If a Close US Ally Backdoored Juniper, Would NSA Tell Congress?

You may have heard that Juniper Networks announced what amounts to a backdoor in its virtual private networks products. Here’s Kim Zetter’s accessible intro of what security researchers have learned so far. And here’s some technical background from Matthew Green.

As Zetter summarizes, the short story is that some used weaknesses encouraged by NSA to backdoor the security product protecting a lot of American businesses.

They did this by exploiting weaknesses the NSA allegedly placed in a government-approved encryption algorithm known as Dual_EC, a pseudo-random number generator that Juniper uses to encrypt traffic passing through the VPN in its NetScreen firewalls. But in addition to these inherent weaknesses, the attackers also relied on a mistake Juniper apparently made in configuring the VPN encryption scheme in its NetScreen devices, according to Weinmann and other cryptographers who examined the issue. This made it possible for the culprits to pull off their attack.

As Green describes, the key events probably happened at least as early as 2007 and 2012 (contrary to the presumption of surveillance hawk Stewart Baker looking to scapegoat those calling for more security). Which means this can’t be a response to the Snowden document strongly suggesting the NSA had pushed those weaknesses in Dual_EC.

I find that particularly interesting, because it suggests whoever did this either used public discussions about the weakness of Dual_EC, dating to 2007, to identify and exploit this weakness, or figured out what (it is presumed) the NSA was up to. That suggests two likely culprits for what has been assumed to be a state actor behind this: Israel (because it knows so much about NSA from having partnered on things like StuxNet) or Russia (which was getting records on the FiveEyes’ SIGINT activities from its Canadian spy, Jeffrey Delisle).  The UK would be another obvious guess, except an Intercept article describing how NSA helped UK backdoor Juniper suggests they used another method.

Which leads me back to an interesting change I noted between CISA — the bill passed by the Senate back in October — and OmniCISA — the version passed last week as part of the omnibus funding bill. OmniCISA still required the Intelligence Community to provide a report on the most dangerous hacking threats, especially state actors, to the Intelligence Committees. But it eliminated a report for the Foreign Relations Committees on the same topic. I joked at the time that that was probably to protect Israel, because no one wants to admit that Israel spies and has greater ability to do so by hacking than other nation-states, especially because it surely learns our methods by partnering with us to hack Iran.

Whoever hacked Juniper, the whole incident offers a remarkable lesson in the dangers of backdoors. Even as FBI demands a backdoor into Apple’s products, it is investigating who used a prior US-sponsored backdoor to do their own spying.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

26 replies
  1. orionATL says:

    reading the twitter site quickly, it seems s. baker avoided the core issue of nsa designing the core protection. sounds like he’s nsa designated public defender (for free?).

    kinda reminds me of doj’s david margolis.

    • orionATL says:

      from zetter’s article:

      “… The algorithm had recently been approved by the National Institute of Standards and Technology, along with three other random number generators, for inclusion in a standard that could be used to encrypt government classified communication…”

      and doesn’t the nis have some unspoken mandate to heed nsa’s concerns and advice?

      • orionATL says:


        […. The only problem with this is that major companies, like Cisco, RSA, and Juniper did use Dual_EC. The companies believed this was okay because for years no one in the security community could agree if the weakness in Dual_EC was actually an intentional backdoor. But in September 2013, the New York Times seemed to confirm this when it asserted that Top Secret memos leaked by Edward Snowden showed that the weaknesses in Dual_EC were intentional and had been created by the NSA as part of a $250-million, decade-long covert operation to weaken and undermine the integrity of encryption systems in general…]

        • orionATL says:

          so what is the connection outlined in #5 between a “decade-long project to undermine” run by the nsa

          and “big scare” comey’s teary public fears about encryption being a problem for the national police.

          seems like the u. s. government’s secret, and hence unevaluated and uncritized by extetnal experts, surveillance machine is flying apart like an iranian centrifuge.

          • haarmeyer says:

            I remember reading the articles on Dual_EC and the standard, and other documents around the time that the Times published that. The Times didn’t seem to have any information that others didn’t have, and seemed to have asserted the maliciousness on the basis of nothing but converting a “possible” over to a “did”.

            So I suspect the connection between that and Comey’ fears is non-existent.

