Juniper Backdoor: How Are Vendors Responding?

Network & Perimeter , Technology

Juniper Backdoor: How Are Vendors Responding? 8 Networking Giants Answer With Silence Juniper Backdoor: How Are Vendors Responding?

How many networking vendors have been shipping products with built-in backdoors designed to bypass authentication and encryption?

See Also: Stop Fraud, Not Customers: Focus On Good User Experience

That's the obvious question that all networking gear users - and manufacturers - should be asking in the wake of Juniper warning on Dec. 17, 2015, that it had discovered "unauthorized code that could allow a knowledgeable attacker to gain administrative access" to its devices as well as "decrypt VPN connections" (see Who Backdoored Juniper's Code?).

"Who's gonna be the next SSH backdoor?" 

In the wake of Juniper's warning, Cisco announced that it had launched a deep-dive review of its own firmware to look for any suspicious code (see Cisco Reviews Code After Juniper Backdoor Found).

Other networking vendors, however, remained silent. So beginning on Dec. 23, 2015, I began asking them directly: How are you responding to the Juniper backdoor revelations and ensuring that backdoors aren't present in the firmware that runs your devices?

To their credit, six networking firms have at least responded. Fortinet, Palo Alto Networks, Alcatel-Lucent and Brocade all tell me that they have either launched deep-dive code reviews to look for signs of code-base tampering or else that they have existing code checks and third-party reviews that would spot this sort of behavior.

A spokeswoman for Polycom also responded, telling me Jan. 19: "This is not something we will comment on."

The Sound of Silence

Despite repeated requests for comment in recent weeks, however, I have yet to receive any response from these seven other leading networking vendors or brands:

Aruba, based in Sunnyvale, Calif., which is part of HP Enterprise; Avaya, based in Basking Ridge, NJ; Blue Coat Systems, based in Sunnyvale, Calif.; Check Point Software Technologies, based in Tel Aviv; HP, based in Palo Alto, Calif.; Huawei, based in Shenzhen, China; IBM, based in Armonk, NY.

Code Reviews: Not a Magic Bullet

To be clear, while code reviews are essential, they are not foolproof. Fortinet, for example, warned last week of multiple hard-coded SSH passwords in its products, some of which date from 2014, and all of which could be abused by attackers to gain access to vulnerable devices (see Fortinet Finds More SSH Backdoors).

Still, if I was using networking gear built by any of the eight non-responsive - or declining to comment - firms, I'd be demanding answers to what should be a simple-to-answer question and threatening to take my business elsewhere. As information security consultant Eleanor Saitta has noted, when it comes to networking gear, and following revelations relating to the U.S. National Security Agency's effort to infiltrate U.S.-built technology, trust is running thin (see Defending Against Government Intrusions).

So, who's gonna be the next SSH backdoor? Anyone want to wager?

Gag Orders?

Some firms' lack of response begs the question of whether they have been compelled - for example by the NSA, or relevant authorities in China or Israel - to not reveal government-mandated backdoors added to their code. For what it's worth, all of the networking vendors that have responded to me are based in California, except for Alcatel-Lucent, which is based near Paris.

It's no secret that networking gear is actively targeted by intelligence agencies run by both friends and foes. For example, a document published last month by the Intercept - labeled "top secret" and dated February 2011 - revealed that Britain's GCHQ intelligence agency "has exploit capabilities against" 13 different Juniper NetScreen firewalls. GCHQ is Britain's sister agency to the NSA, and the document advocated working with the NSA as well as launching "an effort to ensure exploitation capability" against future Juniper firmware (see Juniper Devices Are Under Attack).

Congress Demands Juniper Usage Details

Security experts are clear: All backdoors are bad, as they put everyone's data at risk, because any backdoor added "for the good guys" can also be accessed by "the bad guys," as demonstrated by the Juniper backdoors, which security experts say may have been added by three separate intelligence agencies, working independently of each other (see Juniper Firmware: New Crypto Flaw Found).

For evidence of the damage backdoors can cause, look no further than the United States, where the House Committee on Oversight and Government Reform has fired off letters to multiple U.S. government agencies seeking full details of their use of devices that run Juniper's NetScreen OS, as well as a related version history, including:

Documents detailing whether the agency - or any component agency - used the vulnerable Juniper gear; Whether any "corrective measures were taken prior to deploying the software patch issued by Juniper Networks on Dec. 20, 2015"; Full version history details for agencies' ScreenOS deployments; Documentation relating to how and if the related Dec. 20 software patch has been installed.

The committee's letters were sent Jan. 21 to the heads of 24 different U.S. government agencies, ranging from the Department of Defense and Department of Energy to the Office of Personnel Management and the Securities and Exchange Commission. Queried agencies have until Feb. 4 to respond.

Draft Bill Outlaws Snooping Discussion

Unfortunately, efforts are now underway in the United Kingdom to make government-mandated backdoors harder to find and eradicate. In particular, a draft of the U.K.'s revamped Investigatory Powers Bill - derided as the Snooper's Charter by critics - would make it illegal for anyone the government approaches to build a backdoor to disclose that information to anyone, for any reason at all (see U.K.'s Snowden Response: Surveillance Debate).

In particular, the language in the 300-page draft bill "prevents anyone involved in interception from ever mentioning it took place as part of any legal proceedings," according to an analysis of the bill published by security and privacy researcher George Danezis at University College London. "Note that this section is absolute: it does not have exceptions, for example in relation to the public interest: such as the ability to discuss the benefit or downsides of [particular] interception activities; no exception for talking about this to MPs, or other democratic representatives; or even to exculpate anyone who otherwise would be wrongfully found guilty."

Many security experts deride this ethos as wrongheaded, at best, for self-described democratic societies. "No matter how much power government has, it is never enough," says information security consultant William Murray, who teaches at the U.S. Naval Postgraduate School. "When their best efforts in open debate fail to frighten us into surrendering our liberty, they are not above resorting to covert means."