The Department of Homeland Security and federal agencies are in incident-response mode as they work to remove listening posts in software planted by suspected cyberspies.
The unauthorized code can allow attackers to invisibly decrypt communications passing through widely used Juniper Networks firewalls, according to the company. The existence of the three-year-old bug was disclosed on Dec. 17. The government has spent about $13 million on Juniper products since 2012, according to the federal funding-tracker USASpending.gov.
Currently, the government is scouring its IT inventory to identify affected Juniper systems — plus any information that ever touched a Juniper firewall.
It is believed a foreign party rigged the software. Reports this week suggested the assailants might have taken advantage of a weakness that the National Security Agency allegedly placed in a popular encryption formula.
Dave Aitel, who worked at the code-breaking agency and now serves as chief technology officer at cybersecurity firm Immunity, said the discovery of an unauthorized backdoor in Juniper’s encryption program demonstrates precisely why even legal backdoors can backfire. The hack reinvigorated an already tense debate about encrypted communications, which consumers increasingly are using for privacy and terrorists increasingly are using to evade law enforcement’s eyes and ears. The FBI wants tech providers to be able to break coded messages when served with a warrant.
“We have every presidential candidate talking about crypto backdoors and no one can really point to why they are so dangerous,” Aitel said. But the Juniper software tampering is “a perfect case example of why cryptographic backdoors are so dangerous in the real world.”