Juniper Networks, a Sunnyvale, Calif.-based network hardware manufacturer that last week reported finding unauthorized code in its firmware that could let attackers access its devices, may have been vulnerable for several years, according to a top-secret document published by The Intercept, a website dedicated to transparency in government and corporate institutions. The document, provided by Edward Snowden, indicates the National Security Agency (NSA) had been aware of Juniper vulnerabilities since 2011.
Juniper’s admission last week that an unauthorized party added code to the firmware used in its NetScreen devices is a “huge admission,” because the code could allow attackers to gain access to the devices and to decrypt virtual private network (VPN) connections, according to TheNextWeb. Juniper builds network hardware used by companies worldwide.
Does Juniper Know When Code Came?
The fact that Juniper either does not know or will not say when the code was added, or by whom, is concerning, according to TNW. Juniper has released patches for NetScreen devices, but there is no way to detect whether an attack has taken place.
The newly released document indicates the NSA had been aware of Juniper vulnerabilities since 2011 and that GCHQ, the U.K. intelligence agency, was able to exploit them.
Compromising the connections that Juniper products protect would yield access to highly sensitive information, HD Moore, chief research officer at Rapid7, a Boston, Mass.-based IT security provider, told The Verge. The number of Internet-facing devices exposed to Juniper’s “backdoors” is estimated at around 26,000.
GCHQ, with the cooperation of the NSA, gained the capability to exploit security vulnerabilities in 13 different models of Juniper firewalls, according to the document, which is dated Feb. 3, 2011.
Document Raises Big Questions
Titled “Assessment of Intelligence Opportunity – Juniper,” the six-page document raises questions about whether the intelligence agencies were culpable for creating the security holes disclosed by Juniper last week, according to the Intercept article by Ryan Gallagher and Glenn Greenwald.
The document indicates the agencies, like the unidentified parties responsible for the unauthorized code, were able to penetrate the NetScreen line of firewall and VPN products. It also indicates that GCHQ’s capabilities clustered around ScreenOS, an operating system that powers only a subset of Juniper products, such as the NetScreen line.
Juniper’s other products, such as its Internet routers, run Junos, a different operating system.
The document does not indicate a specific link between GCHQ, NSA and the Juniper hacks.
But any possible links between the intelligence agencies and the security vulnerabilities are relevant on account of a current debate in the U.K. and the U.S. over government backdoors that enable access to encrypted data.
Did NSA Help Create A Backdoor?
Security researchers and cryptographers have noted that one newly discovered Juniper vulnerability could have been built on an NSA-engineered encryption backdoor that was then co-opted by someone else.
U.S. officials, meanwhile, are reviewing how the Juniper flaws could affect their own networks, which puts them in the position of trying to protect their own encrypted traffic while they criticize others for using encryption.
The document’s author, an NSA employee who worked as part of an “Access Strategy Team” with GCHQ, takes an adversarial stance toward encryption, referring to Juniper as a “target” and a “threat” because it provides technology that shields data from eavesdropping.
Rather than suggesting the agencies help U.K. and U.S. firms fix their digital defenses, the document argues that they should keep pace with Juniper’s technology in order to pursue signals intelligence, known as SIGINT.
Why Juniper Matters
The threat, according to the document, stems from Juniper’s emphasis on being a security leader. Juniper is “at the core” of the Internet in many nations, the document notes, and as telecom companies move to all-IP networks, Juniper will play a bigger role in converged networks.
If the SIGINT community falls behind while Juniper rapidly improves its security, the document warns, it could take years to regain an access capability against Juniper routers or firewalls.
The document sheds light on the NSA’s secret efforts to make sure it can monitor information flowing through Juniper products, which are used by banks, Internet providers, government agencies and universities, including in countries the agencies consider high-priority spying targets such as China, Pakistan and Yemen.
GCHQ And NSA: No Comment
In response to requests for comment by The Intercept, GCHQ said the agency does not comment on intelligence matters and abides by a strict legal framework.
The NSA did not respond to a request for comment on Tuesday.
Juniper, for its part, said it operates with the highest ethical standards and is committed to the security, integrity and quality of its products. The company said it does not intentionally have backdoors that can compromise its products or place customers at risk. It further said it does not work with other parties to add vulnerabilities to its products.
Two New Juniper Vulnerabilities
In last week’s announcement, Juniper reported finding “unauthorized code” in ScreenOS that gave rise to two vulnerabilities. The first appeared in an August 2012 release and can allow an attacker who can observe VPN traffic to decrypt it. The second appeared in a December 2014 release and enables an attacker to administer a firewall remotely, resulting in a full compromise of the device. Both remained in ScreenOS releases through at least October of this year.
The first of these, the VPN eavesdropping flaw, has prompted an online discussion among security professionals about where it came from, according to The Intercept.
Matthew Green, a Johns Hopkins professor, and Ralf-Philipp Weinmann, a security researcher, said an attacker apparently subverted a backdoor that previously disclosed Snowden documents indicate the NSA engineered. The attacker appears to have tampered with a 32-byte constant in ScreenOS’s random number generator, which supplies the random values from which VPN keys are derived. ScreenOS generates those values with the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), and the 32-byte constant is the x-coordinate of the generator’s Q point on the P-256 curve.
The default Q point in the standard is believed to have been generated by the NSA. Dual EC’s weakness is that whoever generated Q, and therefore knows the secret relationship between Q and the generator’s other fixed point P, can recover the generator’s internal state from a small amount of its output and predict every value it produces afterward; nobody else can.
After the Snowden revelations about the standard, Juniper said it had replaced the default value with a point it generated itself. The attacker, then, would have swapped out Juniper’s replacement for a Q point of the attacker’s own choosing, giving that party alone the ability to predict the random numbers and, with them, the VPN keys.
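To make the mechanism concrete, here is an added toy Dual EC DRBG in Python. It is not Juniper’s code and not from The Intercept article; it stands in a small curve over F_1009 for P-256 and drops only the top two bits of each 10-bit x-coordinate instead of 16 of 256, and the curve coefficient, seed and truncation width are assumptions chosen for illustration. The party that picks Q as a multiple d·P also knows e = d⁻¹ such that e·Q = P; lifting one output back to a point R = s·Q and multiplying by e yields s·P, whose x-coordinate is the generator’s next state, after which every later output is predictable.

```python
"""Toy Dual EC DRBG with the Q-point trapdoor (added example, not Juniper's code).
Assumes a small curve over F_1009 in place of P-256, and that only the top two
bits of each 10-bit x-coordinate are dropped (Dual EC drops 16 of 256 bits)."""
from math import gcd

P_MOD = 1009     # field prime (assumed toy size)
CURVE_A = 2      # curve is y^2 = x^3 + CURVE_A*x + CURVE_B mod P_MOD
OUT_BITS = 8     # low bits of x(s*Q) emitted per step
MASK = (1 << OUT_BITS) - 1

def ec_add(pt1, pt2):
    """Affine point addition; None is the point at infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    (x1, y1), (x2, y2) = pt1, pt2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                       # P + (-P), also 2P when y == 0
    if pt1 == pt2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def sqrt_mod(v):
    """Brute-force modular square root (fine at toy size); None if non-residue."""
    return next((y for y in range(P_MOD) if y * y % P_MOD == v % P_MOD), None)

def point_order(pt):
    k, acc = 1, pt
    while acc is not None:
        acc, k = ec_add(acc, pt), k + 1
    return k

def find_curve():
    """Choose CURVE_B and a base point with ord(P) > P_MOD and no point at x == 0,
    so s*P is never infinity for states 1..P_MOD-1 (a toy-only safeguard)."""
    for b in range(1, P_MOD):
        if sqrt_mod(b) is not None:       # (0, y) would lie on the curve
            continue
        pts = ((x, sqrt_mod(x ** 3 + CURVE_A * x + b)) for x in range(1, P_MOD))
        base = next(pt for pt in pts if pt[1] is not None)
        if point_order(base) > P_MOD:
            return b, base, point_order(base)
    raise RuntimeError("no suitable toy curve")

CURVE_B, BASE_P, ORDER = find_curve()
D = next(d for d in range(2, ORDER) if gcd(d, ORDER) == 1)  # Q-chooser's secret
Q = ec_mul(D, BASE_P)       # the published "32-byte value": to others, just a point
E = pow(D, -1, ORDER)       # trapdoor: E*Q == BASE_P

def generate(seed, count):
    """Honest Dual EC: s_i = x(s_{i-1}*P), r_i = x(s_i*Q); emit low bits of r_i."""
    s, outs = seed, []
    for _ in range(count):
        s = ec_mul(s, BASE_P)[0]
        outs.append(ec_mul(s, Q)[0] & MASK)
    return outs

def outputs_from_state(s, count):
    """Outputs r_i, r_{i+1}, ... given s = s_i (the state right after an update)."""
    outs = []
    for _ in range(count):
        outs.append(ec_mul(s, Q)[0] & MASK)
        s = ec_mul(s, BASE_P)[0]
    return outs

def recover_state(outputs):
    """Trapdoor attack: lift the first output to candidate points R = s*Q (one guess
    per value of the dropped bits; 2^16 guesses in real Dual EC), apply E so that
    E*R = s*P gives the next state, and keep candidates that reproduce later outputs."""
    first, rest = outputs[0], list(outputs[1:])
    survivors = set()
    for x in range(first, P_MOD, 1 << OUT_BITS):
        y = sqrt_mod(x ** 3 + CURVE_A * x + CURVE_B)
        if y is None:
            continue                      # no point has this x-coordinate
        nxt = ec_mul(E, (x, y))           # (x, -y) yields the same x, so one lift suffices
        if nxt is not None and outputs_from_state(nxt[0], len(rest)) == rest:
            survivors.add(nxt[0])
    return survivors

def predict_next(outputs):
    """Predicted value of the output following the observed ones, per surviving state."""
    return {outputs_from_state(s, len(outputs))[-1] for s in recover_state(outputs)}
```

Running `generate(777, 4)` and handing the result to `recover_state` and `predict_next` shows the point of the passage above: the prediction succeeds only because the code holds `E`, which exists solely because `Q` was constructed as `D*BASE_P`. Anyone who receives `Q` as an opaque constant, as ScreenOS users did, has no way to tell whether such a `D` exists, which is why replacing Juniper’s Q with one of the attacker’s own choosing is enough to make VPN traffic decryptable by that attacker and nobody else.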
2011 Concerns Not Tied To New Ones
The 2011 capabilities against Juniper described in the document do not appear to be connected to the recently uncovered vulnerabilities, according to Matt Blaze, director of the University of Pennsylvania’s Distributed Systems Lab and a cryptography researcher. The 2011 assessment notes that further reverse engineering might be needed as firmware revisions changed on the targeted NetScreen firewall models.
The exploit capabilities in the 2011 document are consistent with “FEEDTROUGH,” a program described in a 2007 document that Der Spiegel later published alongside an article, Blaze said.
The intelligence agencies repeatedly used the security holes identified in Juniper devices to penetrate them for surveillance, the document notes. Sharing of Juniper-related technology with the NSA improved dramatically during 2010, it adds, enabling the exploitation of several targeted networks where GCHQ had primary access.
A Complication And An Opportunity
Because Juniper is a U.S.-based firm, the assessment notes, targeting its technology presents both a complication and an opportunity. There is potential to leverage a corporate relationship with the NSA, if one exists, the document states, and any GCHQ attempt to exploit Juniper must begin with close coordination with the NSA.
GCHQ has an existing exploit capability against 13 Juniper models, all of which run ScreenOS, including the ISG2000, ISG1000, SSG140, SSG20, SSG5, NS5000, NS5200, NS208, NS204, NS500, N25 and NS5gt.
The agency was also developing a surveillance capability against the Juniper M320 router, which is designed for use by Internet providers.
The ability to exploit Juniper firewalls and routers will pay dividends for years, the document says.