We Examine the Double-Edged Swords of the Cybersecurity World
Its not in your pocket. Not in the car. Not in your bag. Where could your key be? You need a way to get in your place. So, you call a locksmith, who can use his tools to provide another way inside.
But what if were talking encryption instead? There are no locksmiths in the cryptography world. What gets encrypted stays encrypted (unless youre the owner). Theoretically, at least. One exception to that rule is encryption backdoors.
Encryption backdoors are a simple concept. Think of them like the spare key you hide under the rock in your yard. Theyre a weakness that allows for entry in case of a loss of access or an emergency. They can be maliciously created by malware or intentionally placed in either hardware or software. There has been much debate about encryption backdoors because the two main debaters are viewing the issue from very different perspectives. On one hand, they allow for a way in if the situation requires it. But on the other hand, they can and most likely will be found by attackers.
So how do encryption backdoors work exactly? In what circumstances have they been used in the past? And what are the arguments for and against their deployment?
Lets hash it out.
An encryption backdoor is any method that allows a user (whether authorized or not) to bypass encryption and gain access to a system. Encryption backdoors are similar in theory to vulnerabilities, especially with regards to functionality. Both offer a non-standard way for a user to enter a system as they please. The difference lies in the human train of thought behind them. Encryption backdoors are deliberately put in place, either by software developers or attackers. Vulnerabilities, however, are accidental in nature.
In the world of cyberthreats, backdoors are among the most discreet kind. Theyre the polar opposite of something like ransomware, which is the cyber-equivalent of grabbing the user and slapping them in the face repeatedly. Encryption backdoors are well hidden, lurk in the background, and are only known by a very small group of people. Only the developers and a handful of select users that require the capabilities that the backdoor provides should be aware of its existence.
The power and versatility of backdoors has made them very popular among cybercriminals. In fact, a 2019 study by Malwarebytes found that backdoors in general, including encryption backdoors, were number four on the list of most common threats faced by both consumers and businesses. The report also discovered that the use of backdoors is on the rise, with a 34% increase in detections for consumers and a whopping 173% increase for businesses, compared to the previous year. Considering encryption backdoors are one of the primary types of backdoors, their use is no doubt on the rise, as well.
Its more important than ever to be aware of encryption backdoors and how they work. Since they can be used for either good or evil, its not always the most straightforward subject. Lets look at both sides of the coin by taking a closer at the different ways they are put into practice.
Some backdoors are are intended to help users, and others are intended to hurt them. Were going to classify backdoors into two primary types based on the result theyre designed to achieve malware backdoors and built-in backdoors.
Well start with the bad guys first. They create backdoor malware for nefarious means, such as stealing personal data, accessing your financial records, loading additional types of malware onto your system, or completely taking over your device.
Backdoor malware is considered a type of Trojan, which means that it aims to disguise itself as something completely different from its true form. You may think youre downloading a regular old Word document or a trusted piece of software from a file-sharing site, but youre actually getting something thats going to open up a backdoor on your system that an attacker can use to access whenever they want.
Backdoor malware, like Trojans, can also be capable of copying itself and distributing the copies across networks to other systems. They can do this all automatically without any input required from the hacker.
These backdoors can then be used as a means to an end for further attacks, such as:
For instance, maybe you download a free file converter. You go to use it and it doesnt seem to work properly (spoiler alert it was never intended to) so you go and uninstall it from your system. Unbeknownst to you though, the converter was actually backdoor malware, and you now have a wide-open backdoor on your system.
Attackers can go a step further and create a backdoor using a functional piece of software. Perhaps you downloaded a widget that displays regularly updated stock prices. You install it and it works just fine. Nothing seems amiss. But little did you know, it also opened a backdoor on your machine.
For cybercriminals, thats usually just the first step getting their foot in the door. A common avenue for hackers to go down at this point is deploying a rootkit. The rootkit is a collection of malware that serves to make itself invisible and conceal network activity from you and your PC. Think of a rootkit like a doorstop that keeps the point of access open to the attacker.
Rootkits and backdoor malware in general can be difficult to detect, so be careful when browsing, avoid files from unknown or untrusted sources, keep your applications & OS updated, and take advantage of anti-virus and anti-malware programs.
Its not all bad when it comes to encryption backdoors, however. As we touched on, they can be used for ethical purposes, too. Perhaps a user is locked out of critical information or services and doesnt have any other way to get in. An encryption backdoor can restore access. They can also be of help when troubleshooting software issues, or even be used to access information that can help solve crimes or find a missing person or object.
Built-in backdoors are purposely deployed by hardware and software developers, and they arent usually created with nefarious means in mind. Oftentimes theyre simply part of the development process. Backdoors are used by developers so they can more easily navigate the applications as theyre coding, testing, and fixing bugs. Without a backdoor, theyd have to jump through more hoops like creating a real account, entering personal information thats usually required for regular users, confirming their email address, etc.
Backdoors like these arent meant to be part of the final product, but sometimes they get left in by accident. As with a vulnerability, theres a chance that the backdoor will be discovered and used by attackers.
The other main category of built-in backdoors is those that are requested by national governments and intelligence agencies. The governments of the Five Eyes (FVEY) intelligence alliance, Australia, Canada, New Zealand, the United Kingdom, and the United States, have repeatedly requested that tech and software companies install backdoors in their products. Their rationale is that these backdoors can help find critical evidence for use in criminal investigations. Apple, Facebook, and Google have all said no to these requests.
