Two vulnerabilities in widely used networking software made by Sunnyvale’s Juniper Networks reveal both the power — and the risk — of building backdoors into encryption.
One of the vulnerabilities disclosed by the company this month could be used to eavesdrop into virtual private network connections — theoretically secure connections often used by companies to conduct remote business. The other could allow attackers to gain access to certain Juniper devices.The VPN loophole that could allow outsiders to spy on communications carries some clues of state-sponsored hacking, Ralf-Philipp Weinmann, the founder and CEO of German consulting firm Comsecuris, wrote in a blog post. Whoever discovered the loophole exploited a random number generator for encrypting information based on an algorithm created by the National Security Agency.
Such problems pose huge risks to companies like Juniper Networks, whose customers trust it for secure communications. They also reveal a potential downside to an increasingly popular sentiment — one calling for Silicon Valley to grant authorities carte blanche in monitoring secure communication.
Such calls have intensified after mass murders in Paris and San Bernardino.
Typically, the debate about encryption has focused on escrow keys. Proponents of greater surveillance have suggested that companies lock user data but give law enforcement access keys when appropriate, Matthew Green, an assistant professor at Johns Hopkins University’s Department of Computer Science, wrote in a blog post.
But the Juniper issue is more like an open window than a locked door. Anyone who noticed it could sneak in.
“Normally when we talk about this, we’re concerned about failures in storage of things like escrow keys,” wrote Green. “What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.”
If Silicon Valley creates any kind of secret path for law enforcement to decrypt data, there’s no guarantee that authorities are the only ones who will find their way in. Criminals, terrorists or, most likely, people working in intelligence for other countries could stumble across the same passageway.
In the Juniper case, it’s not clear who, if anyone, got in.
“When you put a mechanism to weaken your encryption,” said Steven Bellovin, a computer science professor at Columbia University, “you don’t know who is going to find a way to use that against you.”