The extent to which government opposition to, and willingness to undermine, encryption can dramatically backfire and make all of us less safe may just have been vividly demonstrated in the United States.
Last week, Juniper Networks revealed that it had discovered “unauthorised code” that affected the firewalls the company provides via its NetScreen products. The unauthorised code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections”.
On the positive side, Juniper deserves credit for publicly revealing the problem. On the negative side, NetScreen is used not merely by large corporations but, according to one outlet, by US government agencies like the Pentagon, the US Treasury and the Justice Department: that is, the very heart of the US security and economic establishment. CNN quoted a government source as saying it was akin to “stealing a master key to get into any government building”, which may be overstating the compromise but nonetheless indicates the magnitude of concerns.
The compromise is evidently highly sophisticated, which raises suspicions that state actors are involved — which means China is reflexively invoked as the source.
But how was the “unauthorised code” smuggled into NetScreen products? That’s a technically highly complex question (if you’re game, you can try this explainer) but a working hypothesis is that a flawed random number generator (RNG) was used to enable access — the RNG being a product designed by the National Security Agency. We know, from the Edward Snowden documents, that it was “backdoored” by the NSA and the United Kingdom’s GCHQ in order to enable those agencies to break into encrypted systems that use that type of RNG. In fact, it’s well established that the NSA has penetrated Juniper’s security systems, although Juniper denies it has ever colluded with US government agencies.
Two years ago we also learnt that Belgian telco Belgacom had been successfully broken into by GCHQ in order to gain access to the company’s VPN links. Belgacom, it seems, uses Juniper products.
It’s thus likely that the NSA and GCHQ are responsible for enabling access to Juniper’s products — and possibly for the “unauthorised code” that’s been inserted. It’s also possible another state actor has exploited the backdoor already created by NSA as part of its war on encryption to insert the code.
If the latter is the case, and the NSA’s own backdoor has been used to enable a massive breach of US government security, it would not merely be particularly ironic but a vivid demonstration of what so many security experts have been saying for so long — that undermining encryption ultimately makes us all less safe, that once you create an encryption backdoor others can use it just like you.
Is this an argument for only using open source software?
Utterly irresponsible and a compelling argument against giving ~anyone~ backdoor access to security. I only hope that our government (sitting and opposition) are listening and learn.
Is this an argument for only using open source software?
Not really. The flawed RNG mentioned, for example, was integrated into a number of open source projects. The truth is that security software development is complex and difficult no matter who is doing it.
>>The flawed RNG mentioned,
I suggest that is the usual technique of having a layered story to defend the actual asset.