December 22, 2015
Tech giant Juniper Networks just found unauthorized code — essentially a backdoor — in the operating system running some of its firewalls. The hidden backdoor, found in versions of the company’s ScreenOS software dating back to at least August 2012, enable hackers to take complete control of Juniper NetScreen firewalls as well as decrypt encrypted traffic running through the Virtual Private Networks (VPN) on the firewalls. The FBI is investigating the breach, which appears to be the work of a foreign government.
Wired notes that Juniper’s discovery is exactly why security experts and companies such as Apple and Google “have been arguing against installing encryption backdoors in devices and software to give the U.S. government access to protected communication.”
“The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the U.S., the Chinese, or the Israelis,” notes International Computer Science Institute/UC Berkeley researcher Nicholas Weaver.
Other concerns are that attackers secreted “a hardcoded master password,” enabling anyone else to take command of Juniper firewalls not yet patched, and that the hackers may be able to decrypt traffic running through the firewalls “by analyzing Juniper’s patches and figuring out how the initial attackers were using the backdoor to decrypt it.”
The hack will also infect any customer who purchased products with that version of the software.
According to CNN, Juniper sells its computer network equipment and routers to the Defense Department, Justice Department, FBI and Treasury Department, as well as big companies. U.S. officials say hackers “could use their access to get into any company or government agency,” and declare they are sure that “certain U.S. spy agencies” didn’t create the backdoor.
Juniper has issued an emergency patch, and Homeland Security officials are determining how many compromised systems are in use for U.S. government networks.
To those who think Juniper voluntarily installed the backdoors “for a specific government,” the company responded that, “we do not work with governments or anyone else to purposely introduce weaknesses or vulnerabilities into our products.”
Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA, Wired, 12/22/15