            A more important question is about those who implement security code, what their process is, how the code is debugged, who has access to it, why if security flaws are presented they aren’t properly taken seriously, and so forth.

            My guess is that Juniper’s moves make total sense from the point of view that the patch has to fit in a firmware space. They upgrade constants, change software, but at the end of the day, they can’t update hardware without selling their clients new systems, and all the firmware they update has to be backwards-compatible and fit into the same cramped space. That all has to be balanced with not wanting everything security to be in software, and with nobody revisits code that seems to be working if the total amount of code is high, or the number of people who worked on it and are no longer there is high.

  2. haarmeyer says:

    Anybody else have a problem with the Zetter article web page? It put more than a gig of data, apparently advertising, on my machine while I was reading. Speaking of bugs.

  3. haarmeyer says:

    I’m still puzzling over two points about the description of this:
    1) How do you alter a company’s source code? Do you plant a developer, or break in at night, or break into their servers, or what? It seems like physical human espionage or an attack on the company is needed to do this at a very minimum.
    2) Why do they believe it had to be a state actor? Because of point (1)? That might be. But anyone who discovered the bug could have exploited it, how do you discover the bug without knowing it’s there?

    And I guess I have a third question: Does anyone know what the Q point introduced into the code is? Has it been compared to other Q points? Does anyone know how it was generated? It went undetected for quite a while and seems to have been found by a multiyear code review, so it has to have been a pretty good value.

    • emptywheel says:

      Re: the nation-state thing: aside from the source-code issue, it’s also that the underlying hack relies on owning switches, at least as I’ve read.

      • haarmeyer says:

        The encryption hack? It relies only on having the compromised Q value information (the exponent of Q in the equation Q^e = P with ^ meaning “to the power”). As pointed out by Ralf-Philipp Weinmann, the whole system is compromised just by this because of a bug in the code that is supposed to hand the output of the Dual_EC PRNG over to the ANSI X9.31 PRNG. That part really looks like a bug.

        The only way this needs anything else is to need a place to watch traffic from. Is that what you mean by needing control of switches? That’s more of an issue of what did they want to use the hack for than the hack itself.

        It really is worth subjecting the Q value chosen to some scrutiny. The original reason for fixed Q and P values was because they require sophistication to choose. Juniper chose the replacement Q when they protected their stuff from the NIST spec possible compromise. The hacker presumably chose the new one. Is it a “good” Q value — i.e. does it look like a legitimate choice? Was it generated by the same software that generated Juniper’s? Was it in any of Juniper’s pre-release versions of the fix? That kind of stuff. But presumably you would need to be inside Juniper to answer those questions and perhaps they already have.

  4. Rayne says:

    Re: orionATL at [3] above — This must be part of the NIST compromise that concerned Matthew Green as far back as SEP 2013.

    Re: emptywheel at [10] above — Wonder if this is the same backdoor NSA used on Syria’s internet on 29-NOV-2012, bricking the router on the way out?

    Wonder if some of the alleged submarine cable cuts have NOT been cable cuts, but messing around with network equipment at key points in a manner that mimicked cable cuts. Syria’s 2012 outage was attributed to a cable cut by Assad’s government early into the outage — an offshore outage might look very similar.

    Re: orionATL at [6] — Comey’s demands for backdoors would ensure end-to-end access. I’ll bet at user device level there already are backdoors, but they are thwarted once the content on the device enters encryption in an app inside an end-to-end encrypted network. Wonder if devices can be manipulated remotely by way of compromised networks, even location identified and monitored, but the content remains inaccessible…and this is Comey’s concern.
    WRT Juniper Networks — it’s important to remember JNPR’s roots. Founder Pradeep Sindhu left the Computer Science Lab of Xerox PARC to launch the company. Sindhu is still the company’s CTO. (PARC itself was initially funded by DARPA, NASA, USAF, possibly other govt agencies — government access may have trickled into JNPR from inception.)

    Should also note these key achievements from JNPR’s business history:
    May 2007 — M and T Series routing platforms became the first network routers to be certified for the Department of Defense Internet Protocol Version 6 (IPv6) Capable Approved Products List (APL)
    June 2007 — Juniper raised the bar with the industry’s most energy efficient multi-terabit T1600 Core Router
    December 2007 — Announced the Partner Solution Development Platform (PSDP), the first platform for customers and partner application development on a carrier-class network operating system

    These events make 2007 a particularly interesting year, offering:
    (1) evidence JNPR working closely with USDOD;
    (2) new product encouraging customers to refresh equipment;
    (3) framework released for embedding vulnerabilities across carriers.

