NSA suspected in Juniper firewall backdoors

Security researchers suspect the United States' National Security Agency may have had a hand in the planting of unauthorised backdoors in Juniper's enterprise firewalls.

The network equipment vendor last week issued an urgent security alert for its NetScreen enterprise firewalls, after discovering "unauthorised code" in the device operating system that allows them to be fully compromised.

Juniper had discovered the code during an internal review. The backdoors - which had been in existence since 2012 - meant attackers could gain administrative access and decrypt VPN connections unnoticed.

Researchers have now said the backdoors could have only been planted by a handful of governments due to their sophistication. But it is unclear how the Juniper vulnerability was planted or by whom.

Juniper this week admitted to using the Dual_EC cryptography standard developed and promoted by the National Security Agency.

Microsoft researchers determined in 2007 that the standard was flawed because the output of its random number generator could be predicted, enabling the system's designers or others to break the encryption.

Many researchers believe files released by former NSA contractor Edward Snowden show the flaw was a deliberate effort by the spy agency to maintain eavesdropping capabilities.

Juniper developed an alternate standard, but it was still based on the flawed algorithm pushed by the NSA, which paved the way for the security hole detailed last week.

CEO of German security consultancy Comsecuris, Ralf-Philipp Weinmann, said it appeared the Juniper attackers tweaked an encryption backdoor previously believed to have been engineered by the NSA.

He said they exploited weaknesses in Dual_EC as well as a mistake Juniper make in configuring its VPN encryption scheme for NetScreen devices.

Weinmann said adding an extra line of code would have fixed the issue, but Juniper did not do so when it rushed out its patches last week.

He said the patch might not therefore actually fix the backdoor issue.

Security researcher Matt Blaze said labelled using the Dual_EC algorithm "the crypto architecture equivalent of putting your box of oily rags next to the fireplace".

"Assuming this hypothesis is correct then, if it wasn't the NSA who did this, we have a case where a US government backdoor effort (Dual_EC) laid the groundwork for someone else to attack US interests," Google software engineer Adam Langley wrote.

With Reuters