I found that the company I work for is putting a backdoor into mobile phones

Question

I have found out recently that the remote assistant software that we put in a smartphone we sell can be activated by us without user approval.

We are not using this option, and it is probably there by mistake. But the people who are responsible for this system don't see it as a big deal. Because “We are not going to use it”…

Am I wrong for going ballistic over it?

What would you do about it if it was your workplace?

This question was IT Security Question of the Week.
Read the Jun 16, 2012 blog entry for more details or submit your own Question of the Week.

Answer 1

Just because they won't use it, doesn't mean someone else won't find it and use it.

A backdoor is a built-in vulnerability and can be used by anyone. You should explain that doing something like this is very risky for your company. What happens when some malicious attacker finds this backdoor and uses it? This will cost your company a lot of time and money to fix. And what will your company say when people ask why the software contained that backdoor in the first place? The company's reputation might be damaged forever.

The risk is certainly not worth having it in the code.

Answer 2

If you've informed decision-makers and they've decided not to do anything about it, then by definition your company is knowingly shipping a product with a serious security vulnerability. (And, I assume, hiding it from their customers.) This is a very serious matter. What's the worst that a malicious person with access to this backdoor could do? If it's bad enough, I would go to the FBI about it. (Or whoever has jurisdiction over computer security if you're not in the US.)

If your company knows about the problem and doesn't care, then exposing it is the only ethical course of action. And if they attempt to take retaliatory action against you, you may have legal recourses available, depending on the circumstances and the laws where you live. (Talk to a lawyer about that if you think it might apply in your case.)

Answer 3

Please, pardon my cynicism, but this isn't the first and won't be the last backdoor we see in our legitimate, hardly-earned apps and devices. Just to refresh our memory, we can start from the most recent one, the new Amazon's Big Brother Kindle [1][2].

But we have an entire plethora of backdoored software and services, such as PGP Disk Encryption [3][4], ProFTPD [5] or Hushmail [6], to name a few.

And don't forget the OSes: M$ is always ahead with its NSA_KEY [7][8], but also OpenBSD [9] and the Linux kernel [10] can't be considered 100% safe. We also have paid attempts to gain a backdoor access to Skype by NSA [11], that, however, has been assessed as "architecturally secure" [12].

Moving down to firmware, nowadays we are almost acclimatized in having people from our ISP that are able to watch inside our routers (yes, maybe even see our beloved WPA password), but these [13][14][15] can surely be considered as backdoors too!

Finally, a few considerations on hardware and BIOSes [16], and (this is both funny and somehow dramatic) EULAs [17][18], because also lawyers have their backdoors.

Ok, given this preamble, I'll try to answer to the question briefly. No, you're not wrong getting mad for this thing, but you should focus your anger on the correct motivation. You should be angry because you lost a piece of trust towards the company you work for, not for the fact of the backdoor itself (leave this anger to the customers).

And if I were you, I'll just be very cautious. First, I'll make really really sure that what I saw was a backdoor, I mean legally speaking. Second, I'll try in any way to convince the company to remove the backdoor.

You probably signed a NDA [19] with your company so your question here could be already a violation. However I don't know where the NDA ends and your state law begins (it could be even customer fraud), and probably, due to the technicality of the subject only a highly specialized lawyer could help you with this matter. So, if you want to proceed, before doing anything else, even talking to the authorities, you should hire a very skilled lawyer and be prepared to lose a lot of time and money, or even the job.

Answer 4

If they don't see it as a big deal, you're not asking them the right question. The question to motivate action on this isn't "is this right?" but "what happens to us when somebody finds and publishes this?" Whether you're a big or small company, you're looking at serious damage to your reputation and all the bad things that go along with it if someone outside the company discovers this before you fix it.

Fixing this issue isn't just ethical, it's essential for your company's survival. It's far, far better to fix it quietly now than a week after all your users and customers have left you because it was revealed by some online journalist.

Answer 5

You should seriously consider going to some governmental or regulatory authority with this, just to protect yourself.

Imagine this scenario:

1. You inform management about the backdoor. Now they know you know.
2. Evil Hacker ZmEu finds out about the backdoor, and puts something on pastebin.
3. Your management finds out about Evil Hacker ZmEu's pastebin.
4. Your management blames you, and fires you for cause, over your protestations of innocence.

Most security vulnerabilities get discovered multiple times. You won't be the only one to find it, you'll just be the most obvious one to make a scapegoat of.

