Recently an interesting story broke: Theo de Raadt (OpenBSD project manager) received an email from Gregory Perry, former CTO of NETSEC, claiming that about 10 years ago the FBI paid developers working on the IPSEC implementation of OpenBSD to introduce backdoors and other side-channel attack vulnerabilities.

Gregory claims that he is coming forward with this news now because a non-disclosure agreement he had with the FBI has just expired. Theo de Raadt, for his part, decided to go public with this story, and as such all IPSEC code will now be reviewed to ensure no backdoors or weaknesses have indeed been introduced.

It’s impossible to say if this story is true or not. If indeed it is true, it would have been a really bad move by the FBI. I would even go so far as to call it stupid. The IPSEC implementation of OpenBSD was freely available for anyone to use and it is impossible to even conceive where it ended up being used; I wouldn’t be surprised if it found its way into government departments. Essentially, if the FBI did plant backdoors, all they succeeded in doing was weakening the same infrastructure that they’re supposed to protect.

The danger of introducing backdoors is not solely that whoever introduced them can get illegitimate access to confidential information, but also that others are able to find the weakness and exploit it. I would imagine that an organization whose primary mission is to protect against espionage would recognize this and not do something as counterproductive as purposely introducing weaknesses in software that its own infrastructure might end up using.

What if your organization uses OpenBSD – should you be concerned?

If this story turns out to be true, the implications of it will go far beyond OpenBSD. I would imagine that a lot of projects adopted the OpenBSD implementation of IPSEC, which was available for free, rather than writing another implementation from scratch.

That being said, the risk is probably not that high at all. OpenBSD is an open source project, which has natural defences against this sort of thing. For starters, the code is available and I would imagine a lot of people scrutinized it quite well. A backdoor would be really hard to hide, but some form of side-channel vulnerability could conceivably be hidden in plain sight without being noticed. With regard to side-channel vulnerabilities, over the years the IPSEC implementation got patched and changed by different developers, which would probably disrupt any such vulnerabilities.

I personally do not think that the risk is currently high enough to warrant any action apart from monitoring this story closely. If any such vulnerabilities are detected, then the patches that are developed and tested need to get installed promptly.

What are your views on this possible security breach?