When the NSA Is a Hacker’s Best Friend

Clinton and Trump want Silicon Valley to make it easier for the government to eavesdrop. An NSA gaffe that harmed a leading networking company shows how dangerous that could be.

Photo via Getty Images News
Photo via Getty Images News

To hear Hillary Clinton tell it, giving law enforcement officials access to encrypted communications represents one of the great national security challenges of our time. Asked about allegations that the terrorists who hit Paris used encrypted communication tools to plan their carnage, Clinton argued that the government needs an easier way of monitoring militants’ communications.

“A Manhattan-like project,” Clinton said in a debate last weekend, “would bring the government and the tech communities together to see they’re not adversaries. They’ve got to be partners.”

Other presidential candidates have been far more blunt in their demands that the private sector make it easier for the government to monitor encrypted communications. “We should be able to penetrate the Internet,” Republican front-runner Donald Trump declared during a national security-focused CNN debate this month.

But amid the raging emotions of the current presidential election cycle, a major breach at the U.S. networking giant Juniper Networks has exposed what the candidates have so far refused to acknowledge: Encryption back doors already exist, including an NSA-authored exploit used by Juniper, and pose enormous risks to firms and their clients.

Late last week, Juniper announced that it had discovered what it described as two pieces of “unauthorized code” in the operating system of one of its firewalls. The first cleared the way for hackers to log in to a firewall with administrator privileges.

The second edit changed a single number in an encryption algorithm designed by the National Security Agency (NSA) to enable American eavesdropping and surprisingly adopted by Juniper, which is the world’s second-largest network device manufacturer behind Cisco. The edit allowed those responsible for the hack to decrypt virtual private network (VPN) connections hosted on Juniper’s NetScreen firewalls.

By changing a single number in the source code for an operating system, the hackers, likely working on behalf of a foreign signals-intelligence agency, effectively took a lock that the NSA had designed so that it could be picked by only operatives at Fort Meade and changed it to one that could budge at the command of hackers in Beijing or Moscow.

Because of the attack’s nature, it is impossible to say how much or what encrypted data were collected unscrambled, but the individuals exposed number in the millions and victims include corporations, governments, and academic institutions.

While Juniper has refused to release any technical details about the breach, computer security experts have in recent days pored over the software patches released by the company to determine how the code was changed. Ralf-Philipp Weinmann, founder and CEO of the German security firm Comsecuris, has provided what is so far the definitive analysis of how the encryption back door worked.

In theory, that back door, if it was configured a certain way, would have been what’s known as a NOBUS (“nobody but us”) bust allowing the NSA to decrypt VPN traffic. Instead, hackers used a vulnerability that the NSA is believed to have baked into a random-number generator known as Dual_EC to undermine an encryption system used by governments and corporations around the world. Documents supplied by Edward Snowden and published Wednesday by the Intercept indicate the NSA and GCHQ, Britain’s signals-intelligence agency, were aware of vulnerabilities in Juniper products, including the NetScreen firewalls.

The NSA did not return requests for comment on its role in the Juniper breach.

For presidential candidates traveling the campaign trail advocating for a way to circumvent encryption, the Juniper breach ought to serve as a lesson in humility.

“Back doors basically create a single point of failure,” said Matthew Green, a cryptologist at Johns Hopkins University. “Anybody who knows the smallest bit about it can turn that to their own advantage.”

According to Department of Homeland Security spokesman S.Y. Lee, the U.S. government is currently examining its own computer systems to assess the impact of the Juniper breach on federal networks.

In other words, the U.S. government is checking how it has been affected by a hacked encryption system that was intentionally made weak by the NSA in order to enable American surveillance.

And that provides an ironic counterpoint to the hawkish positions embraced by presidential candidates on encryption.

“If you create encryption, it makes it harder for the American government to do its job — while protecting civil liberties — to make sure that evildoers aren’t in our midst,” former Florida Gov. Jeb Bush said in August. What Bush didn’t say: If you create encryption back doors, it will also be harder for the American government to keep its secrets safe.

While the political debate over encryption has frequently been marked by adversarial comments about how Washington needs to force Silicon Valley to compromise encryption, others have indicated a desire for closer cooperation between the government and tech firms. FBI Director James Comey has in recent weeks softened his tone toward Silicon Valley and argued in congressional testimony this month that tech firms’ use of encryption represents a “business model” question.

Tech executives have so far refused to back down, but that hasn’t stopped former Hewlett-Packard CEO Carly Fiorina from arguing that she is uniquely positioned to bring the industry to heel. “They do not need to be forced; they need to be asked to bring the best and brightest, the most recent technology to the table,” Fiorina said during the CNN debate when asked about how the FBI can gain access to encrypted communications.

Indeed, Fiorina has touted her efforts while head of Hewlett-Packard to supply the NSA with additional computers in the aftermath of the 9/11 terrorist attacks. In the aftermath of the Juniper breach, security experts have questioned the extent of the company’s relationship with Fort Meade. Steven Bellovin, a computer science professor at Columbia University, said he wonders whether Juniper had used the compromised random-number generator at the agency’s behest.

“I personally am wondering if that’s how the problem was discovered — the NSA found that they could no longer read traffic that they thought they should be able to, so they alerted Juniper,” Bellovin said.

That’s a charge the company strenuously denies. “We do not work with governments or anyone else to purposely introduce weaknesses or vulnerabilities into our products,” spokesperson Leslie Moore said in a statement. “As soon as these issues were discovered, Juniper began work to remediate the vulnerabilities and notify customers.”

Efforts by the NSA to work with tech firms to make their products susceptible to surveillance can take on a variety of forms. According to Snowden documents published in 2013, the agency spends some $250 million a year to actively engage “U.S. and foreign IT industries to covertly influence and/or overtly leverage” product designs to make them “exploitable.” According to a 2013 Reuters report, the NSA inked a $10 million contract with RSA, a computer security firm, to use encryption tools the agency could crack. RSA has denied the report.

It remains unclear who was behind the attack on Juniper. Because few entities are capable of monitoring VPN traffic moving across fiber-optic cables — essentially, the signals-intelligence agencies of the United States, Russia, China, and a handful of others — experts believe that it was likely the work of a nation-state. In comments to CNN, anonymous U.S. officials said the breach was the work of a foreign government. But the change could also have been made by a disaffected insider — perhaps someone who was aware of the vulnerability, felt angry that the company had allowed it to make it into the code, and decided to take unilateral action to fix it. Juniper refused to comment on who was behind the attack.

As for Clinton’s comment about the need for a new Manhattan Project, Snowden had another take on that:

Photo via Getty Images News

 Twitter: @EliasGroll