This article was published on December 22, 2015

A nightmare example of why any government backdoor access is terrible



As the US and UK governments’ push to get backdoor access to encrypted phones, computers and other devices moves forward, we just got the best example of why to avoid backdoors altogether.

This week, Juniper discovered that someone had added malicious code within its firewall devices running ScreenOS that allowed anyone with a specific password to break into affected devices undetected.

It’s hard to illustrate just how much this matters, because while Juniper is an enormous company that you probably use to get online every day, it’s also entirely boring.

What matters is this: someone modified software on a public company’s network equipment, without its knowledge, and it was wide open for years, undetectable and able to monitor all traffic that came past.

Juniper hasn’t publicly named where the code came from — whether it be an internal or external actor — but signs point toward an NSA program called FEEDTROUGH for monitoring Juniper devices, although some anonymous reports deny this is the case.

When the news broke that Juniper had discovered the flaw and the company released a patch, it took researchers just three days to find the password needed to attack unpatched devices.

Now that the password is out there, anyone can attack and exploit networks protected by a NetScreen device without detection. If the backdoor was put there by the government, it’s put every organization using Juniper’s affected devices at risk of cyberattack.

This is the biggest reason the government must not be allowed to force backdoors into encryption, or anything else. Tim Cook, CEO of Apple, has repeatedly said that any backdoor that’s added for “the good guys” can be equally exploited by “the bad guys.”

The Juniper breach is our best example of this in practice, even if it happened without the company’s knowledge. Once discovered, the backdoor could rapidly be exploited by anyone in a catastrophic, undetectable way.

If the government were to succeed in forcing companies to add encryption backdoors, it’s unlikely it could keep the methods secret if it can’t even keep the TSA master keys off the internet.

Encryption is one of our strongest assets for maintaining privacy, and ensuring that people aren’t snooping on our devices.

As the government debate intensifies, we must not give in, and should actively vote against any measure that would force backdoors on our devices.
