Juniper Networks is dropping a piece of security code believed to have been developed by the US National Security Agency (NSA) for eavesdropping.
The company announced in December that it had found two backdoors in software that relies on Dual Elliptic Curve (Dual EC) technology, which appeared in 2012 and 2014.
Hovav Shacham, one of the researchers at the University of California, San Diego, who discovered the vulnerability, said the one introduced in 2014 was quite straightforward, according to Reuters.
However, the 2012 code altered the mathematical constant in the company's Netscreen products, allowing the creator to eavesdrop on communications, Shacham and his team claimed.
A separate curve constant, required for some federal contracts and provided by the NSA, was exposed in the documents released by whistleblower Edward Snowden to be the key to the backdoor.
Questions about DEC were raised back in 2007, but Juniper decided to use it anyway the following year. The company issued a patch back in December 2015, which reverted back to this 2008 code, however it is now set to remove the technology all together.
While no culprit has been officially named, Nicholas Weaver, from the International Computer Science Institute and UC Berkley, told Reuters that the NSA is a logical suspect for the development of the original 2008 backdoor, which may have been displaced in the 2012 and 2014 incidences by either top-level hackers or other countries' spy agencies.
In a blog post, Juniper Networks said: "After a detailed review, there is no evidence of any other unauthorised code in ScreenOS [the software used in Netscreen] nor have we found any evidence of unauthorised code in Junos OS [the primary Juniper OS]."
"After review of commentary from security researchers and through our own continued analysis, we have identified additional changed Juniper will make to ScreenOS," the company continued.
It then added: "We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed accross our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS oftware release, which will be made available in the first half of 2016.
"The investigation into the origin of the unauthorised code continues."
-
NSA issues guidance on encrypted DNS usageNews The US National Security Agency warns enterprises not to use third-party DNS resolvers
-
If you're surprised the NSA can hack your computer, you need a reality checkOpinion We’ve reached a situation where OSes are so complex, they're impossible to secure
-
Shadow Broker exploit dumps five million cyber attacksNews Kaspersky: Hacking tool leaks fuel cyber criminal activity
-
The NSA is sharing projects on GitHub
News Some of the projects are outdated, but could prove useful to some open source developers
-
AT&T and NSA collaborated on "vast" surveillance programNews Documents reveal the two organisations have been working together for decades
-
NSA phone spying was illegal, rules US courtNews Patriot Act does not cover bulk data collection, says Court of Appeals
-
Ex-NSA director: Support for insecure cryptography tool "regrettable"
News The solution was riddled with backdoors but was pushed to businesses regardless
-
Edward Snowden awarded three-year Russian permitNews The former US intelligence contractor is working in an IT-related job, although he has a modest living
