The security breach that Juniper Networks discovered in its ScreenOS last week was a back door that someone installed in the code in 2012, but could Juniper have done anything to prevent the problem or discover the back door sooner?
“Realistically, probably not,” says HD Moore, chief research officer at Rapid7, a company that sells products that assist with the detection and prevention of attacks.
Rapid7 and others have published the password to the ScreenOS back door, “to help customers identify vulnerable systems,” he says. While having the password in hand makes it easier for others to exploit the problem, Moore says it was only a matter of time before the password was located once the breach became public anyway.
Juniper issued its security alert on Dec. 17 after discovering the unauthorized code during an internal review.
Code review and quality assurance typically aim to keep accidental errors from shipping, not to identify malicious code from someone with insider access. “Regular security audits may have helped,” says Moore. “But there is no telling how hidden the changes were in the source code (or even the build chain).”
This security breach is unusual because it appears to have been an inside job. The unauthorized changes seem to have been made to the source code repository.
Moore says previous cases of security breaches involving back doors were different. Sometimes the vendor intentionally added a back door for support access or manufacturing automation. In other cases a back door was added when a vendor’s product was tampered with in transit, after it left the vendor. (You can’t help but think here of Cisco’s routers being tampered with by the NSA before being exported.)
“There is a third category of ‘accidental’ back doors, where a flaw in the code or the configuration leads to an authentication bypass, but these were never considered intentional,” says Moore.
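The two points above, that ordinary QA is built to catch accidental errors rather than planted ones, and that an “accidental” back door is usually a flaw that bypasses authentication, can be shown with a small, constructed example. This code is added here as an illustration and is not from Juniper, ScreenOS or Rapid7: the credential store, the `authenticate_fail_open` and `authenticate_fail_closed` functions and the `audit_auth` harness are all assumptions made for the example. It contrasts a login check whose error path fails open with a hardened, fail-closed version, and runs the negative tests a review process should apply to any login routine.

```python
import hashlib
import hmac

# Constructed credential store for the example (not real data):
# username -> (salt, sha256(salt || password)).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"example-salt"
USERS = {"admin": (_SALT, _hash(_SALT, "correct-horse"))}


def authenticate_fail_open(username: str, password: str) -> bool:
    """Flawed check (assumed example): a missing-user error is treated as success.
    Nobody planted a password here, yet the error path lets any unknown
    username in. This is the 'accidental back door' pattern."""
    try:
        salt, stored = USERS[username]
    except KeyError:
        return True  # BUG: fails open on the error path
    return _hash(salt, password) == stored


def authenticate_fail_closed(username: str, password: str) -> bool:
    """Hardened check: empty input, unknown users and any error all deny.
    The digest comparison is constant-time so timing does not reveal
    how many bytes of the hash matched."""
    if not username or not password:
        return False
    entry = USERS.get(username)
    if entry is None:
        _hash(_SALT, password)  # hash anyway so unknown users cost similar time
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(salt, password), stored)


def audit_auth(auth) -> list:
    """Negative tests a code review or QA pass should run against a login
    function. Every case must be rejected; returns the names of cases that
    were wrongly accepted."""
    cases = {
        "unknown user": ("nobody", "anything"),
        "wrong password": ("admin", "wrong"),
        "empty password": ("admin", ""),
        "empty user": ("", "correct-horse"),
    }
    return [name for name, (user, pw) in cases.items() if auth(user, pw)]


if __name__ == "__main__":
    for fn in (authenticate_fail_open, authenticate_fail_closed):
        print(fn.__name__, "wrongly accepts:", audit_auth(fn))
```

Both functions accept the valid credentials, which is all a functional test checks; only the negative cases expose the fail-open path. A review that asks “under what conditions does this return true?” rather than “does the happy path work?” is what separates an audit for back doors from ordinary QA.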
There has been rampant speculation that the U.S. government may have required Juniper Networks to build a back door into ScreenOS. As Wired and others reported, researcher Ralf-Philipp Weinmann of Comsecuris found that the ScreenOS flaw stems from a weakness in elliptic curve cryptography, a weakness that is believed to have been engineered by the National Security Agency (NSA). That flaw was repurposed by the culprit in the Juniper case.
“There are no security benefits and many likely downsides to implementing mandatory back doors,” Moore says. “In my view, it’s far too early” to definitively blame the NSA.