Government officials keep asking technology companies to put encryption backdoors in their products. But the saga of the Juniper VPN backdoor is an object lesson on how attackers can use this avenue for nefarious purposes.
Last week, Juniper Networks announced that during a routine internal audit, it had found unauthorized code in ScreenOS, the operating system used in products including firewalls and VPN gateways. The spying code would allow someone monitoring VPN traffic flowing through NetScreen to decrypt the traffic and monitor all communications. A second vulnerability provides attackers with administrator access to NetScreen devices via a hard-coded master password. Security researchers believe a backdoor was already present in Juniper’s code, and unknown attackers simply took advantage of it.
