mobile-bannertablet-bannerdesktop-banner
512136509
Photograph by Rafe Swan—Getty Images/Cultura RF

‘Rogue Code’ Found in Juniper Networks Software

Dec 18, 2015

(Reuters) - The U.S. government is investigating unauthorized code inserted in software from Juniper Networks, which experts warned could be a "back door" used to spy on the networking equipment maker's customers, an official told Reuters on Friday.

A senior U.S. official who declined to be named because of the sensitivity of the matter said the Department of Homeland Security is working with Juniper as it investigates the issue.

The official said the White House National Security Council had taken an interest in Juniper's rare disclosure that somebody had inserted rogue code into its software. Outside experts told Reuters it was likely planted by a nation state or sophisticated criminals.

The incident at Juniper comes at the end of a year of several high-profile hacks on Washington, including at the White House, State Department and Office of Personnel Management.

Juniper warned customers on Thursday that it had uncovered "unauthorized code" in the software that runs its firewalls, saying it could be exploited to allow an attacker to unscramble encrypted communications.

CNN reported Friday that the Federal Bureau of Investigation was probing the matter. An FBI representative declined comment to Reuters.

A former Juniper security executive said the flaw appeared to be a "back door," a reference to rogue code secretly inserted into a product to enable attackers to eavesdrop on users.

Juniper's notice to customers did not say whether the company was aware of how the code was inserted in the software.

"This shines a light on the fact that kind of attack is something intelligence agencies are probably doing," said Chris Wysopal, chief technology officer with Veracode, a maker of software for uncovering coding bugs.

Juniper (jnpr) said on its website that it had not received any reports of these vulnerabilities being exploited by hackers.

"However, we strongly recommend that customers update their systems and apply the patched releases with the highest priority," it added.

On Thursday, the Department of Homeland Security's U.S. Computer Emergency Response Team issued a short notice on its website, advising Juniper customers to install the update.

Representatives with Sunnyvale, California-based Juniper could not be reached for comment on Friday.

For more about hacking, watch this Fortune video:

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: http://www.djindexes.com/mdsidx/html/tandc/indexestandcs.html. S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions