Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Lawmakers Ask NSA About Its Role in Juniper Backdoor Discovered in 2015

Several U.S. lawmakers sent a letter to the National Security Agency last week in an effort to find out more about its role in the backdoor discovered in Juniper Networks products back in 2015, as well as the steps taken by the agency following the Juniper incident, and why those steps failed to prevent the recent SolarWinds hack.

Several U.S. lawmakers sent a letter to the National Security Agency last week in an effort to find out more about its role in the backdoor discovered in Juniper Networks products back in 2015, as well as the steps taken by the agency following the Juniper incident, and why those steps failed to prevent the recent SolarWinds hack.

In late 2015, Juniper Networks informed customers that it had discovered unauthorized code in some versions of its ScreenOS operating system, which powered the company’s firewalls. The code introduced a vulnerability that could be exploited to gain remote access to a device, and a vulnerability that could have been leveraged to decrypt VPN traffic.

The VPN issue was related to the use of Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), a NIST-approved cryptographic algorithm that had been known to contain a backdoor introduced by the NSA. Juniper had made some changes to prevent abuse, but the malicious code enabled the backdoor. Some speculated that the intelligence agency was responsible for the unauthorized code, but Juniper believed it was likely targeted by a foreign government.

Similar to the recent SolarWinds hack, in which attackers, believed to be backed by Russia, delivered malicious updates to many of the company’s customers, the Juniper backdoor was also delivered to many government and private organizations in the United States, either via security updates or new products.

A few months ago, a group of three senators and 13 members of the U.S. House of Representatives sent a letter to Juniper, asking the company about the results of its investigation into that incident. Juniper said it added support for Dual EC DRBG at the request of a customer, but did not say who that customer was or whether the customer was a U.S. government agency. The company said none of the people involved in the decision to use the problematic cryptographic algorithm still works there.

Senators and House members have now sent a letter to the NSA in an effort to learn more about the agency’s role in the Juniper incident.

In their letter, the lawmakers noted that the Juniper backdoor may have allowed a foreign government or a different adversary to hack into the communications of many businesses and government agencies. They have asked the NSA to describe the steps it took following the disclosure of the Juniper incident to protect government agencies, and why those measures haven’t prevented the recent SolarWinds supply chain attack.

The NSA has also been instructed to share more information regarding its development and use of the algorithm, and say whether it was the customer that asked Juniper to add support for it in its products.

Advertisement. Scroll to continue reading.

The lawmakers are also interested in finding out why the NSA thought it would be legal to introduce a backdoor into an algorithm approved by the U.S. government, and who it would need approval from if it wanted to introduce backdoors or other vulnerabilities into government standards.

The NSA has been given until February 26 to provide unclassified answers.

Related: Backdoors Not Patched in Many Juniper Firewalls

Related: Cisco Reviewing Code After Juniper Backdoor Hack

Related: Juniper Firewall Backdoor Password Found in 6 Hours

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...