What The Juniper Breach Teaches Us About The Domestic Dangers Of Backdoors

A common refrain amongst all the conversation about encryption the last few months has been the need for technical “backdoors” to be built into encryption and communications platforms that allow authorized law enforcement to intercept and monitor civilian communications. The argument goes that without such backdoors, criminal and terrorist actors will increasingly “go dark” using encryption to organize their activities and attacks. One commonly recommended solution is the weakening of encryption by inserting secret backdoors accessible only to law enforcement. In such a model all communications are encrypted to prevent criminal actors or foreign states from being able to listen to communications, but American law enforcement and their allies will be able to access such communications using a master decryption key.

Of course, the most immediate challenge to such arrangements is that they ignore the globalized state of encryption today and the fact that terror organizations are increasingly using foreign encryption systems that are beyond the reach of US legislation. It is unlikely for example that a Russian or Chinese encryption product would knowingly include a backdoor for the use of US intelligence services to be able to monitor their domestic citizens. More worryingly, the notion of who constitutes a “terrorist” or just what is defined as “illegal” content varies dramatically across the world.

As I noted last month, if the US were to mandate that backdoors be provided for US intelligence use in all communications hardware and software systems, from telecommunications equipment to social media sites, manufactured or headquartered in the US, every other country in the world would demand the same. Instead of a backdoor for only US use, China would certainly demand the ability to monitor US citizen communications in its country and abroad for counterterrorism purposes as well.

Yet, setting aside the globalization aspect, the recently discovered Juniper breach offers a powerful cautionary tale of the inadvertent dangers of backdoors in general. Much still remains unknown about the Juniper breach in terms of who constructed and inserted the backdoors and especially whether they were the work of the US Government or a foreign power, and whether they were all built by the same organization or different organizations building upon one another’s work.

What is known is that the NSA had certainly been hard at work building its own backdoors into Juniper products. A 2008 internal NSA catalog listed several exploits designed to provide interception backdoors into Juniper network equipment with the advertisement that the system “has been deployed on many target platforms.” Yet, the NSA system, called FEEDTHROUGH, is described as a firmware implant, whereas the current disclosures relate to modifications of the operating system itself, making them available on every affected Juniper system in the world.

The Intercept describes ongoing collaborations between the NSA and GCHQ specifically focused on vulnerabilities and backdoor capabilities for the Juniper product line, clustering around the same capabilities and models affected by the currently disclosed vulnerabilities. This has led to speculation that the recently discovered vulnerabilities were the product of an enterprising third party who extended and built upon earlier backdoor weaknesses inserted by the NSA. This is bolstered by the relative difficulty of detecting the primary backdoor, while the hardcoded administrative password is readily locatable.

Perhaps most frighteningly, Juniper itself notes that “a skilled attacker would likely remove [unauthorized login] entries from the log file, thus effectively eliminating any reliable signature that the device had been compromised … there is [therefore] no way to detect that this vulnerability was exploited.” Put another way, for most companies and other organizations, there is simply no way to go back to see whether anyone has actually exploited these vulnerabilities to penetrate their networks or monitor their VPN traffic.
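The only defense against an attacker who scrubs the on-box log is a second copy the device cannot rewrite. The script below is an added example, not code from the article or from Juniper: it assumes the appliance forwards authentication and configuration events over syslog to a write-only collector, and it diffs the local log against that off-box copy so that entries deleted on the device surface as a gap. The log format and the sample lines are constructed for the example.

```python
"""Cross-check an appliance's on-box log against an off-box syslog copy.

Added example (not from the article or from Juniper). Assumes the device
streams events to a remote collector the device itself cannot modify, so
an attacker who removes entries from the local file cannot also remove
them from the collector. Log format and sample lines are constructed.
"""
import re
from typing import Iterable, List, Set, Tuple

# Constructed line shape: "<ISO timestamp> <hostname> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.+)$")

Entry = Tuple[str, str, str]


def parse_log(lines: Iterable[str]) -> Set[Entry]:
    """Parse log lines into a set of (timestamp, host, message) tuples.

    Blank lines are skipped; a line that does not match the expected
    shape is rejected loudly rather than silently dropped, because a
    silently dropped line would look exactly like a scrubbed one.
    """
    entries: Set[Entry] = set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable log line: {line!r}")
        entries.add((match.group("ts"), match.group("host"), match.group("msg")))
    return entries


def find_scrubbed(local_lines: Iterable[str], remote_lines: Iterable[str]) -> List[Entry]:
    """Return entries the collector received but the device no longer has.

    Anything present off-box but absent on-box is evidence that the local
    file was edited after the event was emitted.
    """
    local = parse_log(local_lines)
    remote = parse_log(remote_lines)
    return sorted(remote - local)


# Constructed sample data: the collector saw four events, the device's own
# file retains only the two failed logins. The successful login and the
# follow-on configuration change were removed on the device.
REMOTE_LOG = """\
2015-12-17T10:00:01Z fw-edge-1 sshd: Failed password for admin from 198.51.100.7
2015-12-17T10:00:04Z fw-edge-1 sshd: Failed password for admin from 198.51.100.7
2015-12-17T10:00:09Z fw-edge-1 sshd: Accepted password for admin from 198.51.100.7
2015-12-17T10:01:30Z fw-edge-1 mgd: configuration committed by admin
"""

LOCAL_LOG = """\
2015-12-17T10:00:01Z fw-edge-1 sshd: Failed password for admin from 198.51.100.7
2015-12-17T10:00:04Z fw-edge-1 sshd: Failed password for admin from 198.51.100.7
"""


def report() -> List[Entry]:
    """Run the comparison on the sample data and print any gaps."""
    missing = find_scrubbed(LOCAL_LOG.splitlines(), REMOTE_LOG.splitlines())
    if not missing:
        print("on-box log matches collector copy")
    for ts, host, msg in missing:
        print(f"MISSING ON DEVICE: {ts} {host} {msg}")
    return missing


if __name__ == "__main__":
    report()
```

The comparison is set-based rather than positional so that benign reordering between the two copies does not produce false alarms; what it cannot catch is an event the device never emitted in the first place, which is why the forwarding has to be configured before the compromise, not after.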

The fact that these vulnerabilities were inserted several years ago and were only just detected also reinforces the dangers inherent in the incredible complexity of modern systems. It took just 145,000 lines of code for the Apollo 11 computer that put humans on the moon, while a modern smartphone is powered by 12 million lines and today’s cars can have 100 million or more lines of code. The Windows operating system is estimated at 50 million lines of code developed over more than 30 years, while Google’s infrastructure is believed to exceed 2 billion lines of code today. With such massive systems it becomes easier and easier for vulnerabilities and malicious code to be inserted and remain undetected for years.

The US Government has strenuously denied that it had any involvement in creating or distributing the current vulnerabilities, with officials commenting that it has been scrambling to determine the potential dangers to its own networks. If it is in fact the case that the US Government was caught entirely unaware and if, as some suspect, the vulnerability was built upon earlier weaknesses developed by the NSA, it offers a cautionary tale in how the backdoors and vulnerabilities we build to monitor the rest of the world can come back to haunt us in the end.

