Juniper Network backdoor

The horrific terrorist attacks two weeks ago in San Bernardino, and in France last month, have brought a clamoring from politicians, the FBI, and others, including the President, for backdoors to the encryption technologies deployed in the market. It even came up in the Republican and Democratic presidential debates last week. Last Thursday Juniper Networks dropped a bomb on the IT world, admitting that someone had implanted secret code in their switches that would give the perpetrators backdoor access to their network equipment. In addition to administrative control, apparently anyone with this access could decrypt communication within a VPN passing through their equipment (traffic normally considered secure because it is encrypted). This means that any supposedly secure governmental or company traffic could be available to someone with backdoor access to a Juniper switch that had this code embedded in it. The potential consequences of this breach are so enormous that many security experts are just now coming to grasp them: literally any traffic on the web, including previously thought secure encrypted VPN traffic, could be at risk if it passes through a Juniper switch.
Wired has done an excellent article on the ramifications of this code plant, so I won't go into detail in this post. However, this has to be setting off alarm bells within the security organizations of governments and companies around the world, regardless of whether they have Juniper Network switches deployed in their organization. For those not aware, Juniper is the second largest networking equipment manufacturer behind Cisco, so you can see the ramifications of this code plant opening up a backdoor to a company's or government's confidential electronic traffic. Particularly concerning about this code plant is Juniper's acknowledgement that there is no way to detect whether the VPN snooping vulnerability has been exploited, meaning the attackers could cover their tracks once they had gained remote access. So in theory the perpetrators could monitor traffic coming through these switches and then hide the fact that they were there at all. This is the really scary part of this hack.
Needless to say, this is a prime example of why intentional backdoors, suggested by the government for any product, software or hardware, no matter how well meant, are simply a bad idea.
In order for agencies like the NSA to get these backdoors, we have to assume they'd require private keys embedded into applications, keys that would be kept in some sort of secure vault that was possibly controlled by a Juniper network switch. Do you begin to see the absurdity in trying to keep these supposedly secret passwords secret? Projecting a possible scenario, these passwords could be transmitted through a Juniper switch, which would immediately put the security of any encrypted communication anywhere in the world at risk, since this code was apparently planted over 2 years ago. Need I say more about this? (And that is forgetting about another Edward Snowden or some other incompetent action by a governmental IT administrator.)
Unrelated to this Juniper hack, on Tuesday a group of cryptographers and security experts released a major paper outlining the risks of government-mandated backdoors in encryption products: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications. It specifically discusses why backdoors are a bad idea, adding further evidence that the whole concept is flawed.
As I have pointed out in a previous blog (admittedly more lightheartedly), the encryption horse has already left the proverbial barn, so these backdoors are a waste of time anyway. There are already so many encryption libraries available that any two-bit programmer could make a secure communication system if they wanted to. The Juniper announcement on Thursday is serious and further demonstrates why intentional backdoors in encryption products are just a bad idea.
Am I wrong on this? Your thoughts?
David Griffith is the CEO of Azstec LLC, the creators of docNCRYPT, the incredibly simple document security solution for everyone. If you have any comments or questions, email David at dgriffith [at] azstec.com and follow the Azstec Blog or on Twitter or LinkedIn.