Security Experts:

Connect with us

Hi, what are you looking for?



U.S. Officials Ask Juniper Networks About Investigation Into 2015 Backdoor

More than a dozen U.S. officials have sent a letter to California-based networking and cybersecurity solutions provider Juniper Networks to ask the company about the results of the investigation launched in 2015 following the discovery of a backdoor in its products.

More than a dozen U.S. officials have sent a letter to California-based networking and cybersecurity solutions provider Juniper Networks to ask the company about the results of the investigation launched in 2015 following the discovery of a backdoor in its products.

In late 2015, Juniper Networks revealed that it had identified unauthorized code in some versions of the ScreenOS operating system running on its firewalls. The code was found to introduce two vulnerabilities: one that could be exploited to remotely gain admin access to a device, and one that could allow an attacker to decrypt VPN traffic.

The VPN vulnerability was related to the use of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), which ScreenOS used as a pseudo-random number generator (PRNG). Dual EC DRBG was known to contain a backdoor introduced by the NSA, which led some to speculate that the NSA may have planted the unauthorized code in Juniper products, while others said it could have been the work of a foreign government.

An initial analysis revealed that the backdoor may have been there since 2008. Juniper had been aware of the security risks posed by the use of Dual EC DRBG and it had not used it as its primary PRNG. In addition, the company made some changes that should have mitigated risks, but the unauthorized code enabled the backdoor and made it possible to launch attacks.

A group of three senators and 13 members of the U.S. House of Representatives announced on Wednesday that they have sent a letter to Juniper Networks in an effort to find out what the company learned from its investigation into what the officials described as “secret government backdoors.”

“It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered,” the officials wrote. “The American people — and the companies and U.S. government agencies that trusted Juniper’s products with their sensitive data — still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security.”

The letter was sent to Juniper just as the U.S. Attorney General and other government officials have been trying to convince — and in some cases even force — companies to add encryption backdoors to their products to facilitate surveillance and investigations.

Juniper has been given one month to answer eight questions about the incident, including on the company’s decisions surrounding Dual EC DRBG, the results of its investigation, the source of the unauthorized code, and any recommendations made and implemented following the probe.

SecurityWeek has reached out to Juniper Networks for comments, but we have yet to hear back. This article will be updated if the company responds.

Related: Backdoors Not Patched in Many Juniper Firewalls

Related: Cisco Reviewing Code After Juniper Backdoor Hack

Related: Juniper Firewall Backdoor Password Found in 6 Hours

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.