A backdoor in Juniper's networking gear could provide key evidence in the case against government-mandated Feds-only access – yet the manufacturer has failed to produce a report on the matter, prompting US lawmakers to take action.
A cross-party group of senators and House representatives today sent an open letter [PDF] to Juniper Networks asking the company to cough up details surrounding the discovery of "unauthorized" VPN-decryption code inside its NetScreen firewall firmware in 2015.
The software routines could have been exploited by an eavesdropper to remotely connect into the appliances and snoop on encrypted traffic, essentially allowing the miscreant to spy on all incoming and outgoing data. There are claims this was a backdoor for the NSA, which was then exploited by someone unknown. Juniper vowed to conduct a full investigation, and issue a report on the scandal, but more than four years after the backdoor was discovered, there has been no definitive word on what happened or who may have been responsible.
The congresscritters, led by Senator Ron Wyden (D-OR), want to get to the bottom of the security blunder, as they believe the case will provide key evidence in the debate over government-mandated encryption backdoors.
Among those signing onto the letter are influential Senators Cory Booker (D-NJ) and Mike Lee (R-UT), Rep Jerry Nadler (D-NY), Homeland Security House committee chairman Bennie Thompson (D-MS), and Democratic California Representatives Zoe Lofgren, of Silicon Valley, and Ted Lieu, whose district includes much of Los Angeles. They said although the mystery decryption routines were found in 2015, the hole may have been present since the late 2000s.
"Alarmingly, the suspicious code that Juniper discovered in 2015 did not create the backdoor – it apparently modified one that was seemingly already there," the letter noted. "Subsequent analysis by an international team of leading experts determined that, in fact, a backdoor had likely been added to Juniper products as far back as 2008."
In particular, the letter asked Juniper to provide details on the 2009 certification of its encryption modules and whether those modules adhered to the US National Institute of Standards and Technology's requirements, although doing so is little guarantee of safety. The group also wants to see the full results of the investigation of the 2015 discovery, and any records or details Juniper has on the development of the ScreenOS firmware and any employees who had the ability to modify it.
If the suspicions of the congressfolk turn out to be founded, the Juniper case would be a textbook example of the exact sort of nightmare scenario opponents of encryption backdoors have presented: that a Feds-only access point could be discovered and reverse-engineered by any miscreant or foreign agent, and exploited to spy on people.
"Over the past year, Attorney General William Barr and other senior government officials have renewed their call for technology companies to subvert the encryption in their products in order to facilitate government surveillance," the letter noted.
"Juniper's experiences can provide a valuable case study about the dangers of backdoors, as well as the apparent ease with which government backdoors can be covertly subverted by a sophisticated actor."
Juniper declined to comment. ®