Juniper landed in hot water late last year after some of its networking gear was found to be carrying code that allowed attackers to eavesdrop on traffic sent through virtual private networks (VPNs). According to analysts, the code is likely to have been developed by the National Security Agency (NSA) to conduct spying activities. Juniper has now said it will update the software in the affected products to fix the issue.
The unauthorised code was sitting in the ScreenOS software used in Juniper’s Netscreen enterprise firewall/VPN offerings and allowed attackers to decrypt encrypted traffic passing through. After the code was discovered last month, Juniper went into damage control as security researchers proved that the component in question, the Dual_EC_DRBG cryptographic algorithm in ScreenOS, can indeed be exploited by attackers.
In response, Juniper has said in a blog post that it will fix the issue by removing the spying code in its Netscreen line of products:
We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.
This incident has been a huge blow to Juniper’s reputation. It remains to be seen whether this move will help it regain the trust of its customers.
[Via Reuters]
Comments
5 responses to “Juniper Removes Spying Code From Networking Products”
If I was a company I would never touch them again.
Makes you wonder what other vendors the NSA have been able to incorporate their code into that we aren’t aware of yet.
That’s what I have been thinking about as well. Juniper may be one of the first major companies to be found with spying code in their products but I don’t think it will be the last.
Yeah exactly. I think it’s safe to assume that they have access to pretty much every piece of software/hardware which would benefit their cause. I was just thinking how scary/fucked it would be if they had hacked into a SIM manufacturer, but then found this:
http://time.com/3722150/nsa-sim-cards/
What disappoints me is that the NSA are still operating BAU without corporations and countries demanding action. I don’t think I’ve come across any articles yet outlining specific NSA staff who have been tried and sentenced to jail.
Is this legal under US law? Why hasn’t it triggered a massive investigation?
What makes you think the NSA gives a shit if it’s legal or ethical? “National security” is the excuse for ignoring the law. Stuxnet, Snowden, Assange, I could go on. The same cultural mindset is the cause of their gun issues. It’s ok if I do it coz I’m the good guy.