Revelations about NSA spying are old news and barely raise eyebrows now that the initial fervor has come and gone. In the information era, people seem to accept that information online isn't as private as it seems — but that complacency is a risky lackadaisy. Backdoor hacking built for justice can be exploited by cybercriminals. Just because some basic spying has been deemed innocuous doesn't mean all monitoring activities are created equal. And with the recent news about alleged backdoors inserted into widely distributed software, it's time to take a look at the reality of this very real means of software manipulation.
The presence of so-called backdoors in various operating systems and applications is widely debated. Some people claim that's simply a paranoid conspiracy theory, while others, as evidenced in this article in The Intercept, assert declassified documents provide evidence that security researchers claim to have "created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool." This is where the concerns begin.
No longer is this a question of paranoia or nanny-state tyranny — it's now a too-real acknowledgment of a largely unaddressed hacking methodology. The article goes on to explain, "The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could 'force all iOS applications to send embedded data to a listening post.'"
The logistical question of how to push the modified version of Xcode to development shops is a real one, but it's also naïve. To lean on a distribution issue as the last line of defense against a style of attack with devastating consequences is wildly irresponsible. Instead, it's important to reconsider the implicit trust of not only completed applications, but also the software used to develop them. It may sound like a broken record, but the refrain "trust no one" is apt in modern software security. Trust must be earned every single time, as even the most secure developer can, theoretically, fall victim to a modified development platform that builds invisible vulnerabilities into its products.
Part of the report on government programs plainly states the reality that "Apple and other tech giants are loudly resisting pressure from senior US and UK government officials to weaken the security of their products." Again, this is not really a government issue: It's a question of application security. A wall is not nearly as safe with a door in it, even if the police are the only ones with keys. Doors are easier to break through or bypass than solid walls. And hackers are adept at picking locks and creating skeleton keys. Products with special security access for government agencies are easier to defeat than those without backdoors.
Making provisions for security agencies also opens the door to backdoor hacking. When considering responsible software development, it's imperative to consider the relative benefits of government cooperation and weakened defenses. And whether these backdoors are built in by agencies that mean well or by malicious hackers, they will ultimately be exploited by hackers. The reality is that if there's a way into something protected by a wall, a (cyber)criminal will want to know what's inside.
The latest report issued about backdoor searches by the CIA, FBI and NSA stated a relatively tiny number of Americans were subject to these warrantless searches. Though it only takes one person to perpetrate damaging crimes, it is also true that the threat of one person should not outweigh the massive cybersecurity threat posed by building in vulnerabilities under the guise of national security.
Backdoors pave the way for malicious hackers to hack data on virtually everything and from virtually everyone, including the very government agencies that claim they are leaning on these special access points to consumer-facing software. You've heard about the potential damages inflicted by cybercrimes — now imagine the potential devastation of hackers gaining access to every backdoor-equipped device. The trade-off does not seem reasonable.
The real takeaway here is not to panic about what data the government is accessing, but to educate yourself and prepare for the reality that at some point, some hacking organization will develop a backdoor-hacking technique that grants them access to a staggering array of applications and data. Two-step authentication processes can go a long way toward preventing backdoor entry by keylogging, since getting through one door does not guarantee getting through the second.
But looking beyond defense by brute strength, it's important to consider smart development techniques for an increasingly crazy world. Though malicious hackers or overzealous government organizations might be able to push covertly flawed versions of application development tools, they cannot trick comprehensive application security into skipping critical steps in the penetration testing and source code evaluation processes. If backdoors are built into obscure lines of code, then they can easily be overlooked in the development process. And, as you know, the testing burden is falling on software users instead of developers more than ever before.
To maintain a safe enterprise, it is critical to think differently about all potential vulnerabilities. The news about government agencies should not inspire paranoid hysteria, but it should open a dialogue about backdoor hacking that goes beyond its intended purpose.
Whether backdoors are ever explicitly or implicitly permitted is irrelevant. What is clear is that they are a viable way for malicious hackers to gain access to critical information. The good news is the government accidentally made the public aware of this threat before it became the latest rampant problem in AppSec. Software developers and consumers alike face an ever-growing list of threats. The only way to mitigate concerns about threats becoming catastrophic is to keep an open dialogue and vigilant application security across industries.
For more information on how to prepare for a vulnerability disclosure, check out this whitepaper.
Photo Source: Flickr