The Juniper backdoor discovered during the company’s own internal audit this past week has left many American citizens in shock as to how a company with such protective firewall SSL VPN technology could be surprised about a backdoor that has been open to exploit for the last 3 years (since 2012). A new document has surfaced, courtesy of former NSA contractor Edward Snowden, that shows the British intelligence agency GCHQ has been aware of firewall vulnerabilities in Juniper’s devices for some time and has had access to 13 Juniper firewall models.
The document, titled “Assessment of Intelligence Opportunity-Juniper,” discusses not only Juniper’s role in intelligence but also current Juniper firewall models that have been exploited and do have back doors that are recognized by British intelligence. In the section titled “Currently exploit capability,” the GCHQ lists 13 different firewall models that are vulnerable to hack attacks, all of which run NetScreen OS as opposed to the company’s own in-house JUNOS (Juniper OS) – such as the NS50, NS500, NS204, NS5000, and others. The Juniper M320 router serves as a firewall device of particular interest to British intelligence, a device that, at the time of the issued document, had yet to succumb to backdoor attempts: “M320 is currently being worked on and we would expect to have full support by the end of 2010,” the document says.
British intelligence also says within the document that the key to exploiting the networks would be to start with exploitation of the routers.
British intelligence names Juniper and the NSA in close relationship
The most condemnatory part of the GCHQ document pertains to the stated rule about how to best penetrate Juniper devices: cooperate with the NSA. This can be found in the section titled “Assessment of Potential Opportunity”:
Juniper carries a potential opportunity and complication to being a US company. There is potential to leverage a corporate relationship should one exist with NSA. Any GCHQ efforts to exploit Juniper must begin with close coordination with NSA.
This quote deserves some serious consideration. After all, notice that the British intelligence says that “efforts to exploit Juniper must begin with close coordination with NSA.” In other words, 1) the British intelligence wants to exploit Juniper, 2) Juniper is hackable and its devices have software vulnerabilities, and 3) the NSA has to be notified of any intent to exploit Juniper devices – meaning that the NSA would potentially approve of any backdoor access to Juniper devices, even if it meant putting innocent citizens at risk of identity theft or the leaking of personal information that could negatively harm them down the line.
In other words, if Juniper devices contain vulnerabilities and back doors, then the NSA has to know where those back doors are and how to penetrate them. What British intelligence does here is it implicates the NSA in the crime of possibly planting the back door into Juniper’s firewall that was detected by the company this past week. With that said, it doesn’t matter as much if the NSA planted it or not; what matters is that the NSA knows where the back doors are, how to gain access to them, and how to extract information. The fact that the NSA would team up and grant the British government access means that the NSA is intentionally keeping those back doors open for their own purposes. In the case of the current back door implantation, the NSA has been holding the knowledge that the back door existed to itself for three years. There’s no telling how many exploitations the NSA has committed in Juniper devices as a result of this secret knowledge it has kept to itself.
In short, Juniper seems to be rather innocent in its detection of a back door, but the NSA isn’t. The fact that the GCHQ said it “must” coordinate its Juniper back door invasion with the NSA implicates the NSA in cybercrime. It would be interesting to know just how much cybercrime has been stopped as a result of the NSA’s morally reprehensible activities.