A Tale of Three Backdoors

Nicholas Weaver @ Lawfare gives us the story of three security backdoors:

Telephone systems also have a backdoor thanks to CALEA (the Communications Assistance to Law Enforcement Act).  Although CALEA doesn’t mandate any particular technology, it mandates that switches support wiretapping, so any phone switch sold in the US must include the ability to efficiently tap a large number of calls.  And since the US represents such a major market, this means virtually every phone switch sold worldwide contains “lawful intercept” functionality.  Yet this capability doesn’t just find use in law enforcement.

In the “Athens Affair” beginning in 2004, some unknown entity compromised Vodafone Greece.  This team of skilled attackers surreptitiously enabled the lawful intercept functionality on Vodafone’s switches and then used their backdoor access to wiretap the cellphones of prominent Greek politicians and NGOs, including both the Minister of Defense and the Prime Minister.

We need to assume that, if someone can perform such an attack against Vodafone, others can (or already have) used the same strategy against Verizon or AT&T.  So in the CALEA backdoor we have introduced a weakness into our telephone systems which attackers can exploit with significant national security implications[.]

That’s just one of the backdoors.

I’ll note, as a software engineer, that many systems have sections of code that – like junk DNA (it’s a loose analogy, actually, but I like the phrase) – are no longer used nor useful, and no longer updated.  They are conceivably vulnerabilities, if someone understands how to manipulate them.  Why do they exist?  Commercial pressures.  While some software engineers conceive of programming as an artistic form, and many more have that temperament, it’s gotta be a rare company that’ll pay to have someone go through code just to clean it up.  An artist who conceives of the system as a whole and finds the unused material aesthetically repulsive would do this; an engineer who, perhaps, doesn’t have quite the vision, and certainly not the motivation, will move on to the next project.

I surmise that working on such a backdoor – minus any associated ethical problems – would be a fascinating exercise in positive feedback.  Nicholas notes:

We have a difficult enough time building secure systems without backdoors, and the presence of a backdoor must necessarily weaken the security of the system still further.  With the dreadful history of backdoors, it’s little wonder most security professionals believe building backdoors right is practically impossible.


About Hue White

Former BBS operator; software engineer; cat lackey.
