
    Department of Defense Nudges Contractors to Patch Juniper Backdoor

    Written by Joseph Cox


    In December, everyone was starkly reminded of the dangers posed by backdoors in security products: Juniper Networks, a massive company that creates popular networking equipment, found “unauthorized” code in its ScreenOS software which would allow an attacker to take total control of Juniper NetScreen firewalls, or even, with enough resources, passively decrypt VPN traffic.

    In response, Juniper released a patch, and advised customers to immediately update their systems. According to a “Cyber Alert” document obtained by Motherboard, the US Department of Defense (DoD) urged a slew of contractors to do the same.

    A few days after the backdoor news broke, the Defense Security Service (DSS) sent out the alert detailing the problems found in Juniper's products. The DSS is a part of the DoD, and, amongst other things, supervises industrial security and provides security education.

    “DSS provides this report to cleared contractor security professionals to facilitate the awareness of cyber threats to their classified and unclassified networks and to aid in the identification and development of appropriate actions, priorities, and follow-on measures,” reads the unclassified document, which is dated December 22, 2015.

    The Cyber Alert then briefly describes the two issues at hand—a hard-coded password that would grant an attacker remote access, and a separate problem that may allow an attacker to decrypt intercepted traffic—and provides signatures for detecting some unauthorized entry attempts.

    The document adds that “It is up to the recipients of the alerts to decide how to use the information contained in this document.”

    Shortly after Juniper released its patch in mid-December, researchers from Dutch cybersecurity firm Fox-IT were able to dig up the baked-in password that would have given attackers full access to Juniper's affected products. Rapid7, another security company, also found the password, and subsequently published it. (The DSS Cyber Alert also includes the hard-coded password.)

    Days later, Ralf-Philipp Weinmann, founder and CEO of German consultancy Comsecuris, found evidence that the vulnerability facilitating decryption of VPN traffic had either been inserted by the US National Security Agency (NSA), or relied upon cryptographic weaknesses that the agency had deliberately created. Weinmann pointed out that Juniper's patch doesn't entirely solve the problem, either.

    The Intercept, pulling up documents from the Snowden archive, reported that the NSA had helped the UK's Government Communications Headquarters (GCHQ) find vulnerabilities in Juniper products back in February 2011.

    But, irrespective of who is actually behind the manufacture of these backdoors, there is every chance that they could have been exploited by a number of different attackers, be they Russia, China, or anyone else.

    Indeed, it is impossible to create a backdoor for a friendly entity without also creating an avenue of attack for an adversary. There is no magical formula for giving the good guys access while keeping the bad ones out. This is the point being repeated by companies like Apple, which has introduced robust hard-disk encryption for its devices and message services, while law enforcement agencies demand that backdoors be inserted into consumer products.

    It's safe to assume that the DSS knows this too, hence their issuing of the Cyber Alert to a melting pot of US government contractors, despite evidence pointing to the nation’s own intelligence agency being involved.