
Upload: qaspia

Post on 12-May-2017


Backdoors at the Forefront

Backdoors are once again thrust into the forefront with this week’s breaking news that the NSA allegedly hacked Chinese router company Huawei’s servers. Back in October 2012 the House Intelligence Committee accused Huawei, which claims to interconnect one third of the Internet, of embedding backdoors into routers and “posing a national security threat.” And thanks to another Edward Snowden bombshell, we now know that the NSA took their own measures to ensure perpetual access to Huawei routers.

Government espionage is nothing new. Although both sides in the example above dismiss the claims, these recent developments confirm that the location of the battlefield is forever changed. Instead of bullets and bombs, the new intelligence war is being fought with almost imperceptible bursts of electricity. Reminds me of the classic AC/DC song “Dirty Deeds Done Dirt Cheap,” where they poetically proclaim that, “For a fee I’m happy to be your backdoor man.”

Now this song was written back in 1976, so I don’t think Bon Scott and the boys had Back Orifice and NetBus in mind. Back in 1976 the Apple I personal computer was just being released, and Microsoft Windows 1.01 was still nine years in the future. The very notion of a backdoor into a computer system wasn’t introduced into popular culture until the 1983 blockbuster movie “WarGames,” when computer hacker Matthew Broderick stumbles across a backdoor on a military computer system. Broderick successfully guesses the backdoor password “Joshua,” the name of the system programmer’s dead son. After gaining access to the military computer system Broderick almost unknowingly starts World War III. Back in 1983 the plot of WarGames seemed ridiculously far-fetched, but was it really?

Wikipedia defines a backdoor as “a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected.” If backdoors are illegal, they’re surely confined to underground hackers, right? Sure, ever since the old days hackers certainly left backdoors on compromised systems. Maybe they even got fancy and implemented port-knocking servers to conceal backdoor Telnet or SSH services. But that’s ancient history; backdoors are now a crucial tool within the realm of government and corporate espionage.

Consider the recent RSA scandal. The NSA allegedly paid RSA $10 million to utilize a flawed pseudorandom number generator within their encryption products, effectively embedding a backdoor and allowing the NSA to compromise seemingly encrypted communications. From email messages to financial transactions to medical information, the security of RSA encrypted communications is now compromised. Government pressure was certainly a factor, but for a fee RSA was happy to be the NSA’s backdoor man. However, the most shocking and appalling aspect of this story is that RSA’s core business is security, unlike a networking or operating system company for which security is a necessary evil.


Backdoors are clearly nothing new. But now backdoors are all the rage. Consider a trip down only the past two years of Memory Lane:

In May 2012 England’s The Guardian revealed that a computer chip used in the Boeing 787 contains a backdoor that could allow attackers to remotely control the chip from the Internet. The chip in question is utilized in flight-critical applications on board the 787. In addition, the chip is utilized within military, automotive, and medical devices. Furthermore, the backdoor cannot be removed as it is embedded directly into the silicon. Fantastic.

In July 2013 The Guardian broke a story that Microsoft collaborated with the NSA in order to compromise encryption functionality embedded within Outlook.com, SkyDrive and Skype, allowing carte blanche access to seemingly encrypted email messages, cloud storage, and video calls. Microsoft argued that they were legally compelled to comply with NSA Prism initiatives.

In December 2013 Germany’s Spiegel Online revealed that the NSA developed a 50-page catalog of backdoors for a wide range of technology components including Western Digital hard drives, Dell servers, Juniper routers, and Cisco firewalls. In addition, the catalog included techniques to compromise iPhones. Do you know anybody with one of those? According to the report, the NSA can read contact lists and SMS messages, remotely activate the camera and microphone, and even pinpoint the phone’s geographic location. As an aside, isn’t it interesting that these major revelations are all coming from foreign media outlets? Could a gag order be in effect stateside?

Speaking of foreign countries, by no means does the United States own a monopoly on backdoors. A former Pentagon analyst estimated that China controls backdoors into a whopping 80% of telecommunications traffic. ZTE Corporation and the aforementioned Huawei are believed to be responsible for creating this colossal espionage mechanism. In addition, zero-day exploits are a booming business all over the world.

And of course backdoors aren’t reserved for the government sector. To quote another classic AC/DC song, “Come on, come on, listen to the money talk!” Malicious attackers sell access to botnets of compromised end-user computer systems for serious coin. Who knows, the device on which you’re reading this very blog post might already belong to a botnet. In addition, for a markup of several hundred dollars mSpy sells Android and iPhone devices with pre-installed backdoor functionality. To mention just a few of the privacy-invasive features, the mSpy backdoor functionality allows you to read SMS and email messages, view pictures and videos, record telephone conversations, pinpoint GPS locations, and log keystrokes. As the site shamelessly advertises, are you afraid that your son’s “greasy haired buddies” are “troubled teens” that will punch his one-way ticket to Stonerville? Then fork over $1,149 and invade his privacy with a loaded mSpy iPhone5S! Afraid that your significant other has cupcakes on the side? Then fork over $769 for an mSpy Nexus 5! Of course, mSpy does not “endorse the use of our software for any illegal purposes.” And of course all sales are final. No, this whole racket doesn’t seem shady at all. Not one bit.

As you can see, backdoors are a red hot commodity in today’s evolving information security landscape. Whether national governments or billion dollar corporations, backdoors are no longer reserved for the realm of nerdy hackers munching on Cheetos and guzzling Mountain Dew in front of their keyboard all night. And one thing is certain, for a fee hardware manufacturers, software vendors, and zero-day exploit writers are willing to be your backdoor man. However, the dirty deeds won’t be done dirt cheap; backdoors are a thriving and immensely profitable business.