Juniper Networks to ditch alleged NSA eavesdropping code

New security systems without the code will be shipped in first half of this year

Juniper Networks is dropping a piece of security code believed to have been developed by the US National Security Agency (NSA) for eavesdropping.

The company announced in December that it had found two backdoors, which appeared in 2012 and 2014, in software that relies on Dual Elliptic Curve (Dual EC) technology.

Hovav Shacham, one of the researchers at the University of California, San Diego, who discovered the vulnerability, said the one introduced in 2014 was quite straightforward, according to Reuters.

However, the 2012 code altered the mathematical constant in the company's Netscreen products, allowing the creator to eavesdrop on communications, Shacham and his team claimed.

A separate curve constant, required for some federal contracts and provided by the NSA, was exposed in the documents released by whistleblower Edward Snowden as the key to the backdoor.

Questions about Dual EC were raised back in 2007, but Juniper decided to use it anyway the following year. The company issued a patch in December 2015, which reverted to this 2008 code; however, it is now set to remove the technology altogether.

While no culprit has been officially named, Nicholas Weaver, from the International Computer Science Institute and UC Berkeley, told Reuters that the NSA is a logical suspect for the development of the original 2008 backdoor, which may have been displaced in the 2012 and 2014 incidents by either top-level hackers or other countries' spy agencies.

In a blog post, Juniper Networks said: "After a detailed review, there is no evidence of any other unauthorised code in ScreenOS [the software used in Netscreen] nor have we found any evidence of unauthorised code in Junos OS [the primary Juniper OS]."

"After review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS," the company continued.

It then added: "We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.

"The investigation into the origin of the unauthorised code continues."
