An NSA back door in Juniper network devices is said to have been discovered and used by another state, as reported by the Reuters news agency, which was able to see a statement from the manufacturer to the US Congress. The US intelligence agency NSA claims to have learned from the incident, but, when asked by US Senator Ron Wyden, it does not want to say what.
According to the Juniper statement, a national government has also used the mechanism originally created by the NSA. The mechanism is said to be the Dual EC DRBG random number generator, created by the NSA and standardized by NIST. It was integrated into Juniper products between 2008 and 2009 at the request of a single customer (it can be assumed that this was the NSA), and it enables encrypted connections, for example VPNs, to be read by means of certain parameters.
As has now become known, an unidentified state is said to be responsible for the change to this parameter that came to light in 2015. Juniper then changed the parameter back again. It is believed that the first parameter is used by the NSA for decryption, while the second was used by another state. In 2015, another backdoor, a fixed SSH password, was also discovered in some versions of Juniper’s ScreenOS operating system.
“Backdoors are a threat to national security,” Wyden told the news agency. It is only a matter of time before they are exploited by foreign hackers or criminals.
NSA: We learned from it – but can no longer find the files
After another state had also used the back door, the NSA claims to have written a lessons-learned report, which it can no longer find following a request from Senator Wyden. In addition, as a result of the Snowden leaks, the intelligence agency is said to have drawn up new rules for dealing with back doors.
But the NSA does not even want to inform the senators of the key changes in these guidelines. Three former senior intelligence officials told Reuters that the new rules involve an assessment of the potential impact of a back door if it were discovered and used by adversaries.
Juniper is not alone with the back door: the random number generator was used as the default in software from RSA, after the NSA paid the company 10 million US dollars for it. The NSA also works with other companies to exfiltrate data, including telecommunications providers such as Verizon and corporations such as Google, Apple, Facebook and Microsoft, for example via the Prism surveillance program.