Who Hid a Secret Back Door in Juniper’s Security Gear?

Was it maybe the NSA?

Has Juniper lost control of the operating systems running its security gear?

That’s the question everyone’s asking after the company disclosed that someone inserted code into the operating system of its Netscreen firewall and virtual private network products that would give an attacker the ability to capture and decrypt connections that are supposed to be secure.

Juniper said in a security disclosure issued last night that it discovered the rogue add-on during a routine review of its internal software code. Someone, somehow, inserted the renegade code, essentially creating a secret back door into Juniper’s products — a back door that only someone in the know would be able to use. Secret, that is, until now.

Firewalls protect corporate networks from outside attackers. And VPNs — or virtual private networks — are a mainstay of corporate IT environments. Companies and governments often require their use for employees when they travel or log in to office networks from home. VPNs create encrypted tunnels that shield a user’s connection while they’re on public networks like hotel Wi-Fi. Juniper’s operating system for its VPN and firewall products is called ScreenOS. The break-in means that the very thing meant to protect you has been compromised.

Juniper said nothing about who it suspects is responsible for the code (in theory, it should have some records of the changes occurring). But there are some enticing and as yet inconclusive hints about who might have done it.

One important tell here is that the back doors were found during a code review. Auditing software code for security vulnerabilities is in fashion these days, so I reached out to someone who knows a lot about that: Chris Wysopal is the CTO of Veracode, which offers a cloud-based service for scanning code for weaknesses.

“For code as critical as an OS, it is standard industry practice to have two sets of eyes on any code change,” he said by email. “Juniper should have a record of who this was. If they don’t know who this was, then they have lost control of the integrity of their OS.”

Wysopal’s observation pretty much gets to the heart of the matter. If Juniper doesn’t have a record of who changed its code, then how can it know that its code isn’t being changed by unauthorized parties all the time? I’ve asked Juniper to respond to that question and haven’t yet heard back.

The company says in its disclosure that four versions of ScreenOS are affected and require updates with patched versions of the software issued yesterday.

Also unclear is how the rogue code was inserted in the first place. Did the parties responsible break into Juniper’s internal systems? Or was it someone working internally on behalf of the attackers? There’s a wide range of plausible scenarios, about which Juniper’s disclosure thus far offers no clues.

This brings us back to a short list of possible suspects. The biggest one is the U.S. National Security Agency. Among the documents leaked from the NSA by way of the whistleblower Edward Snowden and first disclosed by the German magazine Der Spiegel was this: Feedthrough. It’s described in a catalog of devices and software used by an NSA division called ANT as a “persistence technique for two software implants … used against Juniper Netscreen Firewalls.”

Juniper’s disclosures describe two bits of inserted code. One allows an attacker aware of the inserted code to remotely access the hardware using common remote access tools. The second allows the attacker to “monitor and decrypt the traffic.” It sure sounds a lot like what’s described in the Feedthrough document.

There’s also no evidence, Juniper says in its disclosure documents, that anyone used the back door, but it seems like the sort of thing that would be impossible to know.

Juniper shareholders don’t seem bothered by the news: Juniper shares fell six cents to $29.05 by mid-morning, down only slightly. Security products amounted to about $464 million in sales during its 2014 fiscal year, or approximately 10 percent of its overall business.

This article originally appeared on Recode.net.
