Juniper Networks, a popular provider of network firewalls, has disclosed a bug in its software that could have allowed third parties to decrypt VPN traffic.
The bug, which Juniper reported on Dec. 17, involves networking hardware devices running the company’s ScreenOS. These are the type of devices used in major datacenters or by ISPs to route and control network traffic. ScreenOS is the operating system that runs these devices.
Normally, if you use a VPN to connect to the Internet, your traffic is encrypted while it passes through network hardware along the way. That means people with access to that hardware can’t read the data you are exchanging or identify the websites you visit, as long as you use a VPN.
The bug, however, apparently makes it possible to decrypt VPN traffic as it passes through the devices. Anyone with access to the devices can then monitor your online activity.
Juniper described the bug as the result of “unauthorized code” in ScreenOS. It has yet to say definitively how the code made its way into the software. There is no indication yet of whether the issue is the result of an internal programming mistake or of a remote attack by a third party that wanted a way to decrypt VPN traffic passing through Juniper hardware.
In the latter case, the issue would be similar to previous ones in which the NSA has inserted malicious code into device firmware in order to spy on users.
It is also not clear whether the bug affects all types of VPN traffic, or only certain VPN configurations.
Juniper has fixed the issue, which only affected certain versions of ScreenOS. Network devices will be safe from the attack as long as they run patched versions of the software.
Unfortunately, however, the upgrades have to be applied by the people running the datacenters or ISPs, and it’s virtually impossible for an end user to know whether his traffic is passing through affected devices once it leaves his computer. Until more information about this incident comes to light, it may be best not to bet on your VPN connection being effectively encrypted.