Congress asks Juniper for the results of its 2015 NSA backdoor investigation

A group of 13 US government officials has sent an open letter today to networking equipment vendor Juniper Networks, asking the company to publish the results of its internal investigation into the origins of a suspected NSA backdoor mechanism discovered in its firewall products in late 2015.

“It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered,” the group wrote.

The group is seeking answers about what happened at Juniper behind closed doors and what made the company skip on publishing a public report, as it initially promised.

Their inquiry and letter come amid actions from Attorney General William Barr and other senior US government officials who’ve been seeking to pressure US technology companies to weaken their encryption and assist US government surveillance efforts.

“Juniper’s experiences can provide a valuable case study about the dangers of backdoors, as well as the apparent ease with which government backdoors can be covertly subverted by a sophisticated actor,” the US officials said.

Recap of the 2015 Juniper-NSA backdoor scandal

Details about a backdoor in Juniper products first came to light in December 2015. Members of the cyber-security community discovered what looked like a change of a secret access key inside the source code of ScreenOS, an operating system running on NetScreen, Juniper’s line of firewall and VPN products.

Following public pressure, Juniper later admitted that “unauthorized code” made its way into the ScreenOS source code, and that the unauthorized code could have allowed attackers to take over devices and decrypt VPN traffic.

While Juniper initially shied away from providing any details, members of the public cyber-security community later discovered that the unauthorized code referred to the use of Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) algorithm as the random number generator (RNG) component inside ScreenOS.

Dual_EC_DRBG is a lesser-known algorithm that was developed by the US National Security Agency (NSA) in 2006 and which received almost an immediate FIPS (Federal Information Processing Standards) certification despite some security experts warning that initial audits revealed signs of a potential backdoor mechanism.

However, despite criticism, Dual_EC_DRBG remained certified until 2013, until the Edward Snowden revelations, when the US National Institute of Standards and Technology (NIST) intervened to withdraw its FIPS certification.

But investigators discovered that Juniper quietly added support for Dual_EC_DRBG in 2008, and did not publicly disclose it in any subsequent audits and promotional material.

It was only after members of the public discovered that an unknown individual changed an access key associated with the Dual_EC_DRBG algorithm that Juniper admitted to the issue and promised to investigate the unauthorized code. But the company never published any in-depth report on the matter, despite the severity of the original accusations levied against it.

Now, the group of US officials wants answers. They want to know:

• Why didn’t Juniper publicly disclose that it was using Dual_EC_DRBG, as the company usually did with all the FIPS-certified algorithms?
• If the company was aware of the potential backdoor mechanism in Dual_EC_DRBG?
• Who were the Juniper employees who approved the addition and subsequent changes made in relation to the Dual_EC_DRBG?
• Who led the company’s investigation?
• What were the results of the investigation and if a written report was put together?
• If the report made any recommendations and if the company implemented any of them?

The group requested that Juniper provide answers to these questions by July 10, this year.

“The American people – and the companies and U.S. government agencies that trusted Juniper’s products with their sensitive data – still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security,” they said.