The mystery surrounding two backdoors in Juniper's virtual private networking (VPN) products—and whether one of them may have originated with a U.S. intelligence agency—has added fuel to the debate surrounding government access to communications and data.
On Dec. 17, Juniper announced that an internal code review had revealed that two backdoors had been added to its ScreenOS operating system. One intentionally introduced flaw allows attackers to use a hard-coded password to gain administrative rights to vulnerable systems while the other allows the decryption of communications captured by an attacker who knows a unique key.
Juniper's Security Incident Response Team "is not aware of any malicious exploitation of these vulnerabilities; however, the password needed for the administrative access has been revealed publicly," the company stated in an advisory.
The hard-coded password was apparently introduced in ScreenOS 6.2.0r15, released by Juniper in September 2012, while an attacker inserted the decryption bypass vulnerability into ScreenOS 6.2.0r17, released in May, according to Juniper. Versions of the operating system released as far back as August 2012 have, however, been patched for the issue.
Security researchers have linked the capability to decrypt communications to a backdoor surreptitiously supported by the U.S. National Security Agency and incorporated into products sold by security firm RSA. The company was reportedly paid $10 million for including the broken Dual Elliptic Curve (Dual EC) pseudorandom number generator (PRNG) in its products.
The kerfuffle over the backdoor password and code comes as politicians and law enforcement officials continue to ratchet up the rhetoric calling for technology companies to weaken the security of their products to allow authorities to have access to communications and data.
In a 60 Minutes segment aired over the weekend, Apple CEO Tim Cook attempted to explain the problems that weakened encryption poses for all citizens—that security weaknesses are often exploited and not just by legitimate authorities.
"If there is a way to get in, then someone would find a way in," Cook said in the 60 Minutes segment. "The reality is, if you put a backdoor in—that backdoor is for everybody, for good guys and bad guys."
In the latest Democratic debate, presidential candidate Hillary Clinton, when asked to comment on Apple's assertions, called for a massive effort to find a solution.
"I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project, something that would bring the government and the tech communities together to see they're not adversaries, they've got to be partners," Clinton said in the debate.
Such a view is referred to by technologists as the "nobody but us," or NOBUS, argument, where legitimate authorities seek to undermine security with technology that only they will be able to use. The backdoor password is "infinitely stupid," but the NOBUS decryption weakness is a seductive approach, because it seems like it could work, said Nate Cardozo, staff attorney with the Electronic Frontier Foundation.
Such secrets will eventually leak, however, and if ubiquitously implemented, leave everyone with weakened security, he said.
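The "unique key" behind the Dual EC weakness, and why the NOBUS argument fails, can be shown with a toy model of the generator: whoever holds the hidden scalar d can turn one observed output into every future output. This is an added illustration, not code from Juniper, RSA or the article; the prime, curve, seed and secret d are made-up small values, and unlike real Dual EC (NIST P-256, 16 bits of each output truncated) nothing here is truncated.

```python
p = 10007      # toy prime; p % 4 == 3 makes modular square roots a single pow()
A, B = 2, 3    # toy curve y^2 = x^3 + A*x + B (mod p); not a real standard curve

def add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P1):
    """Double-and-add scalar multiplication k*P1."""
    R = None
    while k:
        if k & 1: R = add(R, P1)
        P1 = add(P1, P1); k >>= 1
    return R

def x_of(P1):
    return 0 if P1 is None else P1[0]

def lift_x(x):
    """Recover a curve point with x-coordinate x (either sign of y), or None."""
    rhs = (x**3 + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

Q = next(pt for pt in map(lift_x, range(1, p)) if pt)  # public base point
d = 1234               # the back-door secret: made-up value, known only to its planter
P = mul(d, Q)          # second public point; the hidden relation P = d*Q is the back door

def dual_ec(seed, n):
    """Untruncated toy Dual EC: state s -> x(s*P); output = x(state*Q)."""
    s, out = seed, []
    for _ in range(n):
        s = x_of(mul(s, P))
        out.append(x_of(mul(s, Q)))
    return out

def predict_next(output):
    """With d, one output reveals the next state and therefore the next output."""
    R = lift_x(output)           # R = +/-(s*Q); the sign does not change x(d*R)
    s_next = x_of(mul(d, R))     # d*(s*Q) = s*(d*Q) = s*P, whose x is the next state
    return x_of(mul(s_next, Q))
```

Without d, recovering s from x(sQ) is a discrete-log problem; with d it is one scalar multiplication, which is exactly why the secret cannot stay "nobody but us" once it leaks.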