If a company does agree to installing a backdoor however, then it usually happens somewhere in the supply chain, where it is appropriately referred to as a supply chain backdoor. Its because it occurs during the manufacturing and/or development process when the components of the product are still floating around at some point in the supply chain. For instance, a backdoor could be loaded onto a microprocessor at the chip makers facility, whereafter it gets sent to various OEMs for use in consumer products. Or it could be loaded as the finished product is being sent to the consumer. For example, a government agency could intercept a shipment of devices meant for an end-user and load a backdoor via a firmware update. Encryption backdoors can be installed with the knowledge of the manufacturer or done covertly.
Supply chain backdoors can occur during the software development process, as well. Open-source code has many advantages for developers, saving time and resources instead of reinventing the wheel. Functional and proven libraries, applications, and development tools are created and maintained for the greater good, free for all to use. It has proven to be an efficient and powerful system.
Except, of course, when a backdoor is intentionally planted somewhere. Contributions to open-source code are always subject to review and scrutiny, but there are times when a malicious backdoor can slip through the cracks and make its way out to developers and eventually users. In fact, GitHub found in a 2020 report that nearly one in five software bugs were intentionally created for malicious purposes.
Lets take a look at some of the most significant and well known instances of encryption backdoors, and the consequences associated with their use:
The debate around the existence of encryption backdoors, and particularly built-in backdoors, has been raging on for decades. Thanks to the shades of grey nature of their intended and actual uses, the debate shows no sign of slowing down anytime soon. Especially considering that the main proponent of encryption backdoors, national governments, is also the only party that could legally outlaw them. So, what are the two sides of the argument?
The members of the Five Eyes alliance argue that built-in encryption backdoors are a must for maintaining national and global security. Then-FBI Director Christopher Wray attempted to sum up the US governments position in 2018, explaining
Were not looking for a back doorwhich I understand to mean some type of secret, insecure means of access. What were asking for is the ability to access the device once weve obtained a warrant from an independent judge, who has said we have probable cause.
Government officials often point out that what they truly desire is more like a front door that can grant access and decryption only in situations that meet certain criteria. The theory is that it would be something only the good guys can use.
Those in favor of backdoors argue that the technological gap between the authorities and cybercriminals is growing, and that the legal and technological powers of law enforcement agencies arent currently enough to keep up. Hence, the need for a shortcut, a secret way in.
In other instances, authorities simply need access to gain evidence and information regarding a case. Numerous criminal investigations have been held up because locked phones couldnt be accessed. And after all, isnt the information in a phone the kind that police would normally have the right to access with a search warrant?
A common solution that is proposed by supporters of built-in backdoors is the use of whats called a key escrow system. The concept is that a trusted third party would act as a secure repository for keys, allowing for decryption if law enforcement can get legal permission to do so.
Key escrow is often used internally by companies in case access to their own data is lost. When it comes to public use though, its a system that is challenging and costly to implement. Theres also a large security risk, since all an attacker would need to do to decrypt something is gain access to the key storage location.
A front door for the good guys sounds great in theory. The problem is, functionally, there isnt much difference between that and an encryption backdoor. A hacker will be able to find their way in if it exists, no matter what you want to call it. Its for this reason that most of the big tech companies dont want encryption backdoors in their products. Because then they will be putting their brand name on insecure products that come with out-of-the-box vulnerabilities.
Even if the manufacturer and/or the government are the only ones to initially know about the backdoor, its inevitable that attackers will eventually discover it. On the large scale, a proliferation of backdoors would almost certainly result in an increase of cybercrimes and create a massive black market of exploits. There could be severe and far-reaching impacts for the public-at-large. For instance, utility infrastructure and critical systems could suddenly be left wide open to attacks from threats both at home and abroad.
There is also the question of privacy when it comes to encryption backdoors. If backdoors are everywhere, then suddenly a government can eavesdrop on citizens and view their personal data as they wish. Even if they didnt at first, the possibility is still there, and its a slippery slope that gets more slippery with time. A hostile and immoral government, for example, could use a backdoor to locate dissidents that are speaking out against the regime and silence them.
Overall, when it comes to encryption, theres a few basics that are absolutely required in order for it to be effective:
Backdoors compromise the second point (and in some cases the first), and in that sense they defeat the entire purpose of encrypting data in the first place.
The refusal of the giant technology companies to grant encryption backdoors, particularly Apples actions in 2015, has thus far prevented the setting of any legal precedents for backdoors. If any of them had acquiesced, then more encryption backdoors would have no doubt been created moving forward. While encryption backdoors can result in positive outcomes in certain cases, they also come at the price of exposing our devices to greater risk of attack.
These risks are already increasing, independent of backdoors, thanks to the Internet of Things and proliferation of smart devices all over our homes and workplaces. An attacker could compromise an IoT device and work their way up the chain of connections to your own PC, and backdoors make it even easier.
In one corner, you have security experts and privacy advocates in favor of maintaining the strongest possible encryption measures and practices. In the opposite corner you have governments that want backdoors to help solve crimes and maintain public safety. The discussion shows no signs of slowing up and will most likely intensify as technology continues to evolve and spread.
Either way, you and I must continue to protect our own data as best we can. We cant necessarily prevent an attack via a built-in backdoor that we dont even know exists, but we can employ an intelligent mix of security software and best practices to help mitigate the risk of malware backdoors. Make sure your data is encrypted with an encryption algorithm you trust, and that you have full control over the encryption key. If theres a possibility that someone else has a key for your data, then its not secure.
See the original post:
All About Encryption Backdoors - Hashed Out by The SSL Store - Hashed Out by The SSL Store
Read More..