I've always been inordinately fascinated by back doors. I often wonder what's behind them as I stroll along downtown alleyways (though mostly in my imagination these days). Where do they lead? Are they locked? Is there a security camera monitoring them? Perhaps I have latent criminal tendencies; more likely though it's just the 8-year-old boy that's still lurking deep inside me.
Businesses of course need to keep the back doors of their buildings properly secured if they want to prevent theft or vandalism. A secure back door can mean one that's locked or one that has a video camera monitoring it, or both if you're paranoid, and businesses have good reason to be paranoid nowadays. That's because backdoors (we'll use the composite word here because we're shifting into tech mode) seem to be proliferating of late. More and more computing hardware and software seem to come with built-in backdoors when you purchase them. These backdoors may have been included at the vendor's initiative or because of some secret requirement of a shadowy government agency. Either way, they pose a danger to companies because of the intrusion and information leakage they can facilitate.
Espionage is nothing new, of course. Whether it's industrial espionage or nations spying on other nations, espionage has been happening at least since the time of the ancient Greeks. So it's no surprise that it's happening today with all the cutthroat competition in the global tech industry. Let's take a brief walk through some of what's been happening with backdoors in the last few years so we can gain a picture of the scope of this threat and consider how we can respond to it as business owners and technology professionals.
NSA ANT Catalog
In 2013, the German magazine Der Spiegel published an exposé about an internal NSA catalog revealing that secret backdoors already existed for numerous corporate networking devices. The tech companies involved included major players in the industry like Juniper, Cisco, Dell, and many others, and the story was based on NSA documents supposedly obtained by former NSA contractor Edward Snowden. The Wikipedia article on the subject notes, however, that there was "nothing in the document that suggests that the companies were complicit," but many enterprise IT managers and directors are still scratching their heads over what this all might really mean for them and the businesses they manage and operate. Have other governments produced similar toolsets? Could they be available on the Dark Web? And do large networking vendors themselves produce similar tools for hacking into competitors' products, inserting backdoors the way the NSA-developed DEITYBOUNCE tool installs backdoor software on Dell PowerEdge servers via the motherboard BIOS and RAID controller?
Huawei and Adups
In many ways China has become the manufacturer for the world. While most Chinese tech companies are likely just as honest in their dealings as American and European ones (whatever that means), it should come as no surprise that some Chinese companies occasionally cross the line, either accidentally or deliberately. It was still news, nevertheless, when security firm Kryptowire recently discovered that some models of Android mobile devices manufactured by Huawei had firmware that collected users' personal data without their consent and forwarded it to servers somewhere in China.
A lawyer representing Huawei told The New York Times that the firmware was produced by Adups, a private company that "made a mistake" and that Huawei was in no way spying on U.S. citizens on behalf of the Chinese government. While some tech news outlets reported that the backdoor affected hundreds of thousands of mobile phones, other sites like The Hacker News claimed that the problem may be affecting as many as 700 million users worldwide (and followed this up later with even more bad news).
Regardless of the real scope of the problem, it has certainly brought to the forefront for many IT managers the possible risks of employing hardware manufactured in China and software developed by Chinese companies. These risks are discussed at length in an insightful TechTarget article by Joel Snyder.
SCADA
SCADA stands for Supervisory Control and Data Acquisition, and refers to software used in industrial and military environments for process control, real-time data collection, and controlling equipment and environmental conditions. The potential dangers of hacking SCADA system components are well illustrated in the opening scenes of the movie "Blackhat" directed by Michael Mann. Can SCADA systems have backdoors? This article from SCADAWIZ highlights the recent discovery of a backdoor in industrial network hardware running Rugged Operating System (ROS), manufactured by a subsidiary of Siemens. Like many vendor-introduced backdoors, this one may have been created merely for internal testing during the development stage and then forgotten when the final product was released. But backdoors in SCADA products can have devastating consequences if they are exploited, as the previously mentioned movie so clearly illustrates.
Microsoft Secure Boot
Having worked with many talented insiders at Microsoft over the years as both author and series editor for a number of books by Microsoft Press and several other publishers, I can honestly say I have tremendous respect for how seriously Microsoft takes security when it comes to their products and services. Nevertheless, mistakes do happen, as Wired reported recently when they noted that a backdoor had been left in Microsoft's Secure Boot implementation for Windows 8 and later: a debug policy that switches off signature checking, intended so that developers could test their software against Microsoft's implementation of the Secure Boot standard. Microsoft then "leaked" the key to this backdoor, a signed copy of that debug policy (dubbed the "golden key" in press coverage), and enterprise customers responded with panic because it meant Windows devices protected by Secure Boot could be unlocked by hackers.
This whole debacle is a great example of how software and firmware vendors need to establish clear guidelines in their development processes for ensuring that any and all "workarounds" (backchannels or backdoors) used for internal testing are clearly identified and removed before products are released to manufacturing. Of course Microsoft immediately tried to calm the waters by saying that the jailbreak technique identified in the security researchers' report "requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections," but who hasn't left their tablet or smartphone unguarded for a few moments at a coffee shop and ended up having it stolen?
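To make the design failure behind this episode concrete, here is an added toy example (written for this article; it is not Microsoft's code and does not describe its actual policy format). A vendor-signed boot policy carries a "test-signing" switch that turns off image signature verification. The vulnerable check honours that switch on every device, so a single leaked signed test policy unlocks all of them. The hardened check refuses the switch entirely in release firmware and, in debug firmware, only honours a policy bound to the device it was issued to. HMAC stands in for the real signature scheme, and every key, image, device name and field name below is constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the vendor's production signing key (example only, no real key material).
PROD_KEY = b"constructed-production-signing-key"


@dataclass(frozen=True)
class Policy:
    """A boot policy as a hypothetical firmware might store it (constructed format)."""
    disable_sig_check: bool      # the "test-signing" switch developers used for testing
    device_id: Optional[str]     # hardened policies are bound to one device; None = any device
    mac: bytes                   # vendor signature over the two fields above (HMAC stand-in)


def _policy_body(disable_sig_check: bool, device_id: Optional[str]) -> bytes:
    return f"{int(disable_sig_check)}|{device_id or ''}".encode()


def sign_policy(disable_sig_check: bool, device_id: Optional[str] = None,
                key: bytes = PROD_KEY) -> Policy:
    """Vendor-side: issue a signed policy (this is the step that produced the 'golden key')."""
    mac = hmac.new(key, _policy_body(disable_sig_check, device_id), hashlib.sha256).digest()
    return Policy(disable_sig_check, device_id, mac)


def policy_is_authentic(policy: Policy, key: bytes = PROD_KEY) -> bool:
    expected = hmac.new(key, _policy_body(policy.disable_sig_check, policy.device_id),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, policy.mac)


def sign_image(image: bytes, key: bytes = PROD_KEY) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def image_is_authentic(image: bytes, sig: bytes, key: bytes = PROD_KEY) -> bool:
    return hmac.compare_digest(sign_image(image, key), sig)


def boot_allowed_vulnerable(image: bytes, sig: bytes, policy: Policy, this_device: str) -> bool:
    """Vulnerable: the test switch is honoured on ANY device, release or debug build alike,
    as long as the policy itself carries a valid vendor signature."""
    if not policy_is_authentic(policy):
        return False
    if policy.disable_sig_check:
        return True                      # a leaked signed test policy unlocks every device
    return image_is_authentic(image, sig)


def boot_allowed_hardened(image: bytes, sig: bytes, policy: Policy, this_device: str,
                          debug_build: bool = False) -> bool:
    """Hardened: release firmware never honours the switch; debug firmware honours it only
    for a policy bound to this exact device, so a leaked policy is useless elsewhere."""
    if not policy_is_authentic(policy):
        return False
    if policy.disable_sig_check:
        return debug_build and policy.device_id == this_device
    return image_is_authentic(image, sig)


if __name__ == "__main__":
    good_image = b"constructed boot image v1"
    good_sig = sign_image(good_image)
    bootkit = b"constructed unsigned bootkit"
    no_sig = bytes(32)
    leaked_test_policy = sign_policy(disable_sig_check=True)     # not bound to any device
    print("vulnerable boots bootkit with leaked policy:",
          boot_allowed_vulnerable(bootkit, no_sig, leaked_test_policy, "retail-device"))
    print("hardened boots bootkit with leaked policy:",
          boot_allowed_hardened(bootkit, no_sig, leaked_test_policy, "retail-device"))
    print("hardened boots genuine image:",
          boot_allowed_hardened(good_image, good_sig, sign_policy(False), "retail-device"))
```

The point of the hardened variant is that the test capability is decided by which firmware build is running and by a device binding inside the signed policy, not by a flag in data that any device will accept once the vendor has signed it. A release gate that fails the build when `debug_build` artifacts reach the production channel is the process-level counterpart of the same idea.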
How to respond
I could go on and on giving examples of backdoors being found in computing and networking hardware and software, but let's draw to a close here by asking a simple question: What can I do to protect my business against such backdoors? The answer, of course, is that there's no secret pill that will fix or cure all backdoor illnesses. Instead, you need to think about living a healthy security lifestyle to prevent catching such diseases in the first place.
The way to live such a healthy lifestyle is straightforward. First, know the risks. This article is a starting point for raising your awareness of backdoors in information technology. Second, be informed. Subscribe to mailing lists from reputable security watchdogs like US-CERT, and don't just subscribe to their alerts: set aside a specific block of time each week to read them, even if it's only 15 minutes. Finally, keep things in perspective. There are many other risks your business faces besides backdoors, so periodically meet with experts in your organization or department, list and rank all the risks your company could be subject to, and then deal with them in that order.
And don't forget to take some time to do a bit of golfing on the weekend. It'll make a world of difference when you arrive at work on Monday and open your Inbox.