Two vulnerabilities were found in Juniper Network's virtual private network (VPN), ones which could have allowed hackers to spy on data that was considered secure, researchers have said on Wednesday.
The vulnerabilities, which were first discovered on December 17 this year, were present for three years, and the data passing through the VPN was there for the taking for everyone, including foreign governments and criminal groups.
Seth Rosenblatt, managing editor of the security and privacy site the Parallax, confirmed the vulnerabilities to The Guardian: “Whoever planted it would have access to all the VPN traffic,” he said. “Data that the VPN user thought was protected from prying eyes may have been spied on.”
US officials worry that this might have been the work of a foreign government, looking to spy on US institutions and companies. According to the CNN, the FBI is conducting an investigation.
One U.S. official described it as akin to "stealing a master key to get into any government building."
A senior administration official told CNN, "We are aware of the vulnerabilities recently announced by Juniper. The Department of Homeland Security has been and remains in close touch with the company. The administration remains committed to enhancing our national cybersecurity by raising our cyber defenses, disrupting adversary activity, and effectively responding to incidents when they occur."
Juniper’s clients include the US government, including the Defense Department, Justice Department, and Treasury Department – as well as the FBI.
There will be no finger-pointing before the investigation is complete, the authorities say, but China and Russia are the first suspects. The US government, as well, has not been excluded.