Is your operating system safe? The Story of FBI adding secret backdoors to OpenBSD IPSEC Code

Do you think that merely having the latest updates installed on your operating system, along with the latest firewall and anti-virus software, is enough to protect the data on your system? Well, the reality seems to be much more complicated than that.

I used to wonder, a couple of years back when Windows literally ruled the world: what if Microsoft operating systems contained secret embedded code that could transmit data from the system to, say, US government agencies via the Internet? How would anybody have known about it, since the source code of Windows is not open source? And any government would love to have that ability. That was just a thought, an imagination.

But now there is recent news alleging that something similar has happened, with the exception that the source code in question is itself open source!

OpenBSD – The Target Operating System

Why OpenBSD? Well, OpenBSD is known to be one of the most secure of the Unix-based operating systems, and hence is used worldwide in networks where highly secure servers are required. What’s more, as the name itself suggests, it is an open source operating system.

So isn’t open source supposed to be more secure in terms of code integrity, since its code is available for public audit? True, but being open source only means that the code can be audited, not that it is audited, and that is a very big difference. A network administrator who installs OpenBSD cannot simply go and audit millions of lines of source code just because they are available. That would require thorough knowledge of lower-level programming languages like C and C++, and auditing more than a few hundred lines requires a dedicated team and a lot of time.

OpenBSD is a great operating system for running large servers where security is of utmost importance. Ever since its first release in 1996 it has followed a scheduled release once every six months, the latest being in Nov 2010. In all these years there have been only two instances where remote security holes were found in its default installation, making it one of the most secure operating systems ever built. OpenBSD is known for additional security features that are either totally absent from other operating systems or not available in their default installations.

Its open source code has been used by several other operating systems, including FreeBSD, the core of Mac OS X, the OS of Nokia firewall appliances, the earlier SunOS, DragonFly BSD, etc. (Ref: http://en.wikipedia.org/wiki/Berkeley_Software_Distribution#Significant_BSD_descendants).

So OpenBSD and its descendants run some of the most widely used high-end servers in crucial networks worldwide. Given this, an allegation that the FBI planted secret backdoors in this operating system, which could be used to intercept data flowing through these systems and possibly to control them remotely, raises serious security concerns if it turns out to be true.

The Allegations of FBI adding secret backdoors to OpenBSD

Theo de Raadt is the founder and lead developer of the OpenBSD project. He recently made public an email he received from Gregory Perry, the CEO of GoVirtual Education, who was also once the CTO at NETSEC. NETSEC was involved in the development of OpenBSD’s secure crypto framework.

In this mail to Theo de Raadt, sent on Dec 11 2010, Gregory Perry says (Note: text not highlighted in original content):

If you will recall, a while back I was the CTO at NETSEC and arranged funding and donations for the OpenBSD Crypto Framework. At that same time I also did some consulting for the FBI, for their GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn’t want to create any derivative products based upon the same.

This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

What this mail says is that the FBI, with the help of NETSEC (which developed the crypto code for OpenBSD), inserted backdoor code into OpenBSD’s cryptography framework so that OpenBSD installations could be used by the FBI to monitor the encrypted data flowing between these systems. In other words, encrypted traffic between systems in a network, which otherwise cannot be read without the secret keys needed to decrypt it, can be monitored by the FBI on such systems because of the backdoor code installed in them. In a broader sense, what it all means is that if you have a network running on OpenBSD, it can be monitored by the FBI.

Now how true is this allegation? In the words of Theo de Raadt, who made this email public and who is also the lead developer and founder of OpenBSD (Note: text not highlighted in original content):

I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.

The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that
(a)   those who use the code can audit it for these problems,
(b)   those that are angry at the story can take other actions,
(c)   if it is not true, those who are being accused can defend themselves.

Of course I don’t like it when my private mail is forwarded. However the “little ethic” of a private mail being forwarded is much smaller than the “big ethic” of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.

So what de Raadt is saying is that while he is not sure about the allegations made by Perry, he is still making Perry’s email public so that the allegations can be probed and the real facts discovered. As I said earlier, analyzing tonnes of lines of low-level code is no small task and needs an expert panel or extremely dedicated individual effort.

So far nobody has confirmed or denied the existence of these backdoors in the source code in question. At the same time, the source code has undergone numerous changes since its inception in 2001 and has also been extensively used in later derived operating systems. So it is in everybody’s interest to validate the veracity of this allegation.

On the other hand, Jason Wright, who Perry alleges to be one of the developers who inserted the backdoor code into the framework at the behest of the FBI, has responded by outright rejecting all the allegations. (Note: text not highlighted in original content)

I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF). The code I touched during that work relates mostly to device drivers to support the framework. I don’t believe I ever touched isakmpd or photurisd (userland key management programs), and I rarely touched the ipsec internals (cryptodev and cryptosoft, yes). However, I welcome an audit of everything I committed to OpenBSD’s tree.

I demand an apology from Greg Perry (cc’d) for this accusation. Do not use my name to add credibility to your cloak and dagger fairytales.

Read Jason Wright’s complete response here.

Even Scott Lowe, whose name was mentioned by Perry as promoting OpenBSD due to his FBI affiliations, has denied the charges, saying:

… my advocacy (of OpenBSD) is strictly due to appreciation of the project and nothing more

Now did the code really have backdoors or not, as alleged by Perry? Only a complete audit of the code in question can reveal the truth. And if the allegation turns out to be true, then all derivative software that used the above-mentioned open source code would probably have to be updated to remove the backdoor.

Andrew Hay, an analyst with The 451 Group, said that slipping something malicious into the OpenBSD code is possible but unlikely, due to the possible political and social ramifications of the backdoor being discovered.

The ongoing discussion thread, including de Raadt’s original email and the subsequent replies by Jason Wright, can be found here: Allegations regarding OpenBSD IPSEC.

Hopefully in the coming days the code in question will be audited thoroughly and the real facts made public.