Last month Juniper, the maker of network hardware, revealed that it had discovered unauthorised code in its systems’ firmware that could be maliciously exploited to gain admin access to connected devices. The announcement caused a high-profile stir because the company’s equipment is widely used in network infrastructure all over the world.
Soon afterwards, a document shared by Edward Snowden indicated that the NSA had known of vulnerabilities in Juniper products since at least 2011.
On Friday this week, the company said it would stop using certain security code in its ScreenOS firmware – the code that analysts say the NSA was using to snoop on web traffic passing through Juniper hardware.
In its forums, Juniper stated that:
We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products (which powers most of Juniper’s current products). We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.
That statement comes just days after researchers from the University of California presented findings that the firm’s code had been altered many times since 2008 to allow eavesdropping on users’ virtual private network communications.
The team did not, however, name any suspects who may have altered the code, but Reuters reports that Nicholas Weaver of the International Computer Science Institute claims the NSA could have been responsible.
Juniper is said to be continuing to investigate. However, will its customers now trust the company to release secure hardware?