Gaining Access to Backdoors

Compliance Challenges and Unrealistic Budgets
March 10, 2020
Bounty Programs
March 10, 2020

Gaining Access to Backdoors

While they sound malicious, backdoors aren’t necessarily bad.

While they sound malicious, backdoors—purposely programmed entry points to access the inner workings of an app, operating system, device, or network, meant for internal usage or in cases of extreme extenuating circumstances—aren’t necessarily bad.

Often, developers intentionally install them into firmware so that manufacturers can safely upgrade our devices and operating systems. But backdoors can also be used surreptitiously to access everything from our webcams to our personal data.

Backdoors have been a recurring issue for Apple, which has had a history of disagreeing with the U.S. Department of Justice over unlocking iPhones.

In 2019, after a deadly shooting involving Mohammed Saeed Alshamrani at the Naval Air Station in Pensacola, Florida, U.S. Attorney General William Barr asked Apple to help unlock two iPhones that were used by the gunman. Apple refused, and the government pressed further—but ultimately, the FBI already had the tools necessary to break into the phones. The incident was reminiscent of another shooting that pitted the FBI and Apple against each other. In the wake of the deadly San Bernardino attack in December 2015, the FBI and Apple found themselves debating so-called “backdoors” in public. The FBI demanded that Apple unlock the assailant’s phone, and Apple refused, arguing that creating a software update to allow a backdoor would endanger the privacy of all iPhone users.

It’s a debate that was never settled—and we’ll likely see more cases pitting government agencies against big tech companies in the years to come. Given the rise of zero-day exploits, we should question whether backdoors are the best way forward.

Government officials worldwide have been advocating for a set of “golden keys,” which would allow law enforcement to bypass digital security measures using backdoors. But even without public agreement, some agencies may find their way into our machines. In 2013, the U.S. National Security Agency made a deal with security company RSA to include a flawed algorithm in their product, effectively giving the NSA a backdoor into various systems.

The challenge is that the simple act of creating a backdoor would leave ordinary people vulnerable to everyday attacks by a wide swath of malicious actors.