Answer 6

It's ok, people will still buy the iPhones your company makes - your secret is safe. ;)

If it was my workplace, where I'm employed as a security analyst, I'd accept that my job is to identify and communicate risk; it's up to the business to accept the risk. I can not accept risk personally, so my only real option is to ensure that I've communicated the level of risk in the proper forum to the best of my ability. So, if you are employed at a level where you can accept risk, then it's up to you to decide whether or not this is OK. Based on the post, however, you are not at a level where you can accept risk on behalf of the company. So all you can probably do is communicate the risk in a way that the business area can understand, and then let the business area make an appropriate business decision using all of the information available to them.

The thing you do have control over is accepting the risk to yourself posed by working for a company which makes decisions which you think are bad. Your available means of mitigating that risk are documented at Monster.com and friends. :)

Answer 7

Before the smartphone area it was a standard feature of all mobile phone to have backdoors. The GSM protocol allowed the base station to update the phone software. http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html is a good talk about how crazy the security scheme has been.

As far as I know no one of the companies involved in creating GSM got into any legal trouble about the affair. Government agencies like the NSA liked the fact that they had backdoors. At the moment there are people inside the government that want to mandate backdoors for every communication platform.

I think there a good chance that the backdoor exist because some other entity like the NSA wants it to be there. If people higher up in your company made a deal with the NSA they probably won't tell you when you come them to complain about the backdoor.

For all you know it could be the Mossad that's paying your company to keep the backdoor in the software.

A clear backdoor into a modern smartphone is probably worth 6 figures or more on the black market. An employee could sell it or could have been specifically payed to put it there.

On the other hand if the backdoor really just exists because the higher ups in your company are to ignorant than you might be able to explain to them it it's a serious issue.

Answer 8

You have a professional responsibility and an ethical responsibility to ensure this is addressed, IMO. And you've stepped into a minefield. Protect yourself. Watch your step. Go slow. Think defense-in-depth. I successfully solicited a whistleblower, who has been able to maintain anonymity. The solicitation included advice on maintaining anonymity; take a look.

Check you're not re-blowing the whistle on something already known - like the Carrier IQ stuff. Sending written notification to corporate counsel could go a long way to getting the problem addressed - e.g. via an anonymous email account so you can have 2-way communication. Also: Look at archives of the now-dead Wikileaks:Submissions page I referenced.

Whistleblower.org has good info for you, even though it's government-focused.

Addendum: Have you looked through the source code version control logs to see who put the backdoor in?

Answer 9

Treat it as a security vulnerability you have discovered and report it to to, for example, CVE. Anonymously if you wish.

Answer 10

Your reaction is sound, and on a gut instinct level means that you care about one or more of: your customers' privacy, your company's public image, your codebase's quality, your own skin.

In my workplace, I would be senior enough to know it a security bug (and not there by company intent, or mandate from the government) - and remove it. It sounds like this doesn't apply in your case, though.

If you can trace "we are not going to use it" to "we put it there for our own use, but don't need it" you can probably describe to someone high enough in the organization the dangers it poses to the company when it shows up on bugtraq / gets used for nefarious purposes by some third party, which is likely to happen if your smartphone is popular, common and valuable enough (as a target - which may translate to "used by important enough people") to attack.

If you can trace it to "it's there by government mandate" or similar, you might want to insist on internal documentation to that effect, so you can at least leave it be and know that you've done what you can to protect your company, and save other skilled coworkers of yours from the dilemma you find yourself in, as a matter of good code maintenance practices. (And ponder your options about working in an industry making tools that both serve and sacrifice their owners, if this feels deeply demotivational.)

Answer 11

You have a known security vulnerability, and your company is only one of an infinite number of parties which could exploit it. Any exploit of that hole, by any party, could reasonably result in a liability the scale of Sony's after the root kit fiasco. Their cost in both dollars and reputation soared into the hundreds of millions of dollars, in a directly analogous situation.

Make the case by drawing direct parallels to Sony, with your user base in ratio to Sony's as a gauge to calculate potential liability when this hole is exploited.

Answer 12

It's ok to worry about it, don't worry, your reaction is normal ^^

I would do one of two things:

• I would update the user agreement explaining that this possibility exists, therefore asking for the user's consensus (if the people in charge really don't want to take the backdoor away)
• I would remove the backdoor completely (better option in my opinion)

Also, if it is true that this backdoor is never used, why leave it there?

Answer 13

I would seriously counsel against immediate whistleblowing. Not least because there's a good chance this happens because someone from the CIA/FBI had a little chat with the head of the company who ordered it to happen through trusted management channels, and that's why it happens even though everyone should recognise that it's a shitty excuse.

