Juniper Networks to ditch alleged NSA eavesdropping code

11 Jan, 2016

New security systems without the code will be shipped in first half of this year

Juniper Networks is dropping a piece of security code believed to have been developed by the US National Security Agency (NSA) for eavesdropping.

The company announced in December that it had found two backdoors, which appeared in 2012 and 2014, in software that relies on Dual Elliptic Curve (Dual EC) technology.

Hovav Shacham, one of the researchers at the University of California, San Diego, who discovered the vulnerability, said the one introduced in 2014 was quite straightforward, according to Reuters.

However, the 2012 code altered the mathematical constant in the company's Netscreen products, allowing the creator to eavesdrop on communications, Shacham and his team claimed.

A separate curve constant, required for some federal contracts and provided by the NSA, was exposed in the documents released by whistleblower Edward Snowden to be the key to the backdoor.

Questions about Dual EC were raised back in 2007, but Juniper decided to use it anyway the following year. The company issued a patch in December 2015 that reverted to this 2008 code; however, it is now set to remove the technology altogether.

While no culprit has been officially named, Nicholas Weaver, from the International Computer Science Institute and UC Berkeley, told Reuters that the NSA is a logical suspect for the development of the original 2008 backdoor, which may have been displaced in the 2012 and 2014 incidents by either top-level hackers or other countries' spy agencies.

In a blog post, Juniper Networks said: "After a detailed review, there is no evidence of any other unauthorised code in ScreenOS [the software used in Netscreen] nor have we found any evidence of unauthorised code in Junos OS [the primary Juniper OS]."

"After review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS," the company continued.

It then added: "We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.

"The investigation into the origin of the unauthorised code continues."