Posted by Kevin on March 14, 2016.
In December 2015 Juniper disclosed that it had found two backdoors in its firewalls – one of which allows encrypted traffic passing through the device to be decrypted. Since then there has been considerable debate over what the backdoor is and where it came from, but very little debate over its implications. A Chatham House Rule discussion among CISO members of Wisegate about the implications of the Juniper backdoor is the basis for this podcast.
First – a little background. The backdoor is based on the flawed Dual EC random number generator (Dual EC DRBG) promoted by the NSA. Although Juniper knew of this flaw and took steps intended to eliminate it, coding errors and omissions left it open. Someone at some time gained access to the code and, activating the flaw, inserted the backdoor. It isn’t known who that was.
Nevertheless, a vote among Wisegate members showed an overwhelming belief that it was probably the NSA, or at least an NSA partner (such as GCHQ doing it to give the NSA deniability). No one suspects it was a foreign government, and no one suspects it was Juniper operating for Juniper – although this leaves open the possibility that it was Juniper operating for the NSA or another three-letter agency.
So, working on the assumption, rightly or wrongly, that this backdoor was planted for the benefit of the US government, what are the implications? Does it matter? Well, the general feeling is that yes, it does matter. It’s a question of trust. We are asked to blindly trust the values of third parties; we are asked to trust in the security and morality of vendors. This is bad enough today, but it will become critical with the explosion of connected devices in the Internet of Things. Our lives will become intertwined with thousands of devices, all collecting personal information from us. If we ignore backdoors in large systems, we will almost certainly ignore them in thousands of small devices.
A separate practical concern was also raised. If this is an NSA backdoor, what are the implications for Safe Harbor and the US use of European personal data? Now it has to be said that most of the CISOs were not too concerned. Their belief is that since they had taken steps to encrypt the data, and since they knew nothing about the backdoor – and provided they take the necessary steps to protect the data after learning about the backdoor – then they remain compliant with European data protection legislation.
But it may not be that simple. The European Court’s 2015 decision striking down Safe Harbor seemed at least somewhat dependent on the assumption that the NSA would come calling. Even in our current discussion there was a general feeling that companies should expect governments to backdoor domestically produced devices. So is there an assumption that US devices can be accessed by the NSA? If that assumption is generally accepted, then it is not much of a stretch to see the European Court effectively banning the use of US devices in order to remain compliant with European law. It’s not likely, but it is possible; and security is about making contingency plans for the possible.
At the very least, the CISOs suggested, it raises trust issues between the US and foreign nations. Some countries are indeed already banning the use of US products; and even friendly nations are arguing or insisting that national data does not leave national boundaries. US tech companies are rushing to build new data centers within Europe to comply – but even that won’t be enough if the US government is able to demand, and get, unencrypted data from US companies.
So what can be done? Sadly, very little. Companies themselves do not have the resources to reverse engineer the hundreds of thousands of lines of code in the products they use. They are forced into a reactive position, waiting for researchers or the vendors themselves to find and disclose the backdoors. But there was one optimistic thought: ten years ago companies were very poor at discovering APT attacks simply because they hadn’t known about them. Today, defense against APTs is much better, because we have learned how to look for them. The same is likely to happen with backdoors. We haven’t found them because we weren’t looking. In the future, now that we know they are there, we will become much better at detecting them.