WTF is a backdoor?

by admin January 30, 2017 at 4:25 am

The last two decades have seen a steady migration from analog to digital means for communication and the storage of information.

Following closely behind (sometimes not closely enough, as some have found to their peril) was the drive to keep that information secure. The threat of hacking and the desire to assure users of their privacy has led to the encryption of data while it is both at rest and in transmission becoming standard practice. And, just as a bank can’t open a secure deposit box to which only you have the key, proper encryption means that even the companies providing and hosting services can’t access that data unless you authorize it.

But even the strongest safe or door will succumb to drill or explosives. Advances in cryptography methods and increases in computing power have created encryption that cannot be reversed in a realistic timeframe. For the first time in history, people have a way of securing their communications quickly, automatically, and at will from any threat, be it hackers or government snoops.

Good for us — but for the FBI and the police, it’s a calamity. Where once they could pry open locked drawers to find incriminating letters, or force a company to reveal private records, now everything depends on the willingness of the owner to allow that information to be decrypted.

Since they can’t go through the front door, so to speak, they have asked repeatedly for a back door. But what exactly is a backdoor, and why should you care?

A unique threat

The concept of a backdoor is simple to state but not so simple to definitively pin down. Like the back door of a house, a crypto backdoor (generally written as a single word) is a way to circumvent the locks and protections of the main entrance in order to walk in unobstructed and make oneself comfortable. A backdoor could be in a phone, laptop, router, security camera — any device, really.

But backdoors are different from other means of bypassing traditional security. Security researcher Jonathan Zdziarski provides a useful framework for distinguishing a backdoor from a bug, exploit, or administrative access.

First, backdoors operate without consent of the computer system’s owner. This excludes things like administrative access to employee emails, something people often consent to as part of a job, or Comcast maintaining a separate login for your router for troubleshooting purposes. But if the Comcast adds another, secret login, that meets the standard.

Second, the actions performed by backdoors are at odds to the stated purpose of the system. Say a device claims to keep your messages safe; the manufacturer may have a way to install updates on it to keep it functional, which is perfectly compatible with its intended purpose. If, however, the device includes a way of accessing your messages without your knowledge, that’s counter to the intended purpose and qualifies.

Third, backdoors are under the control of undisclosed actors. Many viruses and worms operate more or less autonomously, harvesting information or spamming your contacts; unless a third party is directing their actions (as in ransomware or botnets), they don’t count as backdoors — since there’s nowhere to go through it.

Knock knock

Many Americans will have recently heard the word “backdoor” during the FBI’s high-profile dispute with Apple, which provides a useful example for defining the term. In the course of a terrorism investigation, the FBI tried to force Apple to create code that would unlock an iPhone at the request of law enforcement. Apple CEO Tim Cook wrote at the time, “The U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.”

The FBI was asking Apple to build software that would operate without the consent of the device owner, decrypt a version of iOS that promised robust encryption, and remain under the secretive control of the FBI — meeting all three conditions set out above.

But backdoors are far from a new phenomenon, and don’t have to take the form of a piece of software installed in an otherwise free device. One example of deeper integration dates back to 1992.

That year, under the direction of the NSA, the company Mykotronx made a dedicated chip for encrypting telephone communications on lines where secrecy and privacy were important, for example in R&D or at an embassy. This “Clipper Chip” was a replacement for an existing chip, and featured an important addition: a “Law Enforcement Access Field” into which a code could be entered to bypass the device’s encryption altogether.

Source link

more news from the blog

Add Comment