
Backdoors are for Houses—Not Security

July 25, 2019
Attorney General Barr is only the latest to suggest that a “safe” backdoor should be added to products. That’s a very, very bad idea.


Security has finally found a place in embedded applications as the Internet of Things (IoT) continues to rise in importance. Hacked systems have been the bane of PCs and smartphones, even as developers try to deliver more secure systems. It’s hard enough to prevent attacks like ransomware without having to worry about backdoors.

These days, IoT solutions are hyping end-to-end security. This typically includes secure attestation, authentication, secure communication, and even secure updates. A lot of security layers and protocols are involved, and they’re designed to secure a system and possibly isolate any breaches. Knowing that a breach has occurred is useful information by itself when considering the overall security of a system.

A security backdoor is one that bypasses the normal security features of a system. It usually provides unimpeded access and possibly control of a system. This can be handy for debugging, and it’s often why developers include one, but backdoors should never be left in a shipping system. Unfortunately, many systems have been attacked through such a backdoor. Developers have often done very dumb things, like using simple, hard-coded passwords.

Granted, creating a secure backdoor could be possible, but it essentially places two security systems within a product. An attacker simply needs to bypass one of these to gain control. While the front door protection will usually be robust, the same can’t be said for the backdoor, which is also secret. Security through obscurity is generally a bad idea.

Anyone who knows anything about security will tell you that backdoors are an extremely bad idea. Those who ignore security experts will be in for very bad surprises.

Unfortunately, Attorney General William Barr is just the latest to call for backdoors. He said, “Don’t give me that crap about security, just put the backdoors in the encryption.” Forcing this through legislation has been suggested as well. It could only end badly.

Good security is built on layers that have been tested and designed to work together. The latest systems are designed from the ground up for security, starting with private encryption keys that never exist outside of the chip. Secure boot is simply the next step of the process. All of these security features, hardware, and protocols are designed to prevent specific types of attacks. There are many ways to attack a system, and it only takes one success to cause major headaches.

There are ways to provide hierarchical security within many systems, but that’s by design. Backdoors bypass this design. It will be even worse if a backdoor gets added after the fact.

Another problem with backdoor security is that those who feel secure because of the primary security system have been deluded. The premise for a backdoor is that the “good guys” can do things the “bad guys” will not know about. Unfortunately, that’s often not the case—the backdoor can be used for nefarious reasons regardless of who is controlling the backdoor. Gaining access by compromising a backdoor system or attacking a poorly designed one results in a system that’s not only hacked, but the security layers designed to isolate other attacks are completely bypassed.

The bottom line is that backdoors should not be included in any system, and everyone should understand why. There’s no secret sauce that will make a backdoor safe. Don’t let anyone try to convince you otherwise.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send to me along with a signed release form. 

Check out my blog, AltEmbedded on Electronic Design, as well as my latest articles on this site that are listed below.


I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Master's in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.

I still get hands-on with software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence.
