Former contractor says FBI put backdoor in OpenBSD

Backdoor code was allegedly added to the IPsec stack 10 years ago, giving the FBI secret ways to snoop on encrypted traffic

A former government contractor says that the U.S. Federal Bureau of Investigation installed a number of backdoors into the encryption software used by the OpenBSD operating system.

The allegations were made public Tuesday by Theo de Raadt, the lead developer in the OpenBSD project. DeRaadt posted an email sent by the former contractor, Gregory Perry, so that the matter could be publicly scrutinized.

[ Keep up on the day's tech news headlines with InfoWorld's Today's Headlines: Wrap Up newsletter. ]

"The mail came in privately from a person I have not talked to for nearly 10 years," he wrote in his a posting to an OpenBSD discussion list. "I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public."

No one has come forward to corroborate Perry's story, but the allegations are remarkable. If they're true -- and at present they're being greeted with skepticism by the security community -- they mean that the FBI may have developed secret ways to snoop on encrypted traffic and then hidden them in source code submissions accepted by OpenBSD.

Perry is now CEO with a VMware services company called GoVirtual, but 10 years ago -- when the backdoor code was allegedly added to OpenBSD's IPsec stack -- he was a government contractor working for the FBI, he said.

In an email interview, Perry said that the backdoor code was developed to give the FBI a way to monitor encrypted communications within the U.S. Department of Justice. Perry says he worked with the FBI while he was chief technology officer at a company called Netsec, and was a contractor at the FBI's Technical Support Center, which was set up in the late 1990s to help law enforcement circumvent encryption techniques used by criminals.

There, Perry helped develop encryption cracking techniques, including what are known as side channel attacks -- these are ways of finding secret information by looking in unexpected places -- figuring out passwords by looking at the amount of time it takes the computer to process different characters, for example.

One project Perry worked on, a VPN system used by the U.S. Department of Justice "later proved to have been backdoored by the FBI so that they could recover (potentially) grand jury information from various US Attorney sites across the United States and abroad," Perry said.

An FBI spokesman was unable to comment on the matter.

Perry said he sent the email to de Raadt because his non-disclosure agreement with the FBI had expired.

Perhaps the most remarkable thing about the whole matter is that de Raadt decided to go public with claims that could undermine the credibility of his software. OpenBSD is open source software and its components are widely used in other Unix-based operating systems.

"I don't know many people or many companies who would have done this," said Dan Kaminsky, a well-known security consultant, who has worked with the OpenBSD project on security issues.

In his email, de Raadt said that by going open with the allegations, he's giving users a chance to audit their code, and the people accused of writing the backdoors a chance to defend themselves.

One person quickly came forward Tuesday to say he never worked for the FBI, as alleged by Perry. "I don't know where the person who started this rumor got his information, but he is sadly mistaken regarding my involvement," wrote Scott Lowe, a virtualization expert at EMC.

It's possible that Perry's claims of an FBI backdoor are true, Kaminsky said, but he's skeptical. "There's no way of really knowing. I guess the big question I have is is this guy going to be speaking publicly about his accusations?" he said. "Can anyone even trace back that he would conceivably have been under this NDA."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's email address is robert_mcmillan@idg.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies