Last month, network hardware maker Juniper revealed that it had found unauthorized code in its firmware that could be exploited to gain administrative access to connected devices. The announcement raised alarms because Juniper gear is widely used in network infrastructure across the globe.
A document shared by whistleblower Edward Snowden showed that the NSA was aware of vulnerabilities in Juniper products at least since 2011.
On Friday, the company said it would stop using a piece of security code found in its ScreenOS firmware that analysts believe was developed by the NSA in order to snoop on users’ Web traffic through Juniper hardware.
In a forum post, Juniper said:
We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products (which powers most of Juniper’s current products). We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.
The company’s statement comes a day after cryptography researchers from the University of California, San Diego presented findings at a Stanford University conference which showed that Juniper’s code had been altered in multiple ways in 2008 to enable eavesdropping on users’ virtual private network sessions.
The research team didn’t name any suspects connected to the code changes, but Reuters reports that Nicholas Weaver of the International Computer Science Institute, said the NSA might have been responsible.
Juniper said it will continue to investigate the matter. But it remains to be seen whether its customers will trust the company to deliver secure hardware in the new year.
➤ Advancing the Security of Juniper Products [Juniper via Reuters]
Get the TNW newsletter
Get the most important tech news in your inbox each week.