After Juniper security mess, Cisco searches own gear for backdoors

While it says it has no reason to think there are backdoors in any of its products, Cisco has started an additional code review looking for “malicious modifications” after Juniper’s announcement that its ScreenOS operating system has been vulnerable for years.

“Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience,” according to the Cisco Security blog written by Anthony Grieco, senior director of the company’s Security and Trust Organization. The company says it will release its findings in accordance with its security vulnerability policy.

Juniper’s problem is within its ScreenOS operating system, which is confined to some Juniper products, but Cisco has been mentioned in speculation about how ScreenOS was corrupted.

Documents stolen by Edward Snowden said the NSA had backdoored Juniper gear, as well as Cisco gear. Speculation that the unauthorized code Juniper was patching was placed there by the NSA led some to wonder whether the documents’ assertions about Cisco were true. Grieco says the company has received questions from customers related to the Juniper breach.

“We have seen none of the indicators discussed in Juniper’s disclosure,” he writes. He says the company employs rigorous development practices, and that code is scrutinized by Cisco engineers, third-party researchers and customers. “Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk.”

Grieco says Cisco has a no-backdoor policy which bans undisclosed means to access devices, hardcoded or undocumented access credentials, covert communications channels and undocumented diversion of traffic.

The additional review was entirely Cisco’s idea, he writes: “We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request.” If Cisco receives credible reports about possible issues, it will investigate them and disclose its findings if they have implications for customers.

IDG News Service
