Encryption Backdoor Debate Heats Up With Juniper Breach Discovery
"When you attempt to design a NOBUS backdoor, it creates so much complexity, it is going to weaken the end product," Cardozo said. "And DualEC is so weak that it is no longer even a reasonable implementation. It goes to show that you can try to make a 'nobody-but-us' backdoor, but you will fail."
Security expert HD Moore believes the Juniper breach shows both sides of the debate. A poorly implemented backdoor, such as the hard-coded password, leaves everyone vulnerable, he said. Metasploit, an attack framework originally created by Moore, has already included an attack for the hardcoded password, which was found within days of the Juniper announcement. Thousands of devices appear to be vulnerable online, he added.
Yet, the DualEC backdoor can only be used by the group that has access to the secret key, which – so far – is only known to the original attacker, said Moore, who is chief research officer at vulnerability management firm Rapid7. "The only person who could have exploited the backdoor is someone who created it," he said.
"Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be 'manual' in that we do see the attacker trying different commands," Johannes Ullrich, dean of research for the SANS Technology Institute, stated in a post on the attacks.
The Shodan service, which searches the Internet for known vulnerable software, flagged 26,000 devices as potentially having the Juniper password flaw, according to Rapid7's Moore.
Companies will likely start shunning the DualEC implementation. Juniper competitor Cisco announced it had begun a code review to look for potential malicious changes to its network operating system. The company stressed that it has a policy against the creation of such security vulnerabilities for secret access.
"Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions," the company stated in an update for customers.
Juniper, Cisco and other network infrastructure hardware vendors will always be the target of groups wanting to install backdoors, whether for legitimate law enforcement purposes or for more nefarious intelligence ends, said Péter Gyöngyösi, product manager with security intelligence firm Balabit.
"Software running on hundreds of thousands of appliances will always be an attractive target to attackers: if you manage to insert a backdoor unnoticed, you are gaining access to a large number of devices worldwide," he said in an email to eWEEK. "Even though we rarely hear of such large scale, high-profile cases like this one, it'd be foolish to think no adversary ever tried a similar approach or that none of them succeeded."
Attackers are already seeking out vulnerable devices with the hard-coded password. The SANS Institute's Internet Storm Center announced on Dec. 22 that a honeypot made to look like a VPN service had detected quite a few attempts to log in using the known password.