31

As the Apple v FBI battle unfolds, government backdoors will become a hot topic. As background to that, I have two questions:

  • Are there any known cases where governments have forced tech companies to introduce backdoors into their products? (I'm not talking about accidental security holes that governments have been able to exploit, nor am I talking about companies simply handing over unencrypted data in their posession.)
  • Are there any cases where a government backdoor have been exploited by other actors, or information on how to use it has become publicly available, thereby creating a serious security threat to the users of the product?

I am interested in examples from all around the world, both new and old. Basically what I want to have is examples to use as an efficient rebuttal to the argument "Well, a backdoor only the government knows about couldn't possibly hurt anyone."

Anders
  • 64,406
  • 24
  • 178
  • 215
  • 7
    These things are very hard to prove. Highly suspect case: https://en.wikipedia.org/wiki/RSA_BSAFE –  Feb 18 '16 at 09:39
  • 4
    Big LOL at "Well, a backdoor only the government knows about couldn't possibly hurt anyone." [Government employees lose laptops with sensitive data monthly.](https://www.techdirt.com/articles/20070212/130314.shtml) I am heavily suspect that they would treat this backdoor any differently. Ok, I'm done ranting. – MonkeyZeus Feb 18 '16 at 16:08
  • 1
    I once heard that the government managed to get a backdoor into PGP, but it seems to be a false rumor. Still, if you obtain your copy precompiled, you can't be sure it matches the publicly available source code (which has been thoroughly scrutinized by the encryption community). – Dan Henderson Feb 18 '16 at 16:10
  • Would appreciate some guidance on what makes this question to broad, and how it could be narrowed down. In essence it is two yes or no questions, together with a request for examples. Is it inherently OT to ask for examples, since there could be many? I think Steffen Ullrich answer shows that this question can indeed be consisly answered. – Anders Feb 18 '16 at 17:23

1 Answers1

46
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 3
    +1 for the export ciphers. Absolutely the first thing that came to mind before I even actually read the question. – Iszi Feb 18 '16 at 14:26
  • How does the Greek wiretapping case count as government backdoor? A spy (so it seems) managed to install rogue software because of phone operator's negligence, and possibly corruption. Greek government didn't mandate them to do it, nor did it force the operator to install the rogue code. – Dmitry Grigoryev Feb 18 '16 at 14:43
  • 1
    @DmitryGrigoryev the Greek government mandated that the ability to tap a line existed on the switch. The hacker installed their own illegal tap into the gov mandated backdoor – JRaymond Feb 18 '16 at 14:53
  • 1
    @JRaymond: it was actually more complex. The tapping interface is an international standard because all the governments like to tap some calls. This interface was not needed in Greece but since it was standard in the software it was still in the firmware although disabled. Somebody unknown enabled it and used it for tapping the calls. But in the end somebody used a backdoor which was added for the governments only. – Steffen Ullrich Feb 18 '16 at 15:04
  • @SteffenUllrich I believe a tap is conceptually different from a backdoor. If I break a server and steal the logs, will I be using a "backdoor" created by Debian? – Dmitry Grigoryev Feb 18 '16 at 15:25
  • 1
    @DmitryGrigoryev your analogy is not equivalent. The tap is a backdoor into the phonecall, it just so happens that they also breached a system to get access to the backdoor. – JamesRyan Feb 18 '16 at 15:55
  • 1
    @JamesRyan a backdoor has to be essential to gain access. When you install rogue software on a switch, you get all the access you need. You can just as well implement call routing yourself, the tap function here is merely a convenience which does call routing for you. – Dmitry Grigoryev Feb 18 '16 at 16:00
  • @DmitryGrigoryev: the tap functionality is a government mandated backdoor into a phone call. It is not simply a software feature to enhance the call because it is explicitly designed to be undetectable by the parties of the phone call. – Steffen Ullrich Feb 18 '16 at 17:07
  • @SteffenUllrich I didn't get that. Are you saying the tap functionality is not implemented in software? – Dmitry Grigoryev Feb 18 '16 at 17:17
  • @DmitryGrigoryev: Of course the tap is software. But it is not what I would call simply a software feature. Other backdoors are software too and I would also not call them simply a software feature, because they are only there because the government requested these backdoors. – Steffen Ullrich Feb 18 '16 at 17:21
  • @SteffenUllrich No, a backdoor is something that gains you access where you don't have access to otherwise. I don't see how tapping facility on a system under your control qualifies. `tee` is also software, and it can tap into pipes. Would you call it a backdoor? – Dmitry Grigoryev Feb 18 '16 at 17:31
  • 1
    @DmitryGrigoryev: I agree that a backdoor is something that gains you access where you don't have access to otherwise. Thus a tap is a backdoor into a call because without it the government would not have access to the call. It's not a backdoor into the switch, but a backdoor into the call. – Steffen Ullrich Feb 18 '16 at 17:49