FBI accused of installing backdoor in OpenBSD operating system

Former contractor says agency was eavesdropping on VPNs used by U.S. attorneys

Editor's note: This story was updated at 9 a.m. Dec. 16 to add comments from Jason Wright.

A former FBI consultant claims the FBI had backdoors installed in the supposedly secure OpenBSD operating system to allow the agency to eavesdrop on virtual private networks used by U.S. attorneys nearly a decade ago.

Gregory Perry, now CEO of GoVirtual Education, made the allegation Dec. 11 in a personal e-mail to OpenBSD founder Theo de Raadt, who published it three days later on the OpenBSD Tech mailing list.

“That message sent to Theo was not intended for public consumption but rather as a call to audit the OpenBSD codebase, which has been used to create derivative products in the thousands,” Perry told GCN.

Jason Wright, a developer named by Perry as one of those who inserted backdoor software and who now is an engineer at the Energy Department’s Idaho National Laboratory, denied the allegation in his own posting, calling it a “cloak and dagger fairy tale.”

“I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework,” he wrote. “I welcome an audit of everything I committed to OpenBSD’s tree.”

Wright demanded an apology from Perry and chastised de Raadt for publishing the accusation with no warning to him.

De Raadt in his posting agreed that publishing a personal message was troublesome. “However, the ‘little ethic’ of a private mail being forwarded is much smaller than the ‘big ethic’ of government paying companies to pay open-source developers to insert privacy-invading holes in software.”

The backdoor was supposedly included in the IPSEC stack that provides cryptography for VPNs. Access to cryptographic keys could allow an eavesdropper to decipher VPN traffic.


“Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are,” de Raadt wrote in his post.

De Raadt said he was publishing the accusation so that the software’s code could be checked for problems. “We are auditing code at the moment trying to find non-obvious mistakes and at the same time waiting to see if any other facts come up,” he told GCN.

So far there have been no reports that backdoor code has been found in the software. The FBI did not immediately return requests for comment.

OpenBSD is a Unix-based operating system developed from the Berkeley Software Distribution. De Raadt established the project in Canada in 1995 after leaving the NetBSD project, and the first version was released in 1996. There have been new releases about every six months. The current version, 4.8, was released in November.

Hardware platforms supported by OpenBSD are:

  • Digital Alpha-based systems.
  • AMD64-based systems.
  • ARM-based appliances (by Thecus, IO-DATA, and others).
  • Hewlett-Packard HP 9000 series 300 and 400 workstations.
  • Hewlett-Packard Precision Architecture (PA-RISC) systems.
  • Standard PC and clones based on the Intel i386 architecture and compatible processors.
  • IO-DATA Landisk systems (such as USL-5P) based on the SH4 CPU.
  • Loongson 2E- and 2F-based systems, such as the Lemote Fuloong and Yeeloong, Gdium Liberty, etc.
  • Apple New World PowerPC-based machines, from the iMac onward.
  • Motorola 680x0-based VME systems.
  • Motorola 881x0-based VME systems.
  • SGI MIPS-based workstations.
  • Freescale PowerPC SoC-based machines.
  • Sun sun4, sun4c, sun4e and sun4m class SPARC systems.
  • Sun UltraSPARC and Fujitsu SPARC64 systems.
  • Digital VAX-based systems.
  • Sharp Zaurus C3x00 PDAs.

Perry said he was working as a consultant for the FBI with the GSA Technical Support Center, which he described as “a cryptographic reverse-engineering project aimed at back-dooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.” He said the backdoors were explicitly to monitor VPN traffic of the Executive Office for U.S. Attorneys, a DOJ office that acts as a liaison between the department and the 93 U.S. attorneys across the country.

“This is not new to the FBI, they have been creating these types of alliances for quite some time now, with InfraGard being the best example of how the FBI interfaces with the commercial sector to accomplish their goals,” Perry told GCN.

He said that by the late 1990s there was official uneasiness about the FBI assuming any role in cryptographic export controls and that the agency’s work was redirected toward efforts such as the GSA Technical Support Center and partnerships with communications providers.

Reader Comments

Mon, Dec 20, 2010

As someone who is familiar with this contract at the time, I can corroborate the comments on this article from earlier today. Mr. Perry's quote that "he was working as a consultant for the FBI with the GSA Technical Support Center" is factually incorrect. He was not an FBI consultant. Work for the FBI was not in the scope of this contract.

Mon, Dec 20, 2010

This claim by Greg Perry was fabricated by weaving unrelated facts into a nefarious and fictitious plot. His claim to have been working for the FBI is not factual. The company's contract was with EOUSA. Mr. Perry's claim of FBI involvement is based solely on his incorrect statement that the FBI is part of EOUSA. Anyone with a brain and a web browser can look at DoJ's public org chart and see that EOUSA and the FBI are separate bureaus within DOJ. The only reason this story got any attention is that it aggregates a few real names and events into a decade-old fiction that is difficult to refute due to its age.

Mon, Dec 20, 2010 Jeffrey A. Williams

Configuration/implementation post install is crucial. Whether or not there were back doors built into OpenBSD would be questionable as to if any of the data sought and IF collected would be admissible under the federal rules of evidence. If indeed there were back doors provided for sometime directly after implementation testing started those should have been revealed or recognized unless very well done so as not to be detectable, which is possible but unlikely.

Thu, Dec 16, 2010 Govt. IT personnel Detroit

Open-source software is very secure if configured incorrectly post-install, Open-source like any other OS is not secure if it is incorrectly configured post-install.
