I found that the company I work for is putting a backdoor into mobile phones

  • I have found out recently that the remote assistant software that we put in a smartphone we sell can be activated by us without user approval.

    We are not using this option, and it is probably there by mistake. But the people who are responsible for this system don't see it as a big deal. Because “We are not going to use it”…

    Am I wrong for going ballistic over it?

    What would you do about it if it was your workplace?

    This question was IT Security Question of the Week.
    Read the Jun 16, 2012 blog entry for more details or submit your own Question of the Week.

    Is there a use case for the software for situations where the legitimate user may not have control of the device? Say, is there 'wipe device' or 'hard-lock device' functionality? I don't imagine someone who _stole_ the device is going to want to accept remote actions that render the device worthless.

    Which carriers use your phone, so I can switch out my provider if necessary?

    Did your company develop the software or are you licensing it from someone else?

    Screenshots or it didn't happen! ;)

    One word: **WikiLeaks**

    The largest ISP in Germany got a lot of bad press coverage during the last month because a backdoor account in their end-user routers was discovered.

    Do you mean Carrier IQ? Or is this something newer and perhaps not yet widely known?

    I call bullshit on "we're not going to use it". You don't put that kind of backdoor in unless you absolutely plan on using it, or giving it to someone else to use. Blow the whistle.

    This sounds like Google's "Do No Evil"

    @Shadur From my (limited) experience, in large companies things like this may happen purely due to the lack of organization. It doesn't make it less dangerous, but it's not necessarily because of an evil intent.

    @anonymousquery, What are the implications of activating the remote assistant? E.g., will it be discoverable by user, does it allow controlling the system or reading private data?

    "What would happen to our reputation if it became public that we had a backdoor on all those phones?" That question will force a patch ...

    ZTE recently had bad luck with a similar problem: http://www.theverge.com/2012/5/18/3028207/zte-score-backdoor-vulnerability-confirmed-skate. There are other recent examples where a default account and password (which cannot be disabled or modified) in physical hardware has caused lots of questions about how to protect devices like that (i.e. stuff for infrastructure).

    ...don't see it as a big deal. Because “We are not going to use it” - they don't seem to care about their customer. They can get sued once the client knows it.

    @AntonStrogonoff Well said. "Never attribute to malice that which is adequately explained by stupidity."

    @FrankFarmer I'm pretty sure that saying was invented by malicious people to make it easier for them to play stupid when they're caught

    Hoping this post and the ZTE news coming in such close proximity means you got your way, grats man :)

    Any chance we could get brand/model of the phone? I would like to make sure it's not the phone I'm using. Does it run Android?

    I need a nuclear bomb. I am not going to use it. I just need it.

    @schwiz Probably not. In the event of an internal witch hunt naming names here would go a long way towards deanonymising anonymousquery.

    They may not use it, but some 3-letter organization will if they have a court order.

    Contact the Electronic Frontier Foundation, anonymously if need be. Ask them for help finding a lawyer who will help you establish whether - and if so, how - you can perform a responsible disclosure.

    I wonder what eventually happened with this situation. Though, looking at the profile, the OP never logged in here again after asking the question, so I doubt he'll see my comment :(

  • Just because they won't use it, doesn't mean someone else won't find it and use it.

    A backdoor is a built-in vulnerability and can be used by anyone. You should explain that doing something like this is very risky for your company. What happens when some malicious attacker finds this backdoor and uses it? This will cost your company a lot of time and money to fix. And what will your company say when people ask why the software contained that backdoor in the first place? The company's reputation might be damaged forever.

    The risk is certainly not worth having it in the code.

    +1 All things should be documented and shared with the user. No backdoors should be allowed. MSFT even went as far as banning harmless easter eggs from all software since it implies that code contains hidden features & functionality. Your company should follow the lead of Trustworthy Computing or risk going down a rabbit hole they may not recover from (bad PR, lost sales, etc).

    +1 "But we're not going to use it" is the *worst* excuse for a backdoor. If you're