The Unguarded Entrance

In the summer of 2012, the London Guardian revealed that the Actel ProASIC chip used in everything from Boeing 787 flight control systems to military systems to medical devices had an undisclosed back door. This reminds me of how many action and sci-fi movies rely on an insider with knowledge of a secret entrance to get in. The fact that it was a real, IT problem was a revelation.

Why are hidden back doors in information technology so dangerous?

• Hackers are always looking for a way in. If they find a backdoor that is undisclosed, they have a zero day exploit against which there is no solution.
• Vendors lose credibility over security claims if they’ve intentionally built in flaws, when the product was promoted as capable of keeping data secret. There is no information security when any current or prior employee knows of a way to access data on the customer’s system.
• Deliberately build in the back door to the chip, as is the case of the ProASIC3 chip, causes enormous financial burdens on customers who have to replace ASICs on motherboards across a plethora of devices. And the manufacturer could be held liable for these costs.
• The data collected via a back door is a security concern for the customer. I worked with a group that said we don’t want your software tracking IP addresses and installations, to protect our network. The vendor said they’d comply. It was later discovered that the installer was tracking every installation and reporting this back to the vendor. This was both a breach of trust and a security concern for the customer. Using a hidden back door could create security holes for the customer, even if the reasons – in this case, trying to prevent software licensing violations – are reasonable and valid.
• Back doors being used by a vendor create confusion and concern. If your code is changing for unknown reasons, the customer assumes they’ve been hacked and searches for the intruder. If someone came in through a hidden entrance and rearranged the furniture, you might waste time adding locks and a security system to the front door and windows. It feels like a solution, but in reality does nothing but waste time and effort.
• Customers plan their IT and hardware security on the designs they have. If there is an unknown back door, it is an unguarded entrance to their IT systems.

Advertisements