Juniper Devices Are Under AttackCrypto Backdoor Leaves Banks, Businesses, Government Agencies at Risk
Devices sold by Juniper Networks are being actively targeted by attackers using a hardcoded password in the technology giant's ScreenOS firmware that researchers publicly revealed on Dec. 20 (see Who Backdoored Juniper's Code?).
See Also: Rethinking Response
The attacks follow Juniper first warning Dec. 17 that it had discovered "unauthorized code" that introduced two vulnerabilities into ScreenOS - a crypto flaw dating from 2012, and a hardcoded password dating from 2013. The firmware is used to run Juniper devices designed to provide firewalls and virtual public networks. And the vulnerabilities - patched Dec. 17 by Juniper - are a concern because numerous industries, including government agencies and the financial services sector, rely on Juniper devices for network defense.
Security experts recommend that any organization that uses affected Juniper devices drop everything and patch the vulnerable devices immediately. "The 'backdoor' password is now known, and exploitation is trivial at this point," says Johannes Ullrich, dean of research for the SANS Institute, in a blog post. "Addressing this issue today is critical."
Attackers are already gunning for the hardcoded password. "We do continue to see an increasing trend in login attempts to our [SSH] honeypot using the backdoor password," Ullrich says. "We do not know what the attackers are up to, but some of the attacks appear to be 'manual' in that we do see the attacker trying different commands."
Who Backdoored the Backdoor?
Juniper first warned Dec. 17 that an internal code review discovered "unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices" via SSH or telnet. The vulnerability has been designated as CVE-2015-7755. And Juniper also warned that a separate flaw - CVE-2015-7756, which predates the first - could potentially "allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic."
The backdoor-password flaw is straightforward: it can be used to give attackers access to vulnerable devices. But security experts and cryptographers are still attempting to unravel the implications of the VPN flaw, which Ralf-Philipp Weinmann, a research associate at the Interdisciplinary Center for Security, Reliability and Trust at the University of Luxembourg, says appears to have been the basis for a "backdoored backdoor."
By that, he means that one attacker appears to have added the VPN crypto vulnerability in the firmware. Subsequently, the hardcoded password appeared in the firmware, and could have been added by the same attack group, or a different one. In the latter - hypothetical - scenario, for example, the NSA could have added the VPN vulnerability, and a Russian intelligence agency might have added the backdoor password to make it easier to exploit the VPN flaw.
Can VPN Flaw Decrypt Historical Traffic?
Ullrich says it's not yet clear whether the VPN vulnerability must be exploited in real time, or if attackers could simply intercept and store the traffic - perhaps in the victim's own network - and decrypt it at a future date. "The reason that makes a difference is that an attacker may already have recorded traffic out of your network, that they exfiltrated years ago. They could now go back and decrypt that traffic," he says.
The Juniper software flaws could allow attackers to decrypt previously intercepted communications, warns Johannes Ullrich from the SANS Institute.
Danger: Weak Random-Number Generator
Analyzing the ScreenOS firmware, multiple cryptographers report that one problem with the VPN technology is that Juniper has been employing the random-number generator called Dual-EC. And they have been at a loss to explain why, since many security experts believe that the U.S. National Security Agency designed Dual-EC so that it could provide the agency with backdoor access, by generating numbers that weren't random enough.
"Pretty much every cryptographic system depends on a secure random number generator," John Hopkins University cryptographer Matthew Green says in a blog post. "These algorithms produce the unpredictable random bits that are consumed by cryptographic protocols. The key word in this description is unpredictable: if an attacker can predict the output of your RNG, then virtually everything you build on it will end up broken." That includes VPNs, which are designed to encrypt communications from one side of a VPN connection to another, for example between banks or government agencies.
"If an attacker can predict the output of the [pseudo random-number generator] then they can know the keys that one or both sides of a VPN connection will choose, and decrypt it," says Adam Langley, a Google senior staff software engineer, in a blog post.
Juniper is an Intelligence Target
Many security experts have noted that they have seen no evidence yet that documents who might have added the backdoors to Juniper's code. The NSA is an obvious potential culprit. Then again, anyone might have hacked into a Juniper developer's workstation and added code commits to the source code repository without their knowledge.
But many security experts do suspect that one or more intelligence agencies were involved. "The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the U.S., the Chinese, or the Israelis," Nicholas Weaver, a researcher at the International Computer Science Institute and the University of California at Berkeley, tells Wired.
While it's no smoking gun, the Intercept on Dec. 23 published a document - labeled "top secret" and dated February 2011 - revealing that Britain's GCHQ intelligence agency "has exploit capabilities against" 13 different Juniper NetScreen firewalls. GCHQ is Britain's sister agency to the NSA. Given that Juniper is a U.S.-based company, "any GCHQ efforts to exploit Juniper must begin with close coordination with NSA," the document warns, although details no related plans. It also advocates undertaking "an effort to ensure exploitation capability" against future Juniper devices and firmware versions.
The Intercept says the document was written by an NSA analyst who was working with a GCHQ team, and provided to it by NSA whistleblower Edward Snowden. GCHQ declined to comment on the story, while the NSA did not immediately respond to a request for comment.
The document apparently shows that GCHQ was interested in exploiting targets' Juniper firewalls and VPNs. But cryptographer Matt Blaze, director of the Distributed Systems Lab at the University of Pennsylvania, says the documented capabilities do not appear to relate to the ScreenOS backdoor that first appeared in the August 2012 release of Juniper's ScreenOS firmware. "My guess from reading this is that the capabilities discussed here involved exploiting bugs and maybe supply chain attacks, rather than this [recently discovered] backdoor," he tells the Intercept.
Why Crypto Backdoors Are Bad
One upside to the Juniper flaws is that they show why attempting to add backdoors to products can weaken security for everyone, says the operational security expert known as The Grugq.
Shout out to the unknown threat actor that demonstrated the problem with backdoors. You're the real hero!ï¿½ the grugq (@thegrugq) December 22, 2015
Green from Johns Hopkins says he hopes that message doesn't get lost on policymakers. "For the past several months I've been running around with various groups of technologists, doing everything I can to convince important people that ... the sky will fall if they act on some of the very bad, terrible ideas that are currently bouncing around Washington - namely, that our encryption systems should come equipped with 'backdoors' intended to allow law enforcement and national security agencies to access our communications," he says.
.@stewartbaker Backdoors are a beautiful target for attackers because they do most of the attacker's work for them. It will happen again.ï¿½ Matthew Green (@matthew_d_green) December 22, 2015
The Juniper vulnerabilities have now demonstrated exactly how encryption backdoors could be subverted by people with malicious intent. "A backdoor intended for law enforcement could somehow become a backdoor for people who we don't trust to read our messages," he says. "Normally when we talk about this, we're concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that."