NSA Helped UK Spies Find Juniper's Security Holes

A Top Secret document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear.

The six-page document, titled “Assessment of Intelligence Opportunity – Juniper,” raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed by Juniper last week. While it does not establish a certain link between GCHQ, NSA, and the Juniper hacks, it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the “NetScreen” line of security products, which help companies create online firewalls and virtual private networks, or VPNs. It further indicates that, also like the hackers, GCHQ’s capabilities clustered around an operating system called “ScreenOS,” which powers only a subset of products sold by Juniper, including the NetScreen line. Juniper’s other products, which include high-volume Internet routers, run a different operating system called JUNOS.

The possibility of links between the security holes and the intelligence agencies is particularly important given an ongoing debate in the U.S. and the UK over whether governments should have backdoors allowing access to encrypted data. Cryptographers and security researchers have raised the possibility that one of the newly discovered Juniper vulnerabilities stemmed from an encryption backdoor engineered by the NSA and co-opted by someone else. Meanwhile, U.S. officials are reviewing how the Juniper hacks could affect their own networks, putting them in the awkward position of scrambling to shore up their own encryption even as they criticize the growing use of encryption by others.

The author of the 2011 GCHQ document, an NSA employee who was working with GCHQ as part of an “Access Strategy Team,” takes a similarly adversarial view of encryption, referring to Juniper as a “threat” and a “target” because it provides technology to protect data from eavesdropping. Far from suggesting that security agencies should help U.S. and U.K. companies mend their digital defenses, the document says the agencies must “keep up with Juniper technology” in the pursuit of SIGINT, or signals intelligence.

“The threat comes from Juniper’s investment and emphasis on being a security leader,” the document says. “If the SIGINT community falls behind, it might take years to regain a Juniper firewall or router access capability if Juniper continues to rapidly increase their security.”

The document, provided by NSA whistleblower Edward Snowden, shines light on the agencies’ secret efforts to ensure they could monitor information as it flowed through Juniper’s products, which are used by Internet providers, banks, universities, and government agencies. It notes that while Juniper trails its competitors, it is a “technology leader” with gear “at the core of the Internet in many countries,” including several deemed to be high priority from a spying perspective: Pakistan, Yemen, and China.

Asked about the document, GCHQ issued a boilerplate response asserting that the agency does not comment on intelligence matters and complies with “a strict legal and policy framework.” The NSA could not immediately respond Tuesday. Juniper sent a written statement saying the company “operates with the highest of ethical standards, and is committed to maintaining the integrity, security, and quality of our products. As we’ve stated previously … it is against established Juniper policy to intentionally include ‘backdoors’ that would potentially compromise our products or put our customers at risk. Moreover, it is Juniper policy not to work with others to introduce vulnerabilities into our products.”

Juniper’s prominence and ubiquity similarly helped draw attention to the more recent hacks against the company, which first came to light Thursday, when the California firm revealed it had discovered “unauthorized code” in ScreenOS enabling two major vulnerabilities. One, first present in an August 2012 release of ScreenOS, could allow access to encrypted data transmitted over VPNs. The other, first surfacing in a December 2014 ScreenOS release, allows an attacker to remotely administer a firewall, thus leading to “complete compromise of the affected device,” according to Juniper. The vulnerabilities remained in versions of ScreenOS released through at least October of this year.

It is the earlier vulnerability, potentially allowing eavesdropping on VPNs, that has generated vigorous online discussion among computer security experts. Some, like Johns Hopkins professor Matthew Green and security researcher Ralf-Philipp Weinmann, have said that an attacker appears to have subverted a backdoor shown, in previously disclosed documents from Snowden, to have originated with the NSA. Specifically, the attacker seems to have tampered with a 32-byte value used to seed the generation of random numbers, numbers that are in turn used in the process of encrypting data in ScreenOS. ScreenOS uses the value as a parameter to a standard system for random number generation known as Dual Elliptic Curve Deterministic Random Bit Generator. The default 32-byte value in this standard is believed to have been generated by the NSA. Juniper said, in the wake of the Snowden revelations about the standard, that it had replaced this 32-byte value with its own “self-generated basis points.” So the attacker would have replaced Juniper’s replacement of the NSA 32-byte value.

Matt Blaze, a cryptographic researcher and director of the Distributed Systems Lab at the University of Pennsylvania, said the document contains clues that indicate the 2011 capabilities against Juniper are not connected to the recently discovered vulnerabilities. The 2011 assessment notes that “some reverse engineering may be required depending on firmware revisions” affecting targeted NetScreen firewall models. Blaze said this points away from the sort of ScreenOS compromise behind the more recent Juniper vulnerabilities.

