NSA faces congressional probe over Juniper back door vulnerability
US lawmakers have launched an investigation following the discovery of unauthorized code in firewall software from Juniper Networks. The probe will examine the possibility that the software was altered by the National Security Agency.
Juniper warned its customers in December that a review of the code in their ScreenOS firewalls revealed an unauthorized “back door” into the software. The vulnerability was quickly patched, but questions about who inserted the illicit code remained unanswered.
Representative Will Hurd (R-Texas), who heads the technology subcommittee on the House Committee on Oversight and Government Reform, initially investigated the breach over worries that government agencies ‒ many of which use Juniper products ‒ may have been compromised.
However, Hurd told Reuters on Thursday that the committee would also investigate the origins of the attack to find if any intelligence agency such as the NSA played a role. Back doors were first linked to NSA because of the similarity of the technique used in the vulnerability’s code.
The random number generator used in the code is called a Dual Elliptic Curve, which is a signature technique of the NSA. Juniper has said that it will remove the technique entirely in future versions of its software.
If the NSA was indeed behind the vulnerability, then the discussion around policy should change, the congressman told Reuters.
"How do we understand the vulnerabilities that created this problem and ensure this kind of thing doesn't happen in the future?" Hurd said. "I don't think the government should be requesting anything that weakens the security of anything that is used by the federal government or American businesses."
Top US intelligence and law enforcement officials have long asked for a “golden key” back door to be installed on all hardware in the country in order bypass encryption under pretenses of national security concerns.
Silicon Valley companies are fiercely opposed to putting their customer data at risk in such a way, arguing that any master back door could be exploited by cyber criminals and foreign intelligence agencies.
“If the government lays a proper warrant on us today, then we will give the specific information that is requested, because we have to by law. In the case of encrypted information, we don’t have it to give,” Apple CEO Tim Cook said on ‘60 Minutes’ in December.
“If there’s a way to get in, then somebody will find a way to get in,” Cook continued. “There have been people that suggest that we should have a back door. But the reality is, if you put a back door in, that back door’s for everybody.”
Juniper discovered the unauthorized VPN-breaking code in December. It would give the attacker who infected the systems the ability to read email sent over connections that would appear secure. It’s unclear how the code entered Juniper’s systems to begin with.