Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The 7 security backdoors that helped kill faith in security

John E Dunn | Feb. 1, 2016
Backdoors are surrounded by mystery, intrigue and excitement. They might also be ubiquitous

Backdoors in computing equipment are the stuff of legend. A decade ago a security expert informed me with absolute certainty that a prominent non-US networking company had designed them into its products for years as a matter of course as if nobody much cared about this fact. Long before the average citizen had heard the letters NSA, it struck me at the time as extraordinary suggestion. It was almost as if the deliberate compromise of an important piece of network equipment was a harmless novelty.

One assumed he was exaggerating but by the time Edward Snowden became a household were such stories suddenly sounded plausible, even obvious. Of course company X had inserted backdoors into its kit - everyone had.

Today, there are only a handful of designed backdoors that aren't careless simply security flaws but there is also the fear of them which seems to matter even more. With every passing year, more are being documented in a slow-motion scandal that looks as if it has a way to run. As paranoia runs free, the more backdoors there are the more backdoors are needed to counter them. There have even been backdoors in the backdoors, indeed this is probably the first response of some spooks to finding one where it is not wanted.

The 7 security backdoors that heped kill faith in security - But what is a backdoor?

For a start, a true backdoor is not something put there after the fact and should be - deliberately or accidentally - a consequence of a system's design. That ostensibly counts out malware such as Trojans which open backdoors by exploiting vulnerabilities but includes serious design flaws that were discovered after a system was shipped. Some will complain that is a grey area and they're right. The line between deliberate and convenient is not always clear. Any undocumented function that gives system power becomes a backdoor by definition.

Backdoors don't even have to be a secret - witness recent US and UK Government demands that they be placed in systems to allow what is described as legitimate police and intelligence access to counter criminality. It's also far from a new argument. In the early 1990s, the NSA proposed something called the Clipper Chip, a hardwired backdoor based on storing encryption keys in an escrow accessible to the Agency. The idea eventually went nowhere for the simple reason that almost nobody would want to use a system whose security depended on the honesty of the US Government or, for that matter, any government.

This is the informal first law of backdoors; once a backdoor becomes known, it leaks its power pretty rapidly. The backdoor only works as long as its existence is unknown or a matter of plausible deniability.

 

1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.