    And by carriers, JNPR may mean more than telecommunications/ISPs — see their profile:

    The world’s top 100 service providers—the biggest and busiest wireline and wireless carriers, cable and satellite operators, content and Internet services providers, and cloud and data center providers—run on Juniper Networks. So do major banks and other global financial services organizations, seven of the eight largest stock exchanges in the world, national government agencies and U.S. federal organizations, healthcare and educational institutions, energy and utility companies, and 99 of the Fortune Global 100.

    I’m not convinced the guys blamed for JPMorgan Chase’s breach were anything but fall guys, knowing JNPR products may underpin the financial industry’s networks. Note when these guys launched their business.

  5. orionATL says:

    thanks rayne. experience is always invaluable.

    i know you watch (your part) of the stock market.

    i also recall juniper networks was a highly valued stock that plunged to earth in the tech stocks collapse years ago. i wondered yesterday if the then undisclosed juniper vulnerabilities on 07 and 12 coincided in any way with any notable upward tick in juniper stock, i. e., did jnet happen to get any bennies from gov?

  6. orionATL says:

    i’d be curious to know the role, if any, the cisa portion of the omnibus spending bill played in juniper networks decision to publicly announce its network security problems – referred to in computer tech jargon as a “backdoor” (in this case two back doors) – on dec 17.

    – can jupiter qualify immunity from civil suits under cisa

    – were situations like major security corporation juniper’s behind some of the publicly opaque reasoning supporting cisa legislation

    – what customed data must juniper turn over to the feds to qualify for immunity, solely a list of all its vpn clients or customer data from within each vpn (if juniper happened to have that stored)

    – was the haste and public opaqueness of the rationale for cisa intended to covertly protect the nsa and the nish from responsibility for engineering and authenticating the “dangerous” dual eliptical encryption system.

    • orionATL says:

      are researchers who discover problems with juniper and/or nsa/nist random number generators liable for penalty under cisa rules?

  7. Wrong Tree says:

    This post is just insane. In what universe is it possible to fantasize that Israelis or Russians did it while assuming that the guys who said they did it didn’t do it? The FEEDTROUGH documents are an admission against interest that would point any real investigation straight at NSA. There is not one facticule in either of the links inconsistent with that presumption. Juniper software QA will trivially identify the cutouts or NOCs who sabotaged their product in four or five sneaky but implausibly deniable steps. Any mall cop could walk the cat back from there. FBI will be tying themselves in hilarious knots to screw this slam-dunk up.

    • orionATL says:

      i’m inclined in the same direction.

      it seemed very curious to me how those writing or speaking publicly on this jupiter “security ptoblem” were so defferential to the nsa in terms of warranted suspicion.

      if someone gave me a list with all the russian criminal gangs, the chinese military hackers, the israeli criminal and govetnmental hackers (throw in the north koreans to boot), AND

      the nsa on it,

      i would pick nsa first (and maybe nsa/treasury second) working from offshore.

      who the hell would have the most interest in this info. who has a long history of collecting massive amounts of info on american individuals and institutions?

      • orionATL says:


        “i’m inclined in the same direction.” does not refer to the post above that initiated this discussion. that post is pure reporting.

        it refers instead to what seemed to me to be an astonishing obliviousness by analysts of the juniper problem to the elephant in the room.

  8. thatvisionthing says:

    “Juniper, Juniper, Juniper. Juniper, Juniper, Juniper.” In the Snowden NSA spy catalog in the Der Spiegel story that Jacob Appelbaum gave the talk (“To Protect and Infect, the Militarization of the Internet”) about in December 2013.
    Hope I remember how to do a blockquote; supplemental info at end of long post at Naked Capitalism:


    Where to look for specific names in In Der Spiegel‘s NSA spy gear catalog Interactive Graphic :



    The catalog specs were dated 2008-2009, and you can look through them here:

    Beyond that, I know nothing. Hi all!

Comments are closed.