Government officials keep asking technology companies to put encryption backdoors in their products. But the saga of the Juniper VPN backdoor is an object lesson on how attackers can use this avenue for nefarious purposes.

Last week, Juniper Networks announced that during a routine internal audit, it had found unauthorized code in ScreenOS, the operating system used in products including firewalls and VPN gateways. The spying code would allow someone monitoring VPN traffic flowing through NetScreen to decrypt the traffic and monitor all communications. A second vulnerability provides attackers with administrator access to NetScreen devices via a hard-coded master password. Security researchers believe a backdoor was already present in Juniper's code, and unknown attackers simply took advantage of it.

"Some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional -- you be the judge! They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone -- maybe a foreign government -- was able to decrypt Juniper traffic in the U.S. and around the world," Matthew Green, a noted cryptography expert and a professor at Johns Hopkins University, wrote in a blog post.

Several security experts immediately pointed out the parallels between Juniper's backdoor code and increasingly strident calls from the federal government about installing backdoors into tech products. FBI director James Comey and other law enforcement officials have criticized technology companies who give users control over the encryption keys, since that means companies cannot turn over user data when ordered to do so. The government has urged companies like Apple and Google to make it possible for government to get access to user data when necessary through methods like shared cryptographic keys, key escrow, or a backdoor.

Experts have argued that a backdoor cannot be restricted, and anyone would be able to take advantage of it for their own purposes.

"Many of us hard-core technologists in the corporate sector have been warning the government for years (sometimes decades) about the hazards of backdoors like the one recently exploited in Juniper's products," said Gary McGraw, CTO of Cigital.

Details of the VPN backdoor

Cryptography experts analyzed the VPN issue and found that Juniper's ScreenOS used Dual_EC_DRBG as the foundation for cryptographic operations. Shortly after the National Institute of Standards and Technology set Dual_EC as a standard back in 2007, Microsoft researchers Dan Shumow and Neils Ferguson disclosed weaknesses in the standard that could serve as a backdoor. Reports based on documents stolen by former Booz-Allen Hamilton consultant and NSA contractor Edward Snowden suggest the National Security Agency intentionally engineered the weakness as part of project BULLRUN.

For Juniper, it appears an unknown party subverted the backdoor code by changing parameters sometime in 2012. They made no major code changes, but they didn't have to: The existing backdoor let them eavesdrop on connections created by NetScreen, a high-end enterprise VPN appliance used worldwide.

One way to think about the backdoor is to consider it as having two parts, Green said on Twitter. One part is installing a second keyhole on the door to override the door's normal lock. The second is to install a particular lock cylinder into that keyhole. What the attackers did in this case was replace that lock cylinder (which the NSA had engineered) with a lock cylinder of their own. But that wouldn't have been possible if the door hadn't been fitted with a second "backdoor" keyhole in the first place, Green said.

"A backdoor intended for law enforcement could somehow become a backdoor for people who we don't trust to read our messages," Green warned.

Paving the way for attackers

The modified code in Juniper NetScreen is exactly the kind of situation you would worry about happening in a "deliberately backdoored system," Green said. Dual EC was safe as long as developers assumed there was no bug anywhere in the code. Juniper thought it had taken adequate precautions to mitigate the weaknesses in Dual EC. The fact is their safeguards had a flaw.

Cryptographic backdoors are one of the best ways for attackers to break into systems. "[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes," Green said.

In the past, when security experts warned about the dangers of creating a backdoor, they've focused on storage failures, such as how escrow keys are secured. The Juniper incident illustrates that the danger is much broader and more serious than simple storage mistakes.

"Engineering a product to be secure is hard enough without intentionally designing in an Achilles' heel," McGraw said. "FBI Director Comey's stance is wrong. If we want real security, we must properly build security in without breaking it on the white board."