Encryption backdoors have been a hot topic in the last few years—and the controversial issue got even hotter after the terrorist attacks in Paris and San Bernardino, when it dominated media headlines. It even came up during this week's Republican presidential candidate debate. But despite all the attention focused on backdoors lately, no one noticed that someone had quietly installed backdoors three years ago in a core piece of networking equipment used to protect corporate and government systems around the world.

On Thursday, tech giant Juniper Networks revealed in a startling announcement that it had found "unauthorized" code embedded in an operating system running on some of its firewalls.

The code, which appears to have been in multiple versions of the company's ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software. It also would allow attackers, if they had ample resources and skills, to separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls.

"During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Bob Worrall, the company's CIO, wrote in a post. "Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."

Juniper released patches for the software yesterday and advised customers to install them immediately, noting that firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable. Release notes for 6.2.0r15 show that version being released in September 2012, while release notes for 6.3.0r12 show that the latter version was issued in August 2012.
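A quick way to triage a firewall inventory against the version ranges listed above, as an added example that is not Juniper's code. The hostnames and inventory are constructed, and returning "review" for suffixed or unparseable strings is a conservative assumption, since the article lists only the plain release numbers.

```python
import re

# Affected ranges exactly as listed in the article:
# (major, minor, patch) -> (first affected "r" release, last affected "r" release)
VULNERABLE = {(6, 2, 0): (15, 18), (6, 3, 0): (12, 20)}

# ScreenOS version strings look like "6.3.0r17"; anything after the r-number
# is captured as a suffix so it can be handled separately.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)r(\d+)(\S*)\s*$", re.IGNORECASE)


def classify(version):
    """Return 'vulnerable', 'not-listed' or 'review' for a ScreenOS version string."""
    m = _VERSION.match(version)
    if not m:
        return "review"  # unparseable input is never silently treated as safe
    train = tuple(int(g) for g in m.group(1, 2, 3))
    release, suffix = int(m.group(4)), m.group(5)
    bounds = VULNERABLE.get(train)
    # Compare release numbers as integers: as strings, "9" would sort after "12".
    in_range = bounds is not None and bounds[0] <= release <= bounds[1]
    if in_range and suffix:
        return "review"  # suffixed build: the article's list does not cover it
    return "vulnerable" if in_range else "not-listed"


def triage(inventory):
    """Map each hostname to its classification, given hostname -> version string."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory for illustration only.
INVENTORY = {
    "fw-edge-01": "6.3.0r17",
    "fw-edge-02": "6.3.0r21",
    "fw-branch-07": "6.2.0r15",
    "fw-lab-03": "6.3.0r17b",
    "fw-old-11": "6.3.0r9",
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:14} {INVENTORY[host]:10} {status}")
```

"not-listed" means only that the version falls outside the ranges quoted in this article; it is not a statement that the build is free of other issues.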

The security community is particularly alarmed because at least one of the backdoors appears to be the work of a sophisticated nation-state attacker.

"The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the US, the Chinese, or the Israelis," says Nicholas Weaver, a researcher at the International Computer Science Institute and UC Berkeley. "You need to have wiretaps on the internet for that to be a valuable change to make [in the software]."

But the backdoors are also a concern because one of them—a hardcoded master password left behind in Juniper's software by the attackers—will now allow anyone else to take command of Juniper firewalls that administrators have not yet patched, once the attackers have figured out the password by examining Juniper's code.

Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, said the patch released by Juniper provides hints about where the master password backdoor is located in the software. By reverse-engineering the firmware on a Juniper firewall, analysts at his company found the password in just six hours.

"Once you know there is a backdoor there, ... the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software," he told WIRED. "We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor]."

But Juniper's announcement and patches raise another concern: nation-state attackers other than the culprits who installed the backdoors, if they have intercepted and stored encrypted VPN traffic running through Juniper's firewalls in the past, may now be able to decrypt it, Prins says, by analyzing Juniper's patches and figuring out how the initial attackers were using the backdoor to decrypt it.

"If other state actors are intercepting VPN traffic from those VPN devices, … they will be able to go back in history and be able to decrypt this kind of traffic," he says.

Weaver says this depends on the exact nature of the VPN backdoor. "If it was something like the Dual EC, the backdoor doesn't actually get you in, ... you also need to know the secret. But if it's something like creating a weak key, then anybody who has captured all traffic can decrypt." Dual EC is a reference to an encryption algorithm that the NSA is believed to have backdoored in the past to make it weaker. This factor, along with knowledge of a secret key, would allow the agency to undermine the algorithm.

Matt Blaze, a cryptographic researcher and professor at the University of Pennsylvania, agrees that the ability to decrypt already-collected Juniper VPN traffic depends on certain factors, but cites a different reason.

"If the VPN backdoor doesn't require you to use the other remote-access [password] backdoor first," then it would be possible to decrypt historical traffic that had been captured, he says. "But I can imagine designing a backdoor in which I have to log into the box using the remote-access backdoor in order to enable the backdoor that lets me decrypt intercepted traffic."

A page on Juniper's web site does appear to show that it's using the weak Dual EC algorithm in some products, though Matthew Green, a cryptography professor at Johns Hopkins University, says it's still unclear if this is the source of the VPN issue in Juniper's firewalls.

Juniper released two announcements about the problem on Thursday. In a second, more technical advisory, the company described two sets of unauthorized code in the software, which created two backdoors that worked independently of one another, suggesting the password backdoor and the VPN backdoor aren't connected. A Juniper spokeswoman refused to answer questions beyond what was already said in the released statements.

Regardless of the precise nature of the VPN backdoor, the issues raised by this latest incident highlight precisely why security experts and companies like Apple and Google have been arguing against installing encryption backdoors in devices and software to give the US government access to protected communication.

"This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire," Prins says.

Green says the hypothetical threat around NSA backdoors has always been: What if someone repurposed them against us? If Juniper did use Dual EC, an algorithm long known to be vulnerable, and this is part of the backdoor in question, it underscores that threat of repurposing by other actors even more.

"The use of Dual EC in ScreenOS ... should make us at least consider the possibility that this may have happened," he told WIRED.

Two Backdoors

The first backdoor Juniper found would give an attacker administrative-level or root privileges over the firewalls—essentially the highest level of access on a system—when accessing the firewalls remotely via SSH or telnet channels. "Exploitation of this vulnerability can lead to complete compromise of the affected system," Juniper noted.

Although the firewall's log files would show a suspicious entry for someone gaining access over SSH or Telnet, the log would only provide a cryptic message that it was the "system" that had logged on successfully with a password. And Juniper noted that a skilled attacker would likely remove even this cryptic entry from log files to further eliminate any indication that the device had been compromised.

The second backdoor would effectively allow an attacker who has already intercepted VPN traffic passing through the Juniper firewalls to decrypt the traffic without knowing the decryption keys. Juniper said that it had no evidence that this vulnerability had been exploited, but also noted that, "There is no way to detect that this vulnerability was exploited."

Juniper is the second largest maker of networking equipment after Cisco. The Juniper firewalls in question have two functions. The first is to ensure that the right connections have access to a company or government agency's network; the other is to provide secured VPN access to remote workers or others with authorized access to the network. The ScreenOS software running on Juniper firewalls was initially designed by NetScreen, a company that Juniper acquired in 2004. But the versions affected by the backdoors were released under Juniper's watch, eight years after that acquisition.

The company said it discovered the backdoors during an internal code review, but it didn't say if this was a routine review or if it had examined the code specifically after receiving a tip that something suspicious was in it.

Speculation in the security community about who might have installed the unauthorized code centers on the NSA, though it could have been another nation-state actor with similar capabilities, such as the UK, China, Russia, or even Israel.

Prins thinks both backdoors were installed by the same actor, but also notes that the hardcoded master password giving the attackers remote access to the firewalls was too easy to find once they knew it was there. He expects the NSA would not have been so sloppy.

Weaver says it's possible there were two culprits. "It could very well be that the crypto backdoor was [done by] the NSA but the remote-access backdoor was the Chinese or the French or the Israelis or anybody," he told WIRED.

NSA documents released to media in the past show that the agency has put a lot of effort into compromising Juniper firewalls and those made by other companies.

An NSA spy tool catalogue leaked to Der Spiegel in 2013 described a sophisticated NSA implant known as FEEDTROUGH that was designed to maintain a persistent backdoor in Juniper firewalls. FEEDTROUGH, Der Spiegel wrote, "burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers…." It's also designed to remain on systems even after they're rebooted or the operating system on them is upgraded. According to the NSA documents, FEEDTROUGH had "been deployed on many target platforms."

FEEDTROUGH, however, appears to be something different than the unauthorized code Juniper describes in its advisories. FEEDTROUGH is a firmware implant—a kind of "aftermarket" spy tool installed on specific targeted devices in the field or before they're delivered to customers. The unauthorized code Juniper found in its software was embedded in the operating system itself and would have infected every customer who purchased products containing the compromised versions of the software.

Naturally, some in the community have questioned whether these were backdoors that Juniper had voluntarily installed for a specific government and decided to disclose only after it became apparent that the backdoor had been discovered by others. But Juniper was quick to dispel those allegations. "Juniper Networks takes allegations of this nature very seriously," the company said in a statement. "To be clear, we do not work with governments or anyone else to purposely introduce weaknesses or vulnerabilities into our products… Once this code was discovered we worked to produce a fix and notify customers of the issues."

Prins says the larger concern now is whether other firewall manufacturers have been compromised in a similar manner. "I hope that other vendors like Cisco and Checkpoint are also now starting a process to review their code to see if they have backdoors inserted," he said.