“With the [recently discovered] backdoor, a firmware revision would either have the backdoor or it wouldn’t, and if it was removed, they’d have to do a lot more than ‘some reverse engineering’ to recover the capability,” Blaze said. “My guess from reading this is that the capabilities discussed here involved exploiting bugs and maybe supply chain attacks, rather than this [recently discovered] backdoor.”

Blaze said the exploit capabilities in the 2011 document seem consistent with a program called “FEEDTROUGH,” first revealed in a 2007 document published alongside an article in German newsweekly Der Spiegel.

Even if it outlines capabilities unconnected to the recently discovered Juniper hacks, the 2011 GCHQ assessment makes clear that the author was interested in expanding the agencies’ capabilities against Juniper. “The vast majority of current Juniper exploits are against firewalls running the ScreenOS operating system,” the author wrote. “An effort to ensure exploitation capability” against Juniper’s primary operating system, JUNOS, “should bear fruit against a wide range of Juniper products.”

The document suggests that the intelligence agencies successfully used the security holes they identified in Juniper’s devices to repeatedly penetrate them for surveillance, stating that “Juniper technology sharing with NSA improved dramatically during [calendar year] 2010 to exploit several target networks where GCHQ had access primacy.”

The assessment also notes that, because Juniper is a US-based company, there is both “opportunity and complication” in targeting its technology. “There is potential to leverage a corporate relationship should one exist with NSA,” it says, adding: “Any GCHQ efforts to exploit Juniper must begin with close coordination with NSA.”

It further states that GCHQ has a “current exploit capability” against 13 Juniper models, all of which run ScreenOS: NS5gt, N25, NS50, NS500, NS204, NS208, NS5200, NS5000, SSG5, SSG20, SSG140, ISG 1000, ISG 2000. It reveals that the agency was developing an additional surveillance capability to hack into high-capacity Juniper M320 routers, which were designed to be used by Internet service providers.

“The ability to exploit Juniper servers and firewalls,” the document says, “will pay many dividends over the years.”

The Intercept:http://http://bit.ly/1Sc2K9b

 

« US Agencies Freak Out Over Juniper Backdoor
Apple Opens Fire In Encryption Battle »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

ZM CIRT

ZM CIRT

ZM CIRT is the national Computer Incident Response Team for Zambia.

IABG

IABG

IABG offer independent, product-neutral consulting as well as technical and scientific services for the use of safety-relevant systems and technologies.

NuData Security

NuData Security

NuData Security, A Mastercard Company, is an award winning behavioral biometrics company.

Computest

Computest

Computest security testing services include Mobile app security, Vulnerability assessments, Attack & penetration testing, Security awareness training, Network security assessments.

Miradore

Miradore

Miradore is a software company specializing in effective, cloud-based device management. Our goal is to help IT Service Providers and IT departments secure and control devices.

TechRate

TechRate

Techrate is an analytics agency focused on blockchain technology and engineering. Or expertise includes security and technical audits of projects.

Yellow Brand Protection

Yellow Brand Protection

Yellow Brand Protection operates 24/7 to protect brands' Intellectual Property (IP) from infringements on all kinds of online distribution channels.

N8 Identity

N8 Identity

N8 Identity helps organizations realize the vision of Autonomous Identity Governance™ with AI-driven Identity solutions.

Cybeta

Cybeta

Cybeta's actionable cybersecurity intelligence keeps your business safe with strategic and operational security recommendations that prevent breaches.

Data#3 Limited (DTL)

Data#3 Limited (DTL)

Data#3 Limited (DTL) is a leading Australian IT services and solutions provider.

Digitale Gründerinitiative Oberpfalz (DGO)

Digitale Gründerinitiative Oberpfalz (DGO)

Digital Founder Initiative Oberpfalz's goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

11:11 Systems

11:11 Systems

11:11 Systems synchronizes every aspect of network services for your business. Build your network with the industry’s most trusted expert skills.

Zeta Sky

Zeta Sky

Zeta Sky offers a full range of IT and cyber-security services for your business.

IT Voice

IT Voice

IT Voice specializes in Managed IT and VoIP solutions. Our focus is simplifying the technology so our customers can stay focused on what they do best.

CorePLUS Technologies

CorePLUS Technologies

CorePlus solutions are designed to empower organizations with the tools they need to ensure the utmost protection for their assets, people, and information.