(Reuters) - The U.S. government is investigating unauthorized code inserted in software from Juniper Networks Inc, which experts warned could be a “back door” used to spy on the networking equipment maker’s customers, an official told Reuters on Friday.
A senior U.S. official who declined to be named because of the sensitivity of the matter said the Department of Homeland Security is working with Juniper as it investigates the issue.
The official said the White House National Security Council had taken an interest in Juniper’s rare disclosure that somebody had inserted rogue code into its software. Outside experts told Reuters it was likely planted by a nation state or sophisticated criminals.
The incident at Juniper comes at the end of a year of several high-profile hacks on Washington, including at the White House, State Department and Office of Personnel Management.
Juniper warned customers on Thursday that it had uncovered “unauthorized code” in the software that runs its firewalls, saying it could be exploited to allow an attacker to unscramble encrypted communications.
CNN reported Friday that the Federal Bureau of Investigation was probing the matter. An FBI representative declined comment to Reuters.
A former Juniper security executive said the flaw appeared to be a “back door”, a reference to rogue code secretly inserted into a product to enable attackers to eavesdrop on users.
Juniper’s notice to customers did not say whether the company was aware of how the code was inserted in the software.
“This shines a light on the fact that kind of attack is something intelligence agencies are probably doing,” said Chris Wysopal, chief technology officer with Veracode, a maker of software for uncovering coding bugs.
Juniper said on its website that it had not received any reports of these vulnerabilities being exploited by hackers.
“However, we strongly recommend that customers update their systems and apply the patched releases with the highest priority,” it added.
On Thursday, the Department of Homeland Security’s U.S. Computer Emergency Response Team issued a short notice on its website, advising Juniper customers to install the update.
Representatives with Sunnyvale, California-based Juniper could not be reached for comment on Friday.
Reporting by Jim Finkle in Boston, Mark Hosenball in New York, Joseph Menn in San Francisco; Editing by Stephen R. Trousdale, Matthew Lewis and Ken Wills