Remember that backdoor in Juniper gear? Congress sure does – even if networking biz wishes it would all go away

US lawmakers demand answers in quest against Feds-only access points

A backdoor in Juniper's networking gear could provide key evidence in the case against government-mandated Feds-only access – yet the manufacturer has failed to produce a report on the matter, prompting US lawmakers to take action.

A cross-party group of senators and House representatives today sent an open letter [PDF] to Juniper Networks asking the company to cough up details surrounding the discovery of "unauthorized" VPN-decryption code inside its NetScreen firewall firmware in 2015.

The software routines could have been exploited by an eavesdropper to remotely connect into the appliances and snoop on encrypted traffic, essentially allowing the miscreant to spy on all incoming and outgoing data. There are claims this was a backdoor for the NSA, which was then exploited by someone unknown. Juniper vowed to conduct a full investigation, and issue a report on the scandal, but more than four years after the backdoor was discovered, there has been no definitive word on what happened or who may have been responsible.

The congresscritters, led by Senator Ron Wyden (D-OR), want to get to the bottom of the security blunder, as they believe the case will provide key evidence in the debate over government-mandated encryption backdoors.

Among those signing onto the letter are influential Senators Cory Booker (D-NJ) and Mike Lee (R-UT), Rep Jerry Nadler (D-NY), Homeland Security House committee chairman Bennie Thompson (D-MS), and Democratic California Representatives Zoe Lofgren, of Silicon Valley, and Ted Lieu, whose district includes much of Los Angeles. They said although the mystery decryption routines were found in 2015, the hole may have been present since the late 2000s.

"Alarmingly, the suspicious code that Juniper discovered in 2015 did not create the backdoor – it apparently modified one that was seemingly already there," the letter noted. "Subsequent analysis by an international team of leading experts determined that, in fact, a backdoor had likely been added to Juniper products as far back as 2008."

In particular, the letter asked Juniper to provide details on the 2009 certification of its encryption modules and whether those modules adhered to the US National Institute of Standards and Technology's requirements, although doing so is little guarantee of safety. The group also wants to see the full results of the investigation of the 2015 discovery, and any records or details Juniper has on the development of the ScreenOS firmware and any employees who had the ability to modify it.

If the suspicions of the congressfolk turn out to be founded, the Juniper case would be a textbook example of the exact sort of nightmare scenario opponents of encryption backdoors have presented: that a Feds-only access point could be discovered and reverse-engineered by any miscreant or foreign agent, and exploited to spy on people.

"Over the past year, Attorney General William Barr and other senior government officials have renewed their call for technology companies to subvert the encryption in their products in order to facilitate government surveillance," the letter noted.

"Juniper's experiences can provide a valuable case study about the dangers of backdoors, as well as the apparent ease with which government backdoors can be covertly subverted by a sophisticated actor."

Juniper declined to comment. ®
