Juniper Networks' backdoor: it's not China, it's the US, suggest researchers

Finger of blame pointed at - guess who? - the US National Security Agency (or maybe GCHQ)

Security researchers claim that the US National Security Agency (NSA) is most likely responsible for the "unauthorised code" found in Juniper Networks' ScreenOS-based firewalls - not China.

That is the claim of Ralf-Philipp Weinmann, founder and CEO of German security research company Comsecuris, who suggests that the NSA is either directly or indirectly responsible for the security breach.

According to Weinmann, the code found in ScreenOS was a re-purposed decryption backdoor believed to have been created by the NSA. Weinmann published his findings in a technical blog posting last night.

Whoever was responsible for the breach exploited weaknesses that the NSA had, according to the leaked Edward Snowden documents, placed in an encryption algorithm called Dual_EC, which Juniper deployed to encrypt VPN traffic traversing its NetScreen firewalls. However, Juniper's engineers also misconfigured the technology. This enabled the attackers to exploit the weaknesses inherent in Dual_EC, which have been widely known for the best part of a decade.

In the 2000s, the NSA, according to the Snowden documents, was aware of weaknesses in Dual_EC and covertly lobbied for its inclusion in encryption standards.

Weinmann claims that adding an extra line of code ought to have fixed the issue, but that Juniper did not do this when it rushed out its patches last week. Weinmann suggests that the patch, therefore, may not fix the backdoor once and for all.

While the finger of blame is now being pointed in the direction of the US National Security Agency, US officials anonymously quoted on news reports when the story broke denied that the US was behind it. However, the unauthorised code could equally have been placed on the routers by GCHQ or Israeli intelligence - and used by the NSA in its surveillance and eavesdropping operations.

Given that the NetScreen technology is maintained at Juniper's research and development facility in Beijing, China, it had been conjectured that the code was compromised by someone working there, almost certainly on behalf of Chinese intelligence.

But either way, the incident underscores why technology devices should not have built-in backdoors mandated by national governments on the grounds of national security - because the users don't know who could be making use of such backdoors and compromising their security.

The unauthorised code in the ScreenOS firewalls is believed to have been present since August 2012, and enables attackers to take control of the firewalls and even to decrypt VPN traffic passing through Juniper's NetScreen firewalls.

Juniper's firewalls are particularly popular in the Arab world, where the main alternative firewall technology from Check Point Software is eschewed because Check Point is Israeli.