The mystery surrounding two backdoors in Juniper’s virtual private networking (VPN) products—and whether one of them may have originated with a U.S. intelligence agency—has added fuel to the debate surrounding government access to communications and data.
On Dec. 17, Juniper announced that an internal code review had turned up unauthorized code in its ScreenOS operating system amounting to two backdoors. One lets anyone who knows a hard-coded password log in to an affected device with administrative rights over SSH or Telnet; the other lets an attacker who holds a particular secret value, and who can capture VPN traffic to or from the device, decrypt that traffic.
Juniper’s Security Incident Response Team “is not aware of any malicious exploitation of these vulnerabilities; however, the password needed for the administrative access has been revealed publicly,” the company stated in an advisory.
According to Juniper's advisory, the VPN decryption weakness affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, a span that reaches back to releases from 2012, while the hard-coded password affects only the more recent 6.3.0r17 through 6.3.0r20. Juniper has released fixed builds for every affected release, including those going back as far as August 2012.
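The version ranges are what an administrator actually has to check. The following Python is an added example, not Juniper's tooling: it parses the version string a ScreenOS firewall prints in `get system` output and reports which of the two issues' affected ranges, as listed in Juniper's advisory, contain it. The sample output is constructed, and treating a letter suffix after the r-number as a possibly patched build of an old release line is an assumption about Juniper's naming that should be confirmed against the advisory.

```python
"""Classify a ScreenOS version against the affected ranges in Juniper's
December 2015 advisory.  Added example, not Juniper's code; the `get system`
text below is constructed."""
import re

# Inclusive (lowest, highest) ranges, as (major, minor, patch, r-number),
# for the two unauthorized-code issues, taken from the advisory.
AFFECTED = {
    "hard-coded admin password": [((6, 3, 0, 17), (6, 3, 0, 20))],
    "VPN decryption (Dual EC)": [((6, 2, 0, 15), (6, 2, 0, 18)),
                                 ((6, 3, 0, 12), (6, 3, 0, 20))],
}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.(\d+))?([a-z]?)")


def parse_screenos_version(text):
    """'6.3.0r17.0' -> ((6, 3, 0, 17), 0, '');  '6.3.0r17b' -> ((6, 3, 0, 17), 0, 'b')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no ScreenOS version in %r" % text)
    major, minor, patch, rel, build, suffix = m.groups()
    return (int(major), int(minor), int(patch), int(rel)), int(build or 0), suffix


def affected_issues(version_text):
    """Return (issues whose range contains the version, letter suffix if any).
    The suffix is reported rather than ignored: the assumption here is that
    Juniper's patched builds of old release lines carry one, so a suffixed
    build inside a range needs a look at the advisory, not an automatic verdict."""
    ver, _build, suffix = parse_screenos_version(version_text)
    hits = [name for name, ranges in AFFECTED.items()
            if any(lo <= ver <= hi for lo, hi in ranges)]
    return hits, suffix


def triage_get_system(output):
    """Pull the 'Software Version:' field out of `get system` output and classify it."""
    m = re.search(r"Software Version:\s*([^\s,]+)", output)
    if not m:
        raise ValueError("no Software Version line")
    hits, suffix = affected_issues(m.group(1))
    return {"version": m.group(1), "issues": hits, "build_suffix": suffix}


# Constructed sample of `get system` output (not captured from a real device).
SAMPLE_GET_SYSTEM = """\
Product Name: SSG140
Serial Number: 0000000000000000, Control Number: 00000000
Software Version: 6.3.0r17.0, Type: Firewall+VPN
"""
```

Run `triage_get_system` over the banner collected from each firewall; anything whose version lands in a range needs either the fixed release or confirmation that it is one of the patched builds, and a device in the password range should additionally have its logs checked for unexpected administrative logins.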
Security researchers have linked the decryption capability to the Dual Elliptic Curve (Dual EC) pseudo-random number generator, a standard believed to have been designed with a backdoor for the U.S. National Security Agency: whoever knows the secret relationship between the generator's two curve constants can recover its internal state from a sample of its output, and with it any keys derived from that output. ScreenOS used Dual EC, and the unauthorized change replaced one of those constants with a value of the attacker's choosing. The same generator was the default in products sold by security firm RSA, which was reportedly paid $10 million by the NSA to use it.
The kerfuffle over the backdoor password and code comes as politicians and law enforcement officials continue to ratchet up calls for technology companies to weaken the security of their products so that authorities can access communications and data.
In a 60 Minutes segment aired over the weekend, Apple CEO Tim Cook attempted to explain the problem that weakened encryption poses for all citizens: a security weakness gets exploited, and not only by legitimate authorities.
“If there is a way to get in, then someone would find a way in,” Cook said in the 60 Minutes segment. “The reality is, if you put a backdoor in—that backdoor is for everybody, for good guys and bad guys.”
In the latest Democratic debate, presidential candidate Hillary Clinton, when asked to comment on Apple’s assertions, called for a massive effort to find a solution.
“I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project, something that would bring the government and the tech communities together to see they’re not adversaries, they’ve got to be partners,” Clinton said in the debate.
Technologists call such a view the “nobody but us,” or NOBUS, argument: a legitimate authority builds a weakness into a system in the belief that only it will ever be able to use it. The backdoor password is “infinitely stupid,” but the NOBUS-style decryption weakness is a seductive approach because it seems like it could work, said Nate Cardozo, staff attorney with the Electronic Frontier Foundation.
Such secrets will eventually leak, however, and if ubiquitously implemented, leave everyone with weakened security, he said.
Encryption Backdoor Debate Heats Up With Juniper Breach Discovery
“When you attempt to design a NOBUS backdoor, it creates so much complexity, it is going to weaken the end product,” Cardozo said. “And DualEC is so weak that it is no longer even a reasonable implementation. It goes to show that you can try to make a ‘nobody-but-us’ backdoor, but you will fail.”
Security expert HD Moore believes the Juniper breach illustrates both sides of the debate. A poorly implemented backdoor such as the hard-coded password leaves everyone vulnerable, he said. The password itself was recovered from the firmware within days of Juniper’s announcement, and Metasploit, the attack framework Moore originally created, already includes a module that logs in with it. Thousands of devices appear to be vulnerable online, he added.
Yet the Dual EC backdoor can be used only by whoever holds the secret key, which so far is known only to the original attacker, said Moore, who is chief research officer at vulnerability management firm Rapid7.
“The only person who could have exploited the backdoor is someone who created it,” he said.
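Moore's point, that the decryption backdoor is usable only by whoever holds the secret behind the substituted Dual EC constant, is easy to see in code. The following Python is an added example, not code from the page, from Juniper or from any standard: it runs Dual EC's step (the state s advances to x(sP), and x(sQ) with its top bits dropped is emitted) on a tiny curve, lets an attacker swap in Q = dP, and then recovers the generator's state from a handful of outputs using e = d^-1, the value nobody else has. The curve parameters, the 8-bit truncation, the seed and the scalar d are assumptions chosen to keep the run instant.

```python
"""Toy Dual EC DRBG plus the state recovery available to whoever chose Q.
Added example, not code from the page, Juniper or any standard: the curve,
truncation, seed and attacker scalar d are assumptions picked so the run
takes milliseconds; the step (s -> x(sP), emit x(sQ) minus its top bits)
is Dual EC's."""
from itertools import count
from math import gcd

P_MOD = 1019      # prime, 3 mod 4, so a modular square root is one pow()
A, B = 2, 3       # toy curve y^2 = x^3 + A*x + B (assumption)
OUT_BITS = 8      # low bits of x(sQ) emitted; real Dual EC keeps 240 of 256
OUT_MASK = (1 << OUT_BITS) - 1


def ec_add(p1, p2):
    """Group law on the toy curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """A point with x-coordinate x, or None if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def point_order(pt):
    """Brute-force order; cheap on a curve with about a thousand points."""
    n, acc = 1, pt
    while acc is not None:
        acc, n = ec_add(acc, pt), n + 1
    return n

def xcoord(pt):
    if pt is None:   # s was a multiple of the point order: a tiny-curve artefact
        raise ValueError("degenerate state")
    return pt[0]

def dual_ec_outputs(state, P, Q, n_out):
    """Emit n_out truncated outputs.  state is the scalar applied to Q; after
    each output it becomes x(state*P).  (The standard refreshes the state
    before the first output; that ordering does not affect recovery.)"""
    outs = []
    for _ in range(n_out):
        outs.append(xcoord(ec_mul(state, Q)) & OUT_MASK)
        state = xcoord(ec_mul(state, P))
    return outs

def recover_state(outs, P, Q, e):
    """Holder of e with e*Q == P: from outs[0] find the state that produces
    outs[1:], hence every later output.  Returns None if nothing fits."""
    for hi in range(0, P_MOD, 1 << OUT_BITS):      # re-add the dropped top bits
        x = hi | outs[0]
        R = lift_x(x) if x < P_MOD else None       # candidate for the point s*Q
        nxt = ec_mul(e, R) if R else None          # e*(s*Q) == s*P: its x is the next state
        if nxt is None:
            continue
        try:
            if dual_ec_outputs(nxt[0], P, Q, len(outs) - 1) == outs[1:]:
                return nxt[0]
        except ValueError:
            pass
    return None

def demo(seen=6, extra=4):
    """Attacker installs Q = d*P (the ScreenOS change), then predicts `extra`
    outputs after observing `seen`.  Returns the pieces for inspection."""
    P = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt is not None)
    n = point_order(P)
    d = next(k for k in count(101) if gcd(k, n) == 1)   # attacker's secret (assumption)
    Q, e = ec_mul(d, P), pow(d, -1, n)                   # substituted constant; e*Q == P
    for seed in count(5):               # skip seeds whose chain hits infinity
        try:
            outs = dual_ec_outputs(seed, P, Q, seen + extra)
        except ValueError:
            continue
        state = recover_state(outs[:seen], P, Q, e)
        predicted = dual_ec_outputs(state, P, Q, seen + extra - 1)[seen - 1:]
        return {"P": P, "Q": Q, "e": e, "seed": seed, "observed": outs[:seen],
                "predicted": predicted, "actual": outs[seen:]}
```

Without e, turning an output back into the generator's state means solving a discrete logarithm on the curve, which is infeasible at real sizes; with e, one output block plus a few blocks for verification pins down every future output, and a VPN whose session keys come from this generator is transparent to e's holder. Replacing Q, as the ScreenOS change did, transfers that power from whoever chose the original Q to whoever chose the new one, which is why the weakness looks like a NOBUS backdoor to its owner and like an open door to anyone who later obtains e.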
Attackers are already seeking out vulnerable devices with the hard-coded password. The SANS Institute’s Internet Storm Center reported on Dec. 22 that a honeypot presenting a ScreenOS login banner had logged numerous attempts to log in using the known password.
“Our honeypot doesn’t emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be ‘manual’ in that we do see the attacker trying different commands,” Johannes Ullrich, dean of research for the SANS Technology Institute, stated in a post on the attacks.
Shodan, a search engine that indexes the service banners of Internet-facing devices, shows about 26,000 devices that could have the Juniper password flaw, according to Rapid7’s Moore.
Other vendors are likely to distance themselves from Dual EC. Juniper competitor Cisco announced that it had begun a code review of its own network operating systems to look for malicious changes, and stressed that company policy prohibits building in such covert access.
“Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions,” the company stated in an update for customers.
Juniper, Cisco and other network infrastructure hardware vendors will always be the target of groups wanting to install backdoors, whether for legitimate law enforcement purposes or for more nefarious intelligence ends, said Péter Gyöngyösi, product manager with security intelligence firm Balabit.
“Software running on hundreds of thousands of appliances will always be an attractive target to attackers: if you manage to insert a backdoor unnoticed, you are gaining access to a large number of devices worldwide,” he said in an email to eWEEK. “Even though we rarely hear of such large scale, high-profile cases like this one, it’d be foolish to think no adversary ever tried a similar approach or that none of them succeeded.”