You are rightfully recognising this as a shitty excuse. The problem is that other people also should have. Somewhere someone with power must have decided that this would happen. The construct that it's "OK because we won't use it" is then perpetuated.

That means that if you whistleblow (and get sacked) and launch a lawsuit, not only a) might you find it very difficult to get another job, b) your lawsuit might not go anywhere because it could turn out (hey, I'm not a lawyer, but it's plausible) that it wouldn't be recognised as "misconduct" by the firm. If I was the federal government I would go to greath lengths to protect people doing my dirty deeds.

On the other hand, if you have a trust fund and want to catapult yourself to 15-minute fame, you can go public about it. Just have an alternative path staked out in "Alternative Computing" or the Free Software Movement. There's no private jet down that route.

What I advise is getting a decent amount of details on it, finding new employment, then anonymously contacting a security profile and saying you want to go public/whistleblow it through them. The first person you contact will probably comply. The company might try to go after you but they SHOULD have no definite proof from any logs or search warrants and it's not "official" in the sense that new employers would be forced to recognise it.

Answer 14

OP: You know what happened in the case of ZTE? Go on pastebin, make a full and comprehensive security advisory. Needless to say, cover your tracks. That's that, if you were unsure to the point that you asked the question here, you can benefit us all by making the advisory.

Answer 15

As mentioned elsewhere what would scare me would be usage of the interception functionality even without any bad intention of its original developers/installers. The so-called "Athens Affair" comes immediately to mind and underlines this concern. For a technically informative and in the same time exciting read you can check:

The Athens Affair: How some extremely smart hackers pulled off the most audacious cell-network break-in ever

Answer 16

It's probably there to allow government agencies to access your cell phone and listen in on whatever you're doing at the time. It's required by law.

See:

• Remotely activated mobile phone microphones (Wikipedia)

• Remotely Eavesdropping on Cell Phone Microphones (Published 2006-12-05)

Answer 17

This was reported earlier this week in China's ZTE Ships Smartphone with Backdoor to MetroPCS, but finally some are seeing it. It seemed to have gone un-noticed by many...

Answer 18

It really depends on the nature of the back door. Is it worse than Carrier IQ?

I know the cell phone carrier can intercept all my voice and data transmissions and turn them over to the government. In fact, the NSA can intercept it all, too. I also expect the carrier and phone manufacture can, if given physical access to the phone, completely read all the data on it without my approval. So if the back door is limited to these kinds of things and you personally cannot use the back door to get into someone else's phone due to some other security constraint, then I would not get too bent out of shape about it. Raise your concerns to your supervisor in an email and save a copy of it on paper at home.

Now if it is the kind of back door a hacker can use to steal passwords saved on the smart phone without being detected, that's time to go full whistleblower if you cannot get them to lock that down. Access to a customer's phone should require specific security authorization within the company combined with full logging so that people who abuse their security privileges can be identified and have those privileges revoked (at the very least).

If it is somewhere in between, well, maybe leak it to a security researcher....

Answer 19

Well what you really should be after is their motives for putting in a backdoor. As the highest voter has said, just because you wont use it does not mean it won't be found. If it were me I'd find out what the motive is behind said backdoor, anonymously alert a major tech publication about said backdoor. Then again this depends on whether you feel a responsibility towards the general public or whether you feel it's up to the company to clean up their own act and let someone else hold them to account for their misdeeds.

Answer 20

Of course the back door didn't appear there without serious forethought. National security agencies are involved, and they paid to have it done, hopefully without anyone noticing. Cellular engineers designed in the capability to turn on a cellular microphone without the owner knowing it (keeping indicator lights off). I expect GPS locations can be broadcast even when an owner has the GPS feature turned off, and pictures can be taken and broadcast without the owner knowing it as well.

Answer 21

Hmm, by posting it here after alerting them I'd say that you should think about actually going public because you kind of already have.

Backdoors are pretty commonplace in emerging technologies as it usually takes legislation a while to catch up. Also, the development communities are not fully converged. For instance the Internet was notoriously unsafe until ISPs had to build in direct access to government bodies via legislation, licensing and exchanges. Only then security became important as the 'right' people had secured all the access they needed.

If it were my workplace I'd STFU... But it might be a bit late for that.

Answer 22

IF you have signed a "non-disclosure agreement" on the type of work and products you are dealing with your company then you shouldn't even be asking this question or posting it here. If not, you can post your company name and the software installed in phones to alert everyone.