Did the FBI plant backdoor vulnerabilities in OpenBSD IPSEC?

Recently an interesting story broke out where Theo de Raadt (OpenBSD project Manager) received an email from Gregory Perry, former CTO of NETSEC claiming that about 10 years ago the FBI paid developers working on the IPSEC implementation of OpenBSD to introduce backdoors and other side channel attack vulnerabilities.

Gregory claims that he is coming forward with this news now because of a non disclosure agreement he had with the FBI which has just expired. Theo de Raadt on his part decided to go public with this story and as such all IPSEC code will now be reviewed to ensure no backdoors or weaknesses have indeed been introduced.

It’s impossible to say if this story is true or not. If indeed it is true it would have been a really bad move by the FBI. I would even go so far as to call it stupid. The IPSEC implementation of OpenBSD was freely available for anyone to use and it is impossible to even conceive where it ended up being used; I wouldn’t be surprised if it found its way into government departments. Essentially if the FBI did plant backdoors all they succeeded in doing is weaken the same infrastructure that they’re supposed to protect.

The dangers of introducing backdoors is not solely that whoever introduced them can get illegitimate access to confidential information but also that others are able to find the weakness and exploit it. I would imagine that an organization whose primary mission is to protect against espionage would recognize this and not do something as counterproductive as purposely introduce weaknesses in software that its own infrastructure might end up using.

What if your organization uses OpenBSD – should you be concerned?

If this story turns out to be true the implications of it will go far beyond OpenBSD. I would imagine that a lot of projects adopted the OpenBSD implementation of IPSEC, which was available for free, rather than writing another implementation from scratch.

That being said the risk is probably not that high at all. OpenBSD is an open source project which has natural defences against this sort of thing. For starters the code is available and I would image a lot of people scrutinized it quite well. A backdoor would be really hard to hide but some form of side channel vulnerability could conceivably be hidden in plain sight without being noticed. With regard to side channel vulnerabilities, over the years the IPSEC implementation got patched and changed by different developers which would probably disrupt any such vulnerabilities.

I personally do not think that the risk is currently high enough to warrant any action apart from monitoring this story closely. If any such vulnerabilities are detected, then the patches that are developed and tested need to get installed promptly.

What are your views on this possible security breach?

Chris Lorrel April 25, 2011 at 8:41 pm
Oh, boy! This is so sick! I can’t believe it – not that the FBI are the nicest guys who always play by the rules but this sounds just incredible. I don’t think that the community of an OS as popular as openBSD is, wouldn’t have noticed such a major issue. All this backdoor talk seems like a cheap sensation to me. I am not a lawyer but can a NDA include clauses that break the law?
Emmanuel Carabott May 5, 2011 at 4:51 pm
Hi Chris,
Since I posted this article the code review of IPSEC has finished and no backdoor was found so this either never happened or updates removed the backdoor. There is a minute chance that a really clever side channel vulnerability was introduced but in this case I find it highly unlikely something like that would have been missed by the openbsd community especially after such a claim.
As for the NDA, well I’m not so sure that back then introducing a backdoor would have broken any laws; however, one must remember that this is the FBI we are talking about. Even in the modern times when the whole wiretapping thing was deemed illegal, the government simply changed the laws to allow it and had it applied retroactively. I’m not saying that the FBI is above the law or anything of the sort, it’s just that I can understand that when an organization is tasked to do something questionable and then abide by an NDA, it would do so without questioning its legality and would certainly not try to go around it.

Comments are closed.

If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email privacy@gfisoftware.com from the email address you used when submitting this form.

Did the FBI plant backdoor vulnerabilities in OpenBSD IPSEC?

What if your organization uses OpenBSD – should you be concerned?

About the Author: Emmanuel Carabott

2 Comments

Did the FBI plant backdoor vulnerabilities in OpenBSD IPSEC?

What if your organization uses OpenBSD – should you be concerned?

Get your free 30-day trial

Get your free 30-day trial

About the Author: Emmanuel Carabott

2 Comments