US Congress to probe Juniper backdoor

A US congressional probe into the impact of a backdoor in Juniper Networks enterprise firewalls will examine the possibility that it was initially altered at the behest of the National Security Agency.

The House Committee on Oversight and Government Reform this month sent letters asking some two dozen agencies to provide documents showing whether they used Juniper devices running ScreenOS software.

The company said in December ScreenOS had been compromised by a backdoor in the software.

Rep. Will Hurd, a Texas Republican who heads the committee's technology subcommittee and formerly worked for the Central Intelligence Agency, said his initial goal in pursuing the probe was to determine whether government agencies, many of which use Juniper gear, had been compromised by the hackers.

But Hurd, a key player in the investigation, said the committee would also probe the origins of the breach. If it turns out that a backdoor was included at a US government agency's request, he said, that should help change the policy debate.

The earliest Juniper backdoor identified by researchers used a technique widely attributed to the NSA. 

The NSA did not respond to a request for comment. Juniper declined to comment.

US law enforcement and intelligence agencies have long lobbied in vain for legislation that would require technology companies to provide backdoors in equipment that use encryption technology. They say they need such access to conduct authorised wiretaps and other types of surveillance. 

The technology industry has fiercely opposed any such policy, arguing that backdoors could be exploited by criminals or foreign intelligence services.

"How do we understand the vulnerabilities that created this problem and ensure this kind of thing doesn't happen in the future?" Hurd said.

"I don't think the government should be requesting anything that weakens the security of anything that is used by the federal government or American businesses."

Juniper said in December it had found two unauthorised pieces of code inserted into its ScreenOS operating system that would have allowed whoever planted them to read email sent over virtual private networks.

After outside researchers picked apart the software patches Juniper issued to fix the problem, they concluded that one backdoor had been inserted in 2014 and one in 2012. The 2012 version, though, merely changed the formulation of a piece of software known as a random number generator, which is part of most encryption products.

The random number generator used in the Juniper products, known as Dual Elliptic Curve, has long been suspected by security professionals to contain a backdoor engineered by the US National Security Agency. Those suspicions were largely confirmed by leaks from former agency contractor Edward Snowden.

Juniper said this month it would remove Dual Elliptic Curve entirely in future versions of its products.

The NSA is a logical suspect for the 2008 code insertion, said security researcher Nicholas Weaver of the International Computer Science Institute, while the offenders in both 2012 and 2014 are more likely to have been other countries.