In the post Edward Snowden era, the internet security industry has boomed. Companies like Juniper Networks have taken advantage of this, and offer network security software, as well as routers and firewalls. According to a post made on their blog, Juniper states they did an internal code review, and found “unauthorized code” in their ScreenOS operating system. ScreenOS is the software used to manage firewall devices made by the company.
The code in question allows VPN traffic to be decrypted. After finding it, Juniper launched an investigation, released a patch, and recommended that everyone update their systems with the highest priority. As opposed to just being a piece of inadvertent coding, it seems to have been deliberately placed in the software at some point. Other sources say that the company is unsure how the code got there, and it has been in place since at least 2012. Though they say there have been no violations and that this is just a precaution, that is the type of response we would expect.
Whereas some people may believe this statement, others may struggle with the message. It is difficult to believe that this coding “magically appeared” there, and stayed there for at least 4 years. It is safe to say that the NSA was at least partially responsible. Interestingly, Juniper’s timing appears to be off by a small amount. For the second largest security device manufacturer in the world to find this breach now, suggests a bigger issue.
Almost exactly 2 years ago, the international news site Der Speigel wrote an article about a leaked NSA toolkit catalog. In this article, they specifically mention Juniper, and some of the products affected. The question is, if you were the Chief Technology Officer (CTO) at Juniper Networks, and you became aware of this catalog, wouldn’t you review your coding and fix any issues immediately instead of waiting 2 years to announce it? Would you have the level of surprise that they are displaying?
Ultimately, if the NSA can create a backdoor like this, other hackers can exploit it. With their statement of nobody being affected, Juniper is either not revealing the real data, or that have been extremely fortunate. Levels of trust get questioned when a company that is supposedly dedicated to security has it’s own security flaws. Again, if you around these devices, make sure they get updated to the latest version before any more damage can be done.