American networking powerhouse Juniper Networks says it will remove a piece of code from some of its networking devices that is believed to have been designed by the NSA and exploited by hackers to decrypt traffic protected by some of the company’s firewalls.
Last month, Juniper announced that it had discovered two pieces of “unauthorized code” in the operating system for its NetScreen line of firewalls. That code allowed a “knowledgeable attacker” to gain administrative access to the firewalls and to decrypt some traffic protected by them.
Security researchers analyzing Juniper’s code found that hackers — or perhaps a disaffected or cooperating Juniper employee — had altered a random number generator known as Dual_EC to allow the decryption of data that had been scrambled using the code. Security experts believe that change was made at the behest of a state intelligence agency in order to enable the surveillance of communications protected by strong encryption.
Now, Juniper says it will remove Dual_EC from the NetScreen firewall. In a blog post published late Friday, the company said it will replace Dual_EC with a random number generator used in another product line. After reviewing commentary by security experts — who have been deeply critical of Juniper’s use of Dual_EC — the company said it will make additional, unspecified changes to the firewall. The company refused to answer questions on changes it plans to make but said they would be made in the first half of 2016.
Dual_EC is thought to have been designed by the NSA with a backdoor to enable its own surveillance, and the change to Dual_EC effectively turned an NSA backdoor against the signals intelligence agency, Juniper, and the firm’s customers. Juniper’s clients include governments, major corporations, and academic institutions, and the change to Dual_EC compromised the security of the communications of millions of individuals. It is technically impossible to determine the extent of surveillance carried out using the Dual_EC change.
The ability to backdoor Dual_EC has been well-documented since 2007, and security experts have questioned why Juniper would use an algorithm capable of being subverted for surveillance purposes.
After announcing the existence of the backdoor on Dec. 20, Friday’s blog post is the first statement from Juniper on the security problems identified in its products. While the company has pledged to plug the security gaps, it has refused to release any technical details about the problem, and security researchers analyzing the backdoor have resorted to poring over patches issued by the company to understand the problem.
In the aftermath of terror attacks in San Bernardino and Paris, American political and law enforcement leaders have argued that the U.S. government needs greater access to encrypted communications. Some have argued that the government needs a backdoor into encryption system, but security experts argue that such a system would fatally compromise security systems used not just by terror groups but also millions of ordinary individuals.
Events at Juniper show how such backdoors can be exploited by malicious hackers. The existence of a backdoor perhaps designed for American spies made it possible for hackers to compromise a sophisticated security system.
Moreover, the backdoor presents a huge business risk for Juniper, whose customers may be questioning whether they can rely on the firm’s systems. Since the announcement of the backdoor, Juniper’s stock has slid 10 percent.
Sean Gallup/Getty Images