Last week a story broke about how a popular system for managing firewalls contained some unauthorised code that was capable of decrypting traffic [here]. The story broke the week before Christmas, so it is likely to have been lost in all the shopping hype. The announcement by Juniper Networks suggests that this code portion was present in files released as early as 2012 [announcement].
Affected versions of the software include:
- ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20
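As an added example (not from the original post and not Juniper's own tooling), here is a small Python check that parses ScreenOS version strings of the form major.minor.patchrN and flags which devices in an inventory fall inside the two affected ranges listed above. The inventory and its hostnames are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Affected ScreenOS ranges from the advisory quoted above (both ends inclusive).
AFFECTED_RANGES = [
    ("6.2.0r15", "6.2.0r18"),
    ("6.3.0r12", "6.3.0r20"),
]

# Strict major.minor.patch + 'r' + release number scheme; anything else is
# deliberately rejected so it gets reviewed by hand rather than assumed safe.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '6.3.0r12' into (6, 3, 0, 12); return None if the string does not fit."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if outside, None if unparseable."""
    parsed = parse_screenos_version(version)
    if parsed is None:
        return None
    for lo, hi in AFFECTED_RANGES:
        if parse_screenos_version(lo) <= parsed <= parse_screenos_version(hi):
            return True
    return False


def triage_inventory(inventory: List[Tuple[str, str]]) -> dict:
    """Sort (hostname, version) pairs into affected / clean / unknown buckets."""
    result = {"affected": [], "clean": [], "unknown": []}
    for host, version in inventory:
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "clean")
        result[key].append(host)
    return result


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0r17"),   # inside 6.3.0r12..r20 -> affected
    ("fw-edge-02", "6.3.0r21"),   # one release past the range -> clean
    ("fw-dc-01", "6.2.0r15"),     # first release of the 6.2.0 range -> affected
    ("fw-dc-02", "6.2.0r14"),     # one release before the range -> clean
    ("fw-lab-01", "n/a"),         # unparseable entry -> unknown, review manually
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```

Unparseable entries are reported separately rather than counted as clean, so a device whose version string is missing or non-standard is not silently passed over.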
Juniper Networks clients include BT, Verizon, Peer1, NTT & Cox Communications [source]. Many of these companies service security firms, other governmental agencies and consulates.
Why is this code there?
It’s unclear at the moment how the code got in there. The rumour mill is of course spinning: while it is unlikely to have been someone inside the organisation, perhaps it was an external company or a governmental agency.
In 2014 a story broke, based on documents leaked by Edward Snowden, that the NSA was intercepting Cisco routers in transit and ‘upgrading’ them. NSA employees were actively intercepting deliveries of servers, routers and other network gear: they temporarily held gear being shipped to organisations targeted for surveillance, installed covert firmware onto it, and then let it be delivered. These backdoors then gave the NSA trojan-horse-style access. This came under the so-called Tailored Access Operations (TAO).
Here’s how they worked
Here’s how it works: shipments of computer network devices (servers, routers, etc.) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.
Back in 2013 Der Spiegel reported on an NSA operation known as FEEDTROUGH. FEEDTROUGH worked specifically against Juniper firewalls and gave the agency persistent backdoor access.
So is this another conspiracy waiting to happen? Whatever it is, one thing we are sure of is that 2016 will contain many more interesting security briefs.