A key House committee is probing the use, across the U.S. government, of Juniper Networks firewalls now known to have been hacked.
Last month, the company announced the discovery of unauthorized code in its technology that could allow an "attacker to gain administrative access" to certain devices and "decrypt VPN connections."
Security analysts and a leak by ex-intelligence contractor Edward Snowden soon raised questions about whether the National Security Agency bugged the gear to decode foreign correspondence.
Republicans and Democrats on the Oversight and Government Reform Committee have requested that 24 departments and agencies provide lawmakers with an inventory of their affected "ScreenOS" Juniper products as well as the dates they fixed the identified security flaws.
"So that the committee may better understand the extent of the ScreenOS vulnerabilities and related effects on the cybersecurity posture of federal agencies that use" the tools, "please provide the following documents and information as soon as possible," reads a Jan. 21 letter sent to the departments of Commerce, Defense, State, as well as NASA, the Nuclear Regulatory Commission and the other federal agencies.
The agencies must turn over documents showing:
- Whether they used the compromised Juniper programs
- How they "discovered the vulnerability and if any corrective measures were taken prior" to deploying a software patch issued Dec. 20, 2015
- The program versions used
- The date they installed the patch
Following accusations that NSA was somehow involved in the compromises, Juniper said late on Jan. 8 that it would stop relying on Dual Elliptic Curve (Dual EC), a U.S. government-standardized random number generator that ScreenOS had been using to produce the random values behind its VPN keys; anyone who can predict that generator's output can reconstruct the keys.
Cryptographers had shown in 2007 that whoever chose the generator's fixed constants could predict its output, and Snowden documents released in 2013 indicated NSA had shaped the standard so that it could exploit that weakness.
Concerns over the U.S. government tampering with Americans' firewalls add to the debate about the FBI's push to place backdoors in encryption products, which the bureau justifies by pointing out that criminals also use encryption to hide their communications.
Juniper's networking technology is deployed in governments and companies the world over.
For instance, Kaspersky Labs, the Russian anti-malware vendor, partnered with Juniper in 2004 to protect the Kremlin's networks.
Juniper plans to release new software that removes the Dual Elliptic Curve algorithm in the first half of 2016, Bob Worrall, the company's chief information officer, said in a blog post.
Reuters reported that the move came a day after a presentation at Stanford University by cryptographers who found Juniper's code had been changed during 2008 to enable spying on users' virtual private network sessions.
According to The Intercept, a top secret February 2011 document leaked by Snowden describes how NSA's British counterpart GCHQ, with the cooperation of NSA, knew how "to covertly exploit security vulnerabilities in 13 different models of firewalls" made by Juniper.
After Juniper's December 2015 disclosure, researchers also documented two code changes that could allow adversaries to break the encryption.
One, made in 2012, replaced one of the two fixed curve points the Dual EC generator depends on; the researchers believe whoever chose the replacement value could use it to recover VPN session keys and eavesdrop. "The second was made in 2014 and made it possible for anyone who knew a hard-coded password to decrypt communications," Ars Technica reported.
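To make concrete what swapping a "mathematical constant" buys an attacker, here is a toy model of the Dual EC generator. It is an added illustration written for this page, not code from Juniper, ScreenOS or the researchers; the curve, the points P and Q, the trapdoor value d and the seed are all made up and far too small for real use. Dual EC steps a state s through two fixed curve points: the next state is the x-coordinate of s*P, and the published block is the x-coordinate of s*Q with its high bits dropped. If whoever picked the points knows a d with P = d*Q, a single published block (an IKE nonce, say) is enough to recover the next state and predict every later output; the constant reported altered in 2012 is the point Q. The toy fixes Q and derives P = d*Q, which is the same relation the standard's fixed P and a chosen Q would satisfy.

```python
"""Toy Dual EC generator on a tiny curve, showing why the fixed point Q matters.
Constructed for illustration only: toy curve, toy parameters, made-up seed.
Not ScreenOS code; the curve is far too small for any real use."""

P_MOD = 1000003            # field prime, chosen so P_MOD % 4 == 3 (easy square roots)
A, B = 2, 3                # curve y^2 = x^3 + A*x + B over GF(P_MOD)
TRUNC_BITS = 16            # the generator publishes only the low 16 bits of each block
MASK = (1 << TRUNC_BITS) - 1
INF = None                 # point at infinity

def ec_add(p1, p2):
    """Affine point addition, handling doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def x_of(pt):
    if pt is INF:
        raise ValueError("hit the point at infinity; pick a different toy seed")
    return pt[0]

def lift_x(x):
    """A curve point with x-coordinate x, or None if x^3 + Ax + B is not a square."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)           # valid because P_MOD % 4 == 3
    return (x, y) if (y * y) % P_MOD == rhs else None

def first_point(start_x):
    """Scan upward from start_x for any point on the curve."""
    pt = lift_x(start_x)
    while pt is None:
        start_x += 1
        pt = lift_x(start_x)
    return pt

class DualEC:
    """Dual EC state machine: s <- x(s*P), then publish x(s*Q) truncated."""
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next_block(self):
        self.s = x_of(ec_mul(self.s, self.P))
        return x_of(ec_mul(self.s, self.Q)) & MASK

def predict_from_state(s, P, Q, n):
    """The next n published blocks of a generator whose internal state is s."""
    out = []
    for _ in range(n):
        out.append(x_of(ec_mul(s, Q)) & MASK)
        s = x_of(ec_mul(s, P))
    return out

def candidate_states(block, d):
    """Trapdoor step. With P == d*Q, a published block x(s*Q) lifts to +/-(s*Q),
    and d times that point is +/-(s*P), whose x-coordinate is the generator's
    NEXT state. Truncation hides the high bits, so every value is tried."""
    found = []
    for high in range((P_MOD >> TRUNC_BITS) + 1):
        r = (high << TRUNC_BITS) | block
        if r >= P_MOD:
            continue
        R = lift_x(r)
        if R is None:
            continue
        S = ec_mul(d, R)
        if S is not INF:
            found.append(S[0])
    return found

def break_generator(observed, d, P, Q):
    """Recover the state that produced observed[1] from observed[0], using the
    later blocks to discard wrong lifts. None if no single state fits."""
    survivors = [s for s in candidate_states(observed[0], d)
                 if predict_from_state(s, P, Q, len(observed) - 1) == observed[1:]]
    return survivors[0] if len(survivors) == 1 else None

def toy_params():
    """Q looks like any public point; P is secretly d*Q (hypothetical trapdoor d)."""
    Q = first_point(5)
    d = 123457
    return ec_mul(d, Q), Q, d

if __name__ == "__main__":
    P, Q, d = toy_params()
    gen = DualEC(seed=424242, P=P, Q=Q)
    seen = [gen.next_block() for _ in range(3)]       # e.g. three nonces captured on the wire
    state = break_generator(seen, d, P, Q)
    future = [gen.next_block() for _ in range(4)]
    predicted = predict_from_state(state, P, Q, 6)[2:]
    print("predicted", predicted, "actual", future, "match:", predicted == future)
    print("same blocks, wrong trapdoor:", break_generator(seen, d + 1, P, Q))
```

Two things carry over to the real generator: the attack needs only a handful of consecutive published blocks and the trapdoor scalar, and without that scalar (the `d + 1` call) the same blocks yield nothing. Whoever replaced Q in 2012 either knew the corresponding scalar or had no reason to make the change.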
A committee official told Nextgov in an email that lawmakers have not received any responses from the agencies. The federal government has been closed since Jan. 22 because of a blizzard that shut down transportation and, in many cases, power along the East Coast.