Cybersecurity Winds of Change Bring the Same

I remember when a famous cybersecurity data eraser was discovered to contain a backdoor that was being actively used in the wild, and when Lenovo was blacklisted by the US government after its firmware was discovered to be sending unknown data to China. So it is no surprise that a current network security tool has been found to contain a maliciously included backdoor. What is surprising is that the initialization of the backdoor isn’t more advanced.
In the rest of this post let’s consider a notional backdoor in a notional phone platform. Let’s call the notional phone platform the iCone. If an advanced threat (such as a nation state or rogue tech manufacturer) wanted to insert a backdoor into an iCone, the actor might add the malicious code to a software update. So far, standard supply chain attack practice. The backdoor might be programmed to initialize only when a device-specific code is received (perhaps via a malicious update, perhaps via a malicious signal from a stingray). Once initialized, the backdoor could use an inconspicuous module or agent to covertly move data or request commands. In our iCone the specific module or agent might be some kind of “keyvalueservice”. If this service is naturally used by the iCone to move sensitive data (such as backing up user passwords and secrets), the extra data will go undetected. Let’s imagine this backdoor grants system/root-level access, which disables any indicators of camera or microphone activity, permits taking screenshots, and permits unrestricted access to all applications and data on the device. Because the backdoor in this service is only initialized explicitly (manually or through automation), the iCone can be targeted for explicit monitoring of an individual or activated as a wider net for less directed efforts. The more iCones, the better the data. This technique might be especially appetizing for mass surveillance, for covertly circumventing encryption in regions where that might be the best way to conduct investigations unimpeded by the legal system, or simply for monetizing humans’ every datapoint for better ad targeting and tracking. Yes, this is a notional backdoor, but it is based on historical backdoors that have been used in the manners indicated. The initialization aspect is the only element that has not been seen in the wild thus far.
Large tech firms have offered backdoors (usually by other names, such as ‘compatibility monitoring’, ‘user analytics and monitoring’, or ‘third-party sharing for operability [or functionality]’) for quite some time.
Supply chain backdoors are getting more sophisticated and aren’t just targeting businesses (or governments) through standard practices. There needs to be a better way to validate the integrity of manufacturers’ code to prevent continued abuses. If every endpoint (human) is compromised there is no need to compromise the enterprise, so I suspect end-device backdoors will be the ‘hot vector’ of the future. Nonsensical post about backdoors and notional backdoors over. . . Ramble, ramble, ramble, grumble, goodnight.