Firewall Backdoors: Current Trends in Security Vulnerabilities Remind Companies to Use Multiple Layers of Protection
Most companies implicitly trust their security vendors to provide complete protection of their network. The problem with this way of thinking is that even security companies make mistakes. The past few months have shown that these mistakes can leave entire internal networks exposed to outside threats. In these cases, the threats involved hardcoded backdoors added to security software code.
How Were These Backdoors Injected into Secure Systems?
Routers have remote management capabilities that allow administrators to connect from their desktops to the router’s configuration console. These remote connections are encrypted and require an official administrator password. These passwords are closely guarded, and most companies limit password distribution to a few key personnel.
Recent analysis has shown that some firewall vendors have a hardcoded backdoor password embedded in their software. This means that a developer, or someone else with access to the code, purposely placed a backdoor password that allowed anyone to access the router remotely. In other words, someone who knew the code had been injected into the firewall software could remotely connect to a router just by knowing the vendor and software version.
While it’s common for developers to add a backdoor during application development, the backdoor code should be removed before deployment to production. What’s disturbing for security professionals is that no one is aware of how the backdoors got into the code. Firewall vendors refuse to disclose the code’s source, but some experts suggest that the NSA could be adding backdoor code to specific firewall vendors to give them access to target networks.
Snowden documents showed evidence that the NSA intercepted packages from one of the world’s most popular router vendors, Cisco (http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/). The NSA would intercept Cisco router packages intended for customers, implant Trojan horse firmware into the hardware, and then re-ship the package to the original recipient.
What Vendors are Vulnerable?
In December 2015, Juniper was the first firewall vendor exposed. Juniper firewalls were found to have two vulnerabilities. The first one allowed an attacker to log in remotely using SSH or Telnet. This first vulnerability allowed for secondary exposure: the attacker could then listen to secure VPN traffic in its decrypted form. This left companies exposed to eavesdropping from government officials or any remote hacker who knew the hardcoded password. Even more disturbing is that the code was active for over three years on Juniper systems, so any company using these firewalls has been exposed for years.
Juniper released an advisory and issued an update to patch the vulnerable firmware, but they never disclosed the source of the backdoor.
Fortinet is the next firewall company infected with malicious backdoor code. Fortinet’s hardcoded password was even exposed. Researchers were able to identify the password “FGTAbc11*xy+Qqz2” hardcoded into the firewall system software. This means that anyone who knew the password could remotely access the router, configure firewall settings to allow external traffic and leave the internal network exposed.
Fortinet versions 4.3 to 5.0.7 were shown to include the malicious backdoor code. Fortinet has since released newer versions of the software and administrators are urged to upgrade immediately.
Both Juniper and Fortinet claimed that internal security teams identified the backdoor during routine reviews, but they were both unclear on how the code was injected in the first place. They did not specify if it was an internal engineering mistake or the work of external hackers or government agencies.
It’s Time to Increase Security and Add Layers of Protection
Firewalls are one of the first lines of defense for companies. They often trust a vendor to provide the best layer of protection. Traditionally, administrators trusted one vendor to protect their network, but these recent backdoors show that companies must add an extra layer of protection to their outer defense. This could be through additional firewalls, security software or intrusion detection systems.
If you have any of these systems installed within your network infrastructure, update the firmware and perform a thorough review of any logs. Logs can tell you if any suspicious activity occurred from a remote location. You should also consider increasing security protection using intrusion detection software. A penetration test can also help identify any current vulnerable systems before a hacker exploits them.
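As an added illustration of the log review and version check described above (example code written for this article, not a vendor tool), the script below parses constructed key=value admin-login records in a hypothetical format, flags successful remote logins whose source is outside the management subnet, and tests whether a Fortinet-style version string falls in the affected 4.3 to 5.0.7 range quoted earlier. The management subnet, log format and user names are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample records in a hypothetical key=value layout; not a real vendor's syslog format.
SAMPLE_LOGS = [
    "date=2016-01-12 time=03:14:07 action=login status=success user=admin srcip=10.0.5.20 method=ssh",
    "date=2016-01-12 time=03:20:41 action=login status=success user=admin srcip=198.51.100.77 method=ssh",
    "date=2016-01-12 time=03:21:02 action=login status=failed user=admin srcip=198.51.100.77 method=telnet",
    "date=2016-01-12 time=04:02:55 action=login status=success user=netops srcip=203.0.113.9 method=ssh",
]

# Assumed management network: only logins from here are expected for the admin console.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict (values contain no whitespace in this format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_management_source(ip: str) -> bool:
    """True when the source address belongs to one of the management subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def suspicious_remote_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return successful console logins that did not originate from the management network.

    Failed attempts are skipped here; a separate count of failures per source is a useful
    companion check but is not part of this example.
    """
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("action") != "login" or fields.get("status") != "success":
            continue
        if not is_management_source(fields["srcip"]):
            hits.append(fields)
    return hits


def version_tuple(version: str) -> tuple:
    """Turn '5.0.7' into (5, 0, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def in_affected_range(version: str, low: str = "4.3", high: str = "5.0.7") -> bool:
    """True when the installed version lies within the affected range stated in the article."""
    return version_tuple(low) <= version_tuple(version) <= version_tuple(high)
```

Run the checks against a real export by replacing SAMPLE_LOGS with the device's exported admin-login records in the same key=value form and adjusting MANAGEMENT_NETS to the subnets that should reach the console.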