
Juniper Still Hasn’t Removed Backdoor Vulnerability from Its Software

Last month, Juniper Networks – a company that supplies security software to the likes of AT&T, Verizon, NATO, and the US Government – reported that it had found what it described as “unauthorised code” – effectively a backdoor – in its NetScreen firewall software. Through it, a third party could decrypt traffic sent over the firewall's encrypted VPN (Virtual Private Network), and the code had existed since at least 2012.

Now, Wired reports that Juniper has fallen silent on the matter, refusing to discuss the insecure random-number generator within the software that essentially allowed the backdoor to be inserted. Juniper refuses to explain why Dual_EC, a pseudo-random number generator, was included in NetScreen, or why it still exists within the software even after the backdoor revelation.

Stephen Checkoway, a Computer Science lecturer from the University of Chicago, discovered that Juniper knowingly added the insecure Dual_EC to its software, despite already having a more secure ANSI algorithm in place. Dual_EC was added to NetScreen version 6.2.0 in either 2008 or 2009, even though the weaknesses in Dual_EC had been publicly revealed in 2007.

Even more inexplicably, Juniper then changed the nonce (random number string) size within the algorithm from 20 bytes to 32 bytes. According to the research published in 2007, 32 bytes is the size that makes exploitation easiest for an attacker.

“The more output you see [from the generator], the better [it is to crack the encryption],” Checkoway said. “Anything you see over 30 bytes is very helpful. Anything you see less than 30 bytes makes the attack exponentially harder. So seeing 20 bytes makes the attack basically infeasible. Seeing 28 bytes makes it doable, but it takes an amount of time, maybe hours. Seeing 32 bytes makes it take fractions of a second.”
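As an added illustration of why the amount of generator output exposed in the nonce matters so much (this worked calculation is not part of the original article): each Dual_EC output block is derived from the 256-bit x-coordinate of a point on the P-256 curve, with the top 16 bits discarded, so a full block is 240 bits, or 30 bytes. Whoever holds the secret relationship between the generator's two constants still has to guess every bit of that x-coordinate that the nonce does not reveal, and the number of candidates grows by a factor of 256 for each byte withheld:

$$
N(k) = 2^{\,256 - 8k} \quad\text{for } k \le 30 \text{ bytes of one block seen,}
$$

$$
N(20) = 2^{96}, \qquad N(28) = 2^{32}, \qquad N(30) = 2^{16}.
$$

Bytes 31 and 32 belong to the next output block, so they do not shrink the search any further; they only confirm which of the remaining candidates is the real generator state. That is why, in Checkoway's figures, 20 bytes is infeasible, 28 bytes takes hours, and 32 bytes takes a fraction of a second. The defensive lesson is the same for any deterministic generator: the raw output of the DRBG should never be handed to a peer in the clear, and a generator with a known trapdoor structure should not be in the product at all.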

While it was Juniper that revealed the existence of this backdoor, it seems that Juniper also facilitated its creation, and it has done nothing to remove the underlying weakness since.

Ashley Allen
