Juniper Networks stated late on Friday evening (8 Jan 2016) that it will no longer be using a segment of security code purported to have been developed by the National Security Agency (NSA) for the purpose of eavesdropping on clients' VPN connections.
The code in question is based on Dual Elliptic Curve technology, and Juniper has stressed that it will be replaced during the 1st quarter of 2016 with a version that is considerably more secure. The Silicon Valley-based company claims the new secure code will rely on greater numbers than those generated through the flawed Dual Elliptic Curve technology.
The company’s statement came a day after researchers at Stanford University revealed that Juniper’s security code had been altered in numerous ways during 2008, which would have enabled eavesdropping of supposedly secure VPN connections.
Last month Juniper admitted that it had detected unauthorised code dating back to 2012 and 2014 that enabled back door access to the devices based on a simple password.
Researcher Hovav Shacham of the University of California, San Diego, said, “The 2014 back door was straightforward, allowing anyone with the right password to see everything.
The 2012 code changed a mathematical constant in Juniper's NetScreen products that should have allowed its author to eavesdrop.”
Juniper's initial patch had gotten rid of that constant in Dual Elliptic Curve and replaced it with the version it had been using since 2008. However, the fallout of such a catastrophic failure could have dire results for one of the most respected names in network security.