Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Backdoors: When Good Intentions Go Bad

Requiring encrypted applications to provide backdoors for law enforcement will weaken security for everyone.

Whenever bad things happen where perpetrators had used encryption, the topic of government access to encrypted data turns into a heated debate. 

The latest example comes on the heels of the horrible terrorist attack near the Palace of Westminster in London, where there was evidence that the perpetrator had used WhatsApp, an encrypted messaging program, possibly to communicate with accomplices. UK Home Secretary Amber Rudd raised the government access issue, saying "… on this situation we need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp." 

In the US, this was reminiscent of an earlier high-profile attack in San Bernardino, California, where one of the shooters possessed an iPhone with encrypted data. In the aftermath, FBI Director James Comey lamented, "if the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place." These leaders share a clear message: the technology community should be designing products that make encrypted communications accessible to the government when necessary.

Legal Yet Vulnerable
What could possibly be wrong with helping law enforcement use legal means to catch terrorists? If technology can hide communications, can't technology be used in a legal and safe way to reveal critical information when people's lives are at stake?

Unfortunately, the answer is that these requests for access to encrypted information creates "backdoors" that can make all citizens vulnerable to attack. A backdoor in security is a way for an entity (like the government) to access encrypted information. Protecting data using encryption involves creating an encryption key, which is the equivalent of the key to the lock on the front door of one's house. The idea of a backdoor is to provide another key so that law enforcement can enter the house if necessary. Just as the backdoor to the house will open for anyone – friend or foe – with the correct key, an encryption backdoor can make users' information accessible for both good and bad purposes.

Here’s why backdoors are such a bad idea:

Bad guys can easily circumvent backdoors. Really good encryption technology is available in the public domain. It can be easily downloaded over the Internet, and it's widely available around the world. If a government were to mandate that an encrypted application have a backdoor, the bad guys would simply choose to use one of the many widely available alternatives without a backdoor. It wouldn't be any easier to decode bad guys' communications than it is now. 

Good guys will be vulnerable. That's because hackers will ultimately breach backdoors. Mandated backdoors will make law-abiding individuals less secure because the potential for hackers to get the keys to these backdoors will compromise everyone's information. These risks are not just theoretical; backdoors have been breached many times. For example:

  • According to an IEEE article, for ten months starting in 2004, 100 senior members of the Greek government (including the Prime Minister) were illegally wiretapped by hackers who breached a mandated backdoor built into the telephone network owned by Vodafone Greece.
  • According to the Washington Post, a list of surveillance targets of the US government being monitored by Google through a backdoor was breached by Chinese hackers, presumably for counter-intelligence purposes. The hackers in this case didn't try to get the database from the government; they got it from a mandated Google backdoor instead. The breach may have enabled the Chinese to learn which of their agents were known to the US.  

Technology's Not the Answer
Can't this problem be solved with more innovative technology or better access procedures? Some of the world's best computer security experts who have been studying the problem for the past two decades don't think so. They published a thought-provoking analysis of the topic in an MIT paper titled, "Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications."   

The experts noted that "the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago." After examining both the technology and policy implications, they conclude "the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law."

Since the invention of encryption decades ago, various proposals have been made to limit the technology so that it's accessible to law enforcement. And each time the proposals have failed for the same reason: government-mandated backdoors lead to a world where law enforcement can't catch any more bad guys, and the good guys are more vulnerable. The same backdoor designed for law enforcement can be and will be exploited by others with sinister motives.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Randy Battat, Founder, President & CEO at PreVeilRandy Battat is founder, president and CEO of PreVeil, the application for end-to-end encrypted email, file sharing and storage for people and organizations that want to protect their data. Before PreVeil, Randy was president ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
anon1926348756
100%
0%
anon1926348756,
User Rank: Author
5/8/2017 | 11:21:38 PM
Where do you draw the line?
If a backdoor is provided to one goverment then others will want it too.  That increases the risk that one or more of those goverments can be hacked and the secret stolen.  Or simply a rouge goverment may chose to use or leak it, which is clearly not without precendent.  As tempting as it is for law enforcemet to demand this it is hard to see where you then draw the line.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...