
Juniper Networks to ditch alleged NSA eavesdropping code

New security systems without the code will be shipped in first half of this year


Juniper Networks is dropping a piece of security code believed to have been developed by the US National Security Agency (NSA) for eavesdropping.

The company announced in December that it had found two backdoors, introduced in 2012 and 2014, in software that relies on Dual Elliptic Curve (Dual EC) technology.

Hovav Shacham, one of the researchers at the University of California, San Diego, who discovered the vulnerability, said the one introduced in 2014 was quite straightforward, according to Reuters.

However, the 2012 code altered the mathematical constant in the company's Netscreen products, allowing the creator to eavesdrop on communications, Shacham and his team claimed.

A separate curve constant, provided by the NSA and required for some federal contracts, was revealed in the documents released by whistleblower Edward Snowden to be the key to the backdoor.

Questions about Dual EC were raised back in 2007, but Juniper decided to use it anyway the following year. The company issued a patch in December 2015 that reverted to the 2008 code; however, it is now set to remove the technology altogether.

While no culprit has been officially named, Nicholas Weaver, from the International Computer Science Institute and UC Berkeley, told Reuters that the NSA is a logical suspect for the development of the original 2008 backdoor, which may have been displaced in the 2012 and 2014 incidents by either top-level hackers or other countries' spy agencies.

In a blog post, Juniper Networks said: "After a detailed review, there is no evidence of any other unauthorised code in ScreenOS [the software used in Netscreen] nor have we found any evidence of unauthorised code in Junos OS [the primary Juniper OS]."

"After review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS," the company continued.

It then added: "We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.

"The investigation into the origin of the unauthorised code continues."
