We Examine the Double-Edged Swords of the Cybersecurity World
It’s not in your pocket. Not in the car. Not in your bag. Where could your key be? You need a way to get in your place. So, you call a locksmith, who can use his tools to provide another way inside.
But what if we’re talking encryption instead? There are no locksmiths in the cryptography world. What gets encrypted stays encrypted (unless you’re the owner). Theoretically, at least. One exception to that rule is encryption backdoors.
Encryption backdoors are a simple concept. Think of them like the spare key you hide under the rock in your yard. They’re a weakness that allows for entry in case of a loss of access or an emergency. They can be maliciously created by malware or intentionally placed in either hardware or software. There has been much debate about encryption backdoors because the two main sides are viewing the issue from very different perspectives. On one hand, they allow for a way in if the situation requires it. But on the other hand, they can and most likely will be found by attackers.
So how do encryption backdoors work exactly? In what circumstances have they been used in the past? And what are the arguments for and against their deployment?
Let’s hash it out.
What is an Encryption Backdoor?
An encryption backdoor is any method that allows a user (whether authorized or not) to bypass encryption and gain access to a system. Encryption backdoors are similar in theory to vulnerabilities, especially with regards to functionality. Both offer a non-standard way for a user to enter a system as they please. The difference lies in the human train of thought behind them. Encryption backdoors are deliberately put in place, either by software developers or attackers. Vulnerabilities, however, are accidental in nature.
In the world of cyberthreats, backdoors are among the most discreet kind. They’re the polar opposite of something like ransomware, which is the cyber-equivalent of grabbing the user and slapping them in the face repeatedly. Encryption backdoors are well hidden, lurk in the background, and are only known by a very small group of people. Only the developers and a handful of select users that require the capabilities that the backdoor provides should be aware of its existence.
The power and versatility of backdoors has made them very popular among cybercriminals. In fact, a 2019 study by Malwarebytes found that backdoors in general, including encryption backdoors, were number four on the list of most common threats faced by both consumers and businesses. The report also discovered that the use of backdoors is on the rise, with a 34% increase in detections for consumers and a whopping 173% increase for businesses, compared to the previous year. Considering encryption backdoors are one of the primary types of backdoors, their use is no doubt on the rise, as well.
It’s more important than ever to be aware of encryption backdoors and how they work. Since they can be used for either good or evil, it’s not always the most straightforward subject. Let’s look at both sides of the coin by taking a closer look at the different ways they are put into practice.
How Are Encryption Backdoors Used?
Some backdoors are intended to help users, and others are intended to hurt them. We’re going to classify backdoors into two primary types based on the result they’re designed to achieve – malware backdoors and built-in backdoors.
We’ll start with the bad guys first. They create backdoor malware for nefarious means, such as stealing personal data, accessing your financial records, loading additional types of malware onto your system, or completely taking over your device.
Backdoor malware is considered a type of Trojan, which means that it aims to disguise itself as something completely different from its true form. You may think you’re downloading a regular old Word document or a trusted piece of software from a file-sharing site, but you’re actually getting something that’s going to open up a backdoor on your system that an attacker can use to access whenever they want.
Backdoor malware, like Trojans, can also be capable of copying itself and distributing the copies across networks to other systems. They can do this all automatically without any input required from the hacker.
These backdoors can then be used as a means to an end for further attacks, such as:
- Using your PC in a DDoS attack
For instance, maybe you download a free file converter. You go to use it and it doesn’t seem to work properly (spoiler alert – it was never intended to) so you go and uninstall it from your system. Unbeknownst to you though, the converter was actually backdoor malware, and you now have a wide-open backdoor on your system.
Attackers can go a step further and create a backdoor using a functional piece of software. Perhaps you downloaded a widget that displays regularly updated stock prices. You install it and it works just fine. Nothing seems amiss. But little did you know, it also opened a backdoor on your machine.
For cybercriminals, that’s usually just the first step – getting their foot in the door. A common avenue for hackers to go down at this point is deploying a rootkit. The rootkit is a collection of malware that serves to make itself invisible and conceal network activity from you and your PC. Think of a rootkit like a doorstop that keeps the point of access open to the attacker.
Rootkits and backdoor malware in general can be difficult to detect, so be careful when browsing, avoid files from unknown or untrusted sources, keep your applications & OS updated, and take advantage of anti-virus and anti-malware programs.
It’s not all bad when it comes to encryption backdoors, however. As we touched on, they can be used for ethical purposes, too. Perhaps a user is locked out of critical information or services and doesn’t have any other way to get in. An encryption backdoor can restore access. They can also be of help when troubleshooting software issues, or even be used to access information that can help solve crimes or find a missing person or object.
Built-in backdoors are purposely deployed by hardware and software developers, and they aren’t usually created with nefarious means in mind. Oftentimes they’re simply part of the development process. Backdoors are used by developers so they can more easily navigate the applications as they’re coding, testing, and fixing bugs. Without a backdoor, they’d have to jump through more hoops like creating a “real” account, entering personal information that’s usually required for regular users, confirming their email address, etc.
Backdoors like these aren’t meant to be part of the final product, but sometimes they get left in by accident. As with a vulnerability, there’s a chance that the backdoor will be discovered and used by attackers.
The other main category of built-in backdoors is those that are requested by national governments and intelligence agencies. The governments of the Five Eyes (FVEY) intelligence alliance, Australia, Canada, New Zealand, the United Kingdom, and the United States, have repeatedly requested that tech and software companies install backdoors in their products. Their rationale is that these backdoors can help find critical evidence for use in criminal investigations. Apple, Facebook, and Google have all said no to these requests.
If a company does agree to install a backdoor, however, then it usually happens somewhere in the supply chain, where it is appropriately referred to as a “supply chain backdoor.” This is because it occurs during the manufacturing and/or development process, while the components of the product are still moving through the supply chain. For instance, a backdoor could be loaded onto a microprocessor at the chip maker’s facility, after which it gets sent to various OEMs for use in consumer products. Or it could be loaded as the finished product is being sent to the consumer. For example, a government agency could intercept a shipment of devices meant for an end user and load a backdoor via a firmware update. Encryption backdoors can be installed with the knowledge of the manufacturer or done covertly.
Supply chain backdoors can occur during the software development process, as well. Open-source code has many advantages for developers, saving time and resources instead of reinventing the wheel. Functional and proven libraries, applications, and development tools are created and maintained for the greater good, free for all to use. It has proven to be an efficient and powerful system.
Except, of course, when a backdoor is intentionally planted somewhere. Contributions to open-source code are always subject to review and scrutiny, but there are times when a malicious backdoor can slip through the cracks and make its way out to developers and eventually users. In fact, GitHub found in a 2020 report that nearly one in five software bugs were intentionally created for malicious purposes.
Encryption Backdoors in the Real World
Let’s take a look at some of the most significant and well known instances of encryption backdoors, and the consequences associated with their use:
- 1993 – Clipper Chip – While there were previous encryption backdoors prior to this, the Clipper Chip of 1993 was the first to gain major mainstream attention. The chip was an effort by the NSA to create a security system that, while sufficiently secure, could also be cracked at will by investigators if the need arose. The way it worked was that an 80-bit key was burned into the chip as it was manufactured. A copy of that key was held in escrow, and government agents with sufficient clearance could access it. The concept was met with heavy resistance within the industry, never quite got off the ground, and was dead within a few years.
- 2005 – Sony BMG – A decade and a half ago, while you were busy listening to 50 Cent or Mariah Carey, Sony was shipping millions of CDs containing a rootkit. Intended as a copyright protection measure, it would automatically install itself on your PC when the CD was inserted. Not only did it try to prevent you from burning CDs, but it also spied on your listening habits and opened a backdoor on your machine. Sony faced a wave of lawsuits as a result, recalling the CDs in question and paying out millions in damages.
- 2013 – Edward Snowden – One of the many revelations that came as a result of Snowden’s leaks was that the government had, in numerous instances, intercepted network gear en route to an end user and loaded compromised firmware on it. The firmware, of course, contained a backdoor that the NSA could (and often did) use to gain access to the user’s network.
- 2014 – Emotet – A malware strain, and more specifically a banking Trojan, Emotet is essentially an information stealer. It was originally intended for gathering sensitive financial data but is now used primarily as a backdoor. As of 2019, it was still one of the most prevalent threats in cyberspace and is commonly used as a starting point for launching ransomware attacks.
- 2015 – Apple – Apple has continuously refused to put backdoors in their products, despite repeated requests from the US government. The most high-profile instance happened in 2015, following the San Bernardino terrorist attacks. The FBI found an iPhone that was owned by one of the perpetrators and asked Apple to help unlock it. Apple said no and even made a concerted effort to make their devices harder to crack moving forward. The FBI was eventually able to use a third party to access the phone.
- 2017 – WordPress Plugins – An SEO scam in 2017 ended up affecting over 300,000 WordPress sites, revolving around a WordPress plugin, “Simply WordPress.” It was a CAPTCHA plugin that did more than advertised, unfortunately. It came with a “feature” that opened a backdoor that provided admin access to the site it was installed on.
The Debate About Encryption Backdoors
The debate around the existence of encryption backdoors, and particularly built-in backdoors, has been raging on for decades. Thanks to the “shades of grey” nature of their intended and actual uses, the debate shows no sign of slowing down anytime soon. Especially considering that the main proponent of encryption backdoors, national governments, is also the only party that could legally outlaw them. So, what are the two sides of the argument?
The Pros of Encryption Backdoors
The members of the Five Eyes alliance argue that built-in encryption backdoors are a must for maintaining national and global security. Then-FBI Director Christopher Wray attempted to sum up the US government’s position in 2018, explaining
“We’re not looking for a ‘back door’—which I understand to mean some type of secret, insecure means of access. What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.”
Government officials often point out that what they truly desire is more like a “front door” that can grant access and decryption only in situations that meet certain criteria. The theory is that it would be something only the “good guys” can use.
Those in favor of backdoors argue that the technological gap between the authorities and cybercriminals is growing, and that the legal and technological powers of law enforcement agencies aren’t currently enough to keep up. Hence, the need for a shortcut, a secret way in.
In other instances, authorities simply need access to gain evidence and information regarding a case. Numerous criminal investigations have been held up because locked phones couldn’t be accessed. And after all, isn’t the information in a phone the kind that police would normally have the right to access with a search warrant?
Key Escrow Backdoors
A common solution that is proposed by supporters of built-in backdoors is the use of what’s called a “key escrow” system. The concept is that a trusted third party would act as a secure repository for keys, allowing for decryption if law enforcement can get legal permission to do so.
Key escrow is often used internally by companies in case access to their own data is lost. When it comes to public use though, it’s a system that is challenging and costly to implement. There’s also a large security risk, since all an attacker would need to do to decrypt something is gain access to the key storage location.
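A toy model of the escrow arrangement described in this section and in the Clipper Chip entry above, added here as an example (it is not code from the original article): each message is encrypted under its own session key, a copy of that key is sealed under one escrow key, and so whoever holds the escrow key can read every record ever stored under it; a 2-of-2 split of the escrow key shows why where the key is stored matters. It assumes a hash-based stream cipher as a stand-in for a real cipher, and the sample messages are constructed.

```python
import hashlib
import os
from typing import List, Tuple

Record = Tuple[bytes, bytes]  # (sealed ciphertext, session key sealed under the escrow key)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for a real one (not for real data): XOR with SHA-256(key||nonce||ctr)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt under a fresh 16-byte nonce, which is prepended to the output."""
    nonce = os.urandom(16)
    return nonce + stream_xor(key, nonce, data)

def open_sealed(key: bytes, blob: bytes) -> bytes:
    return stream_xor(key, blob[:16], blob[16:])

def encrypt_with_escrow(escrow_key: bytes, plaintext: bytes) -> Tuple[bytes, Record]:
    """Owner keeps the session key; a copy sealed under the escrow key rides with the ciphertext."""
    session_key = os.urandom(32)
    record = (seal(session_key, plaintext), seal(escrow_key, session_key))
    return session_key, record

def owner_decrypt(session_key: bytes, record: Record) -> bytes:
    return open_sealed(session_key, record[0])

def escrow_decrypt(escrow_key: bytes, record: Record) -> bytes:
    """Whoever holds the escrow key, lawfully or not, recovers the session key and then the data."""
    return open_sealed(open_sealed(escrow_key, record[1]), record[0])

def escrow_decrypt_all(escrow_key: bytes, records: List[Record]) -> List[bytes]:
    """Blast radius of one escrow key: every record ever written under it."""
    return [escrow_decrypt(escrow_key, r) for r in records]

def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 XOR split so a single storage site holds nothing usable on its own."""
    share_a = os.urandom(len(key))
    return share_a, bytes(x ^ y for x, y in zip(key, share_a))

def join_key(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(share_a, share_b))

if __name__ == "__main__":
    escrow_key = os.urandom(32)
    stored = [encrypt_with_escrow(escrow_key, m)[1]  # constructed sample data
              for m in (b"wire transfer approved", b"patient record 42")]
    a, b = split_key(escrow_key)
    print("escrow key unlocks everything:", escrow_decrypt_all(escrow_key, stored))
    print("one share alone yields garbage:", escrow_decrypt(a, stored[0]))
```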
The Cons of Encryption Backdoors
A “front door” for the good guys sounds great in theory. The problem is that, functionally, there isn’t much difference between that and an encryption backdoor. A hacker will be able to find their way in if it exists, no matter what you want to call it. It’s for this reason that most of the big tech companies don’t want encryption backdoors in their products: they would be putting their brand name on insecure products that come with out-of-the-box vulnerabilities.
Even if the manufacturer and/or the government are the only ones to initially know about the backdoor, it’s inevitable that attackers will eventually discover it. On the large scale, a proliferation of backdoors would almost certainly result in an increase of cybercrimes and create a massive black market of exploits. There could be severe and far-reaching impacts for the public-at-large. For instance, utility infrastructure and critical systems could suddenly be left wide open to attacks from threats both at home and abroad.
There is also the question of privacy when it comes to encryption backdoors. If backdoors are everywhere, then suddenly a government can eavesdrop on citizens and view their personal data as they wish. Even if they didn’t at first, the possibility is still there, and it’s a slippery slope that gets more slippery with time. A hostile and immoral government, for example, could use a backdoor to locate dissidents that are speaking out against the regime and silence them.
Overall, when it comes to encryption, there are a few basics that are absolutely required in order for it to be effective:
- The data can’t be decrypted without the decryption key
- The decryption key can only be accessed by the owner
Backdoors compromise the second point (and in some cases the first), and in that sense they defeat the entire purpose of encrypting data in the first place.
The Future of Encryption Backdoors
The refusal of the giant technology companies to grant encryption backdoors, particularly Apple’s actions in 2015, has thus far prevented the setting of any legal precedents for backdoors. If any of them had acquiesced, then more encryption backdoors would have no doubt been created moving forward. While encryption backdoors can result in positive outcomes in certain cases, they also come at the price of exposing our devices to greater risk of attack.
These risks are already increasing, independent of backdoors, thanks to the Internet of Things and proliferation of “smart” devices all over our homes and workplaces. An attacker could compromise an IoT device and work their way up the chain of connections to your own PC, and backdoors make it even easier.
In one corner, you have security experts and privacy advocates in favor of maintaining the strongest possible encryption measures and practices. In the opposite corner you have governments that want backdoors to help solve crimes and maintain public safety. The discussion shows no signs of slowing up and will most likely intensify as technology continues to evolve and spread.
Either way, you and I must continue to protect our own data as best we can. We can’t necessarily prevent an attack via a built-in backdoor that we don’t even know exists, but we can employ an intelligent mix of security software and best practices to help mitigate the risk of malware backdoors. Make sure your data is encrypted with an encryption algorithm you trust, and that you have full control over the encryption key. If there’s a possibility that someone else has a key for your data, then it’s not secure.