The extent to which government opposition to, and willingness to undermine, encryption can dramatically backfire and make all of us less safe may just have been vividly demonstrated in the United States.
Last week, Juniper Networks revealed that it had discovered “unauthorised code” that affected the firewalls the company provides via its NetScreen products. The unauthorised code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections”.
On the positive side, Juniper deserves credit for publicly revealing the problem. On the negative side, NetScreen is used not merely by large corporations but, according to one outlet, US government agencies like the Pentagon, the US Treasury, the Justice Department. That is, the very heart of the US security and economic establishment. CNN quoted a government source as saying it was akin to “stealing a master key to get into any government building”, which may be overstating the compromise but nonetheless indicates the magnitude of concerns.
The compromise is evidently highly sophisticated, which raises suspicions state actors are involved — which means China is reflexively invoked as the source.
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
But how was the “unauthorised code” smuggled into NetScreen products? That’s a technically highly complex question (if you’re game, you can try this explainer) but a working hypothesis is that a flawed random number generator (RNG) was used to enable access — the RNG being a product designed by the National Security Agency. We know, from the Edward Snowden documents, it was “backdoored” by the NSA and the United Kingdom’s GCHQ in order to enable those agencies to break into encrypted systems that use that type of RNG. In fact, it’s well established that the NSA has penetrated Juniper’s security systems, although Juniper denies it has ever colluded with US government agencies.
It’s thus likely that the NSA and GCHQ are responsible for enabling access to Juniper’s products — and possibly for the “unauthorised code” that’s been inserted. It’s also possible another state actor has exploited the backdoor already created by NSA as part of its war on encryption to insert the code.
If the latter is the case, and the NSA’s own backdoor has been used to enable a massive breach of US government security, it would not merely be particularly ironic but a vivid demonstration of what so many security experts have been saying for so long — that undermining encryption ultimately makes us all less safe, that once you create an encryption backdoor others can use it just like you.