As Republican presidential candidates continue to express the “urgent need” for cyber surveillance through backdoors in encryption technology, revelations of a major breach in computer network company Juniper Networks have demonstrated to the entire world why that might actually be a terrible idea.
In the breach, an unauthorized hardcoded password was discovered that could give anyone who knows that password administrative access to devices running certain versions of the operating system ScreenOS.
This is the same concept many of the Republicans have been pushing for, to give our own government access to encrypted data in order to increase the government’s ability to fight terrorism. But now that this concept is being used against us — and apparently has been for a very long time — U.S. officials are scrambling to apply updates to prevent any further cyber espionage.
Juniper has released an emergency patch for their routers in light of the breach, which experts believe may have given foreign hackers access to spy on the encrypted communications of both U.S. government officials and private corporations for much of the past three years.
Juniper’s chief information officer, Bob Worrall, released a statement about the incident on their website explaining that the backdoor was discovered after an audit of the code used in ScreenOS.
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.”
Juniper Networks has refused to answer any questions regarding where the code may have come from, though they have said that they did not work with any government to add the code.
Officials are concerned that hackers who have been taking advantage of the flaw may have had access to quite a bit of privileged information, and there’s no telling what they did with it. The type of access that could be gained by exploiting this code has been described as being much like obtaining a “master key to get into any government building”.
The U.S. has denied being behind the implementation of the code, and some U.S. officials believe that China and Russia are likely responsible due to the level of sophistication necessary to carry out this type of attack. They did say, however, that they haven’t reached any conclusions as of yet.
In the meantime, Juniper continues to advise customers using ScreenOS 6.2.0r15 through 6.2.0r18, or 6.3.0r12 through 6.3.0r20 to install the emergency patch as soon as possible. Doing so will prevent any further risk of information disclosure to the still unknown third party.
Ronald Prins from Dutch security firm Fox-IT pointed out that Juniper’s patch may have increased the risk of the exploitation of devices that are still vulnerable. “Once you know there is a backdoor there,” he explained to WIRED, “the patch gives away where to look for [the backdoor]”. Prins claims his firm was able to figure out how to access all vulnerable firewalls in the exact same way as the original attackers.
In a statement, Juniper said that they have no reason to believe that the vulnerability had been exploited to decrypt communications, but also admitted that if it had been, “there is no way to detect that this vulnerability was exploited”.
The situation illustrates why having a backdoor in encryption technology may not be such a good idea, because not only does it compromise the expectation of privacy, it raises an important question as well: What happens when someone we don’t know, someone not affiliated with our government, figures out what the password is? It took three years for this breach to be discovered, after all. That’s a lot of time for hackers to collect sensitive information.