto architecture equivalent of putting your box of oily rags next to the fireplace."

In other words, nothing good can come from it.

"We're not sure that's actually what happened, but it seems like a reasonable hypothesis at this point," he said.

"Assuming this hypothesis is correct then, if it wasn't the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests," he concluded. That would likely be a nation-state attacker, according to Wired, such as the US or an allied nation, like the British or the Israelis. Worse, it could be the Chinese, said Weaver, according to the publication. The motive is almost always clear, if speculative, and almost beside the point given the wider circumstances: to gather information on targets to further national security or government policy.

What makes the "whodunnit" look more like the NSA is a program, dubbed FEEDTROUGH, which was designed to burrow into Juniper firewalls, enabling the NSA to implant other programs.

As reported by Der Spiegel in 2013 based on documents leaked to reporters by whistleblower Edward Snowden, US spies can "secure themselves a permanent presence in computer networks" and this has already been "deployed on many target platforms."

FEEDTROUGH targets were not named in the documents. Juniper's own website names dozens of companies, including DreamHost, the London Internet Exchange, Peer1 Hosting, Shutterstock, Symantec, and UK phone provider TalkTalk.

Wired reported on Friday that Juniper denied installing a backdoor of any sorts on its ScreenOS software. The report suggested that the "unauthorized" code found by Juniper may differ from what FEEDTROUGH documents describe.

But right now, there's no definitive way to tell.

Matthew Green, a cryptography professor at Johns Hopkins, said in a blog post Tuesday that he suspects "some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional," who then "piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them."

He added: "The end result was a period in which someone -- maybe a foreign government -- was able to decrypt Juniper traffic in the U.S. and around the world."

One of the other little-known operations run by the NSA was its CORESECRETS program, which effectively implanted spies in well-known companies to operate seamlessly while secretly working on behalf of the government. Could a Juniper employee have been behind the code implant?

"There's no evidence at all at this point," said Green in an email, but noted that "anything is possible."

"Juniper really needs to offer its customers an explanation," he said.
