The fallout from the discovery of a “backdoor” in Juniper firewalls continues. Effectively, the vulnerability would allow attackers to decrypt traffic running through the virtual private network (VPN) on the company’s NetScreen firewalls.
Much of the focus – rightly – is on whether the backdoor was put there by the US intelligence services – and whether Juniper knew. The US Congress is to investigate, not least to discover if government agencies were impacted. The Pentagon has also been warning its defence contractors of the possible dangers.
This indicates the significance of the story for businesses. As this piece at WIRED points out, the first issue is that at least part of the vulnerability seems to be the work of sophisticated intelligence community hackers. (The British, Chinese, Israelis and US are all mentioned as suspects.) Regardless of the civil liberties concerns, such attacks and the resources behind them are hard for companies to defend against.
The second concern, however, is that this then opened the door for a wider vulnerability. Based on the patch delivered by Juniper in response to the news, one security firm was able to break the security in just six hours.
“We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor],” they told WIRED.
The problem is therefore not just that sophisticated government hackers are able to breach security measures (although the implication, since there were up to three backdoors, that more than one government could be involved is a worry); nor is it just the question over the extent to which Juniper was complicit in leaving the vulnerabilities in place – again, though, a key concern.
Arguably the biggest concern is that government-backed agencies – perhaps aided by the complicity of some IT suppliers – are unwittingly creating vulnerabilities that can be exploited by less sophisticated (and potentially more damaging) attackers.
As one former analyst at the British GCHQ put it, no backdoor is “bullet proof”. Or, to put it another way, “Whenever you build in access, you’re running a risk … that access will be misused.”
As many are pointing out, the Juniper debacle shows the danger of governments and security agencies pushing technology companies to put in access they can use to prevent criminals benefiting from encryption. It also should serve as a warning more widely that total security is increasingly a myth.