Did the FBI Plant Backdoors in OpenBSD?

A disturbing report has been made public regarding the possibility of backdoors in the IPsec stack of OpenBSD having been inserted by people working for the FBI. For now, there is one allegation of this, in an e-mail from Gregory Perry, who has worked as an FBI consultant, to Theo de Raadt, the founder of OpenBSD. He says:

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.

Another claim, made via Twitter, suggests that attempts were made to implement these backdoors but that they were not successful. An audit of the code is underway, and those working on the audit point out that the “Backdoor is NOT confirmed.”

Perry’s e-mail mentions Scott Lowe as being a booster for OpenBSD and “advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments.” However, Mr. Lowe, who works for EMC, denies any involvement in this affair, and points out that there is another Scott Lowe who writes about virtualization, and who may be the person that Perry meant.

IPsec, or Internet Protocol Security, is a protocol suite used for securing VPNs. IPsec stacks used in Mac OS X (Darwin, based on FreeBSD) were partly taken from this code, and there is a possibility that, if such backdoors are present, Mac OS X may be affected. In addition, parts of this code may be found in other security suites and frameworks on a variety of operating systems.

There is, as yet, no confirmation of this allegation. Nevertheless, it is being taken very seriously by the security community, and many people have launched audits and investigations of the code in question. It may take some time to confirm or refute this allegation.

We will be following up on this, and, naturally, if Mac OS X is affected, we will apprise our readers of this problem as soon as possible. There is no reason not to use a VPN on Mac OS X in the meantime; if such backdoors exist, they are likely accessible only to the FBI (or other US security agencies), and, unless you are worried about such agencies obtaining information that you send over a VPN, you are probably safe.
