15

Has there ever been a software program that has been shown to have an in-bad-faith "backdoor" allowing privileged access? When I say "in bad faith" I mean, "that cannot be credibly explained by incompetence."

At SD Times, we received a letter today that included the claim:

Many developers and organizations include flaws quite consciously to allow government intelligence and law enforcement as well as other purported stakeholders (usually copyright and software-patent vigilantes) multiple layers of to access end-user systems. In a community propagandized to believe it is incapable in standard cases of producing functional products without potentially catastrophic defects, "bugs" provide ready deniability and misdirection on the uncomfortable subject of backdoors.

I'm not talking about extra admin accounts or developer-known-but-uncorrected SQL injection or buffer overflow vulnerabilities or logfiles that record sensitive data (all of which are certainly problems and might be maliciously placed); I'm talking about an obscure codepath that is triggered by up-up-down-down-left-right-left-right-b-a-start or somesuch (and which, unlike a videogame cheat code, is unknown to the application's producer).

While I am certain that bad actors exploit vulnerabilities, are there cases where it's certain that the vulnerability was intentionally introduced?

Larry OBrien
  • A well known story http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php – Dr. belisarius Sep 28 '11 at 00:05
  • @belisarius, just so we are clear: *story* is the key word in that article. – Oddthinking Sep 28 '11 at 01:15
  • @Oddthinking That is a true story. You can find references (by the backdoor makers) all over the web – Dr. belisarius Sep 28 '11 at 10:21
  • **I am about to make this CW because it's a list question.** I will wait 1 hour for objections here--until 14:00 UTC. – Sklivvz Sep 28 '11 at 12:51
  • @belisarius: At the risk of belabouring the point, I want to make clear what I am saying, in case we are misunderstanding each other: Ken Thompson gave a famous speech upon receiving an award titled "[Reflections on Trusting Trust](http://cm.bell-labs.com/who/ken/trust.html)". In the speech, he described inserting a trojan horse in the C compiler and the login command. I claim that was merely an interesting mental exercise, and he never actually carried out these actions (nor intended people to believe he did). If you think I am wrong, let's make it a new Skeptics.SE question. – Oddthinking Sep 28 '11 at 13:14
  • @Sklivvz, I don't think it was originally intended to be a list question. (It can never be a definitive list, so I wonder what the value is.) What if we make my answer CW, and merge in the other answers to make one list, rather than the question? – Oddthinking Sep 28 '11 at 13:16
  • @Odd http://skeptics.stackexchange.com/questions/6386/was-the-c-compiler-trojan-horse-written-by-ken-thompson-ever-distributed – Dr. belisarius Sep 28 '11 at 14:49
  • 2
    I think this is a bad question for skeptics. It is hard to believe that the op is really skeptical that developers would create ways for them to get into their system. Some are created because we know someone will do something stupid and get locked out and we need a way back in to fix it. Some are created maliciously and some are created by design as part of the program. Not to mention that there are laws requiring backdoors for export of certain technology. This is not just a list question, it's a tell your favorite story question. – Chad Sep 28 '11 at 17:38
  • As discussed with @Sklivvz, I have tried to make one master (Community Wiki) answer to hold all the examples people feel need to be mentioned. Feel free to add another answer if you have an approach which isn't just listing more instances of detected backdoors. – Oddthinking Sep 29 '11 at 01:58
  • 1
    @Chad, I think it is reasonable for the public to (wrongly) assume that developers have codes of conduct which require work to be audited by others, and to not contain backdoors (even with good intention, to protect against stupidity) that could be used maliciously against them (by developers or others). Further, any "backdoors" (may be the wrong term) that may be made available to authorities under legally-required situations should be disclosed beforehand. We need to protect ourselves from ne'er-do-wells both inside and outside positions of authority. (Continued) – Oddthinking Sep 29 '11 at 02:06
  • The fact that none of these assumptions are true makes it interesting from a skeptical perspective. Agreed, though, that "tell your favourite story" is not what we need. – Oddthinking Sep 29 '11 at 02:06
  • @Chad - That's what the close button is for. – going Sep 29 '11 at 02:48
  • @xiaohouzi79 technically, it's a link ;-) – Sklivvz Sep 29 '11 at 09:47
  • @Oddthinking - I understand and if it was specific to a program or the link about the Trojan then it would be viable. Maybe my problem is this is an overly broad question. – Chad Sep 29 '11 at 12:40
  • @Chad: I assure you that my question was intended honestly, not as a "tell your favorite." It's not at all a sure thing that "developers would create ways to get into their systems" beyond admin accounts and without disclosing it to their clients. Doing so is clearly unethical, unprofessional, and almost certainly illegal. – Larry OBrien Sep 29 '11 at 18:07
  • @Larry - Creating the back door is not illegal. Using it may or may not be illegal. There are legitimate reasons for back doors. And if you intend to crush a grape to make wine by driving full speed into a group of people in front of the grape it is still vehicular homicide. – Chad Sep 29 '11 at 18:18
  • 1
    "There are legitimate reasons for back doors." That are not disclosed to the clients? I strongly disagree. – Larry OBrien Sep 29 '11 at 19:17
  • For the record: I was wrong (and @belisarius was right) about [whether the Ken Thompson Trojan Horse was ever written](http://skeptics.stackexchange.com/questions/6386/was-the-c-compiler-trojan-horse-written-by-ken-thompson-ever-distributed). – Oddthinking Sep 30 '11 at 01:25
  • @Larry - Yes putting in a back door to allow you access even if the customer locks himself out so that you can rescue them. There are other reasons too. Most of the time you can cover it with a standard terms of service and licence agreement. – Chad Sep 30 '11 at 17:13
  • I'm not aware of any smoking guns, but there is strong circumstantial evidence that various three letter agencies have infiltrated router manufacturers specifically to emplace secret back doors unbeknown to their makers. – Paul Johnson Aug 23 '18 at 11:30
  • There have been cases of deliberate back doors put into software for all kinds of reasons. And EVERY TIME it comes to light the developer of the software in question takes a massive reputational hit. – GordonM Aug 27 '18 at 10:04

2 Answers

21

Are Lawful Interception Features considered "flaws" or "backdoors"?

Many developers and organizations include flaws quite consciously to allow government intelligence and law enforcement as well as other purported stakeholders (usually copyright and software-patent vigilantes) multiple layers of to access end-user systems.

There is a misclassification here. To describe deliberate law-enforcement features, openly developed to meet legally-imposed requirements, as "flaws" does a disservice to the developers involved.

In the United States, the Communications Assistance for Law Enforcement Act of 1994 legally requires telecommunication carriers, manufacturers of telecommunications transmission or switching equipment and providers of telecommunications support services to co-operate with lawful interception of communications.

Any such requirements can only increase the "surface area" involved for vulnerabilities, but it is cynical to assume that they are necessarily exploited in all cases.

Have there been any deliberate backdoors?

Yes, there have been plenty of instances of deliberate backdoors discovered.

Here are a few examples:

  • Static Detection of Application Backdoors, Chris Wysopal, Chris Eng, Veracode, Inc.

    Borland Interbase 4.0, 5.0, 6.0 was discovered to have a special credential backdoor in 2001 shortly after the software was open sourced. The special credentials, username “politically” and password “correct”, were inserted into the credential table at program startup. The support for user defined functions in the software equated this backdoor access with system access. The backdoor went undetected for seven years.

  • Attempted backdoor into Linux discovered

  • Backdoor(s) in HAL BBS for the Commodore 64 (Caution: self-citing.)

  • GSM Network encryption deliberately easy to break [Ref: 1, 2] All of this is apart from the fact that, once out of air, most telephony networks even work without encryption. See, for example, this report on wiretapping:

    Since 2002, the annual wiretap report has included a curious statistic: the number of times law enforcement encountered encryption on an authorized tap, along with the number of times that this prevented them from getting the evidence they were seeking.

    ...

    But not so fast: the latest wiretap report identifies a total of just six (out of 3194) cases in which encryption was encountered, and that prevented recovery of evidence a grand total of ... (drumroll) ... zero times. Not once. Previous wiretap reports have indicated similarly minuscule numbers.

  • Routers seem to have lots of them, both home routers and enterprise routers. They appear to be a favourite amongst intelligence agencies because a compromised router is a gateway into the traffic on an internal trusted network, which is often not encrypted. The Juniper Firewall back door was particularly sinister because it involved the choice of "Q" value in an encryption scheme promoted by the NSA. In effect Q is a secret key for the entire encryption scheme, so to exploit it you would also need the ability to intercept the encrypted traffic.

Please add any additional examples here


If your answer is merely another example of a backdoor, please add it to this answer rather than hiding other approaches in the noise. This answer has been marked Community Wiki; I am not getting any reputation for it.

Paul Johnson
Oddthinking
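A sketch of the kind of static check the Veracode paper's title refers to, applied to the Interbase-style pattern quoted in the answer above (credentials seeded into the credential table at startup). This is an added example, not code from the paper or from any answer on this page; it scans Python source with the standard `ast` module, and the sample module, its function names and the `maint`/`letmein` pair are constructed for illustration.

```python
import ast

# Constructed sample (hypothetical code): a login module that seeds a
# credential table at startup and short-circuits on a literal user name.
SAMPLE = '''
CREDENTIALS = {}

def startup():
    load_users(CREDENTIALS)
    CREDENTIALS["politically"] = "correct"

def check_login(user, password):
    if user == "maint" and password == "letmein":
        return True
    return CREDENTIALS.get(user) == hash_password(password)
'''

CRED_HINTS = ("user", "login", "pass", "pwd", "cred", "secret")

def _is_cred_name(node):
    """True if node is a variable/attribute whose name suggests a credential."""
    name = getattr(node, "id", None) or getattr(node, "attr", None) or ""
    return any(h in name.lower() for h in CRED_HINTS)

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def find_literal_credentials(source):
    """Return sorted (line, kind, literal) for each hard-coded credential pattern."""
    findings = []
    for node in ast.walk(ast.parse(source)):  # parsed only, never executed
        # Pattern 1: credential-named variable compared with a string literal.
        if isinstance(node, ast.Compare) and len(node.ops) == 1 \
                and isinstance(node.ops[0], (ast.Eq, ast.NotEq)):
            left, right = node.left, node.comparators[0]
            for var, lit in ((left, right), (right, left)):
                if _is_cred_name(var) and _is_str(lit):
                    findings.append((node.lineno, "literal-compare", lit.value))
        # Pattern 2: literal key and literal value stored in a credential table
        # (tgt.slice is the key expression itself on Python 3.9+).
        if isinstance(node, ast.Assign) and _is_str(node.value):
            for tgt in node.targets:
                if isinstance(tgt, ast.Subscript) and _is_cred_name(tgt.value) \
                        and _is_str(tgt.slice):
                    findings.append((node.lineno, "seeded-entry", tgt.slice.value))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_literal_credentials(SAMPLE):
        print(finding)
```

The name hints are a heuristic: a check like this only surfaces candidates for review and will miss credentials that are obfuscated or assembled at run time.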
  • Support service to co-operate w/ lawful interception != backdoor. I don’t see this as a misclassification, and calling it that is very, *very* misleading. A backdoor is a class of security vulnerability. Handing out data (active, not passive) upon court request is *not* a priori a security vulnerability. – Konrad Rudolph Sep 28 '11 at 09:31
  • @Konrad, I *think* we are in agreement. The original quote appears to describe co-operating with the government as a "flaw". I say that is not fair. I think you agree. The original quote then goes on to accuse developers of blaming bugs rather than admitting they have inserted such interfaces; I don't see any evidence of this. The original quote calls such interfaces a "backdoor", which you say isn't the right word, and I say probably isn't the right word depending how one defines it. – Oddthinking Sep 28 '11 at 13:24
  • 2
    In context the “flaw” seems to refer to a backdoor. To be clear: a backdoor *is* a flaw, both for security and for civil rights. Even when co-operating with the law, a software must not give blanket access to some government agency. I realise that the USA is quite messed up with regards to civil rights (sorry, my impression from browsing reddit) but even there this is clearly illegal and anti-constitutional, right? – Konrad Rudolph Sep 28 '11 at 13:30
  • @KonradRudolph IANAL but I don't think the provisions required by the CALEA law are non-constitutional. The idea is that when law enforcement is authorized (according to the normal process) to conduct, say, a wiretap of a cell phone, the phone company must be able to provide that wiretap and can't say "well, the digital system doesn't allow it, sorry". Essentially the technology is not non-constitutional and the requirement for its existence doesn't seem to be problematic. However, clearly the US government HAS violated the constitution with the warrantless tapping. – Mr. Shiny and New 安宇 Sep 28 '11 at 17:42
  • 1
    I actually implemented CALEA for US mobile phone systems. A core concept is the traced list. Authorized parties(e.g. FBI) must submit a list of numbers to the phone operators, together with matching warrants. CALEA does not give access to communications unless they "involve" a party on that traced list. ("involve" because conference calls have complex rules) – MSalters Sep 29 '11 at 13:58
  • Would the NSA installing tapping circuits/software into Cisco routers count? While one may argue the legality of NSA doing this in the US it is certainly illegal in the jurisdictions of some of the users of the routers (users in China, Russia etc.). – slebetman Aug 24 '18 at 10:03
0

The most infamous case was the alleged FBI backdoor in OpenBSD's IPSEC stack. However, it was never proven beyond doubt that it actually existed.

vartec
  • 2
    Your link description is incorrect. The title of the article is 'FBI accused of planting backdoor in OpenBSD IPSEC stack'. The article talks about an accusation, not a proof. – Boris Sep 28 '11 at 12:02
  • 2
    Boris is correct, and -although quite a lot of eyes have looked at the code afterwards- nobody found a proof. – johanvdw Sep 28 '11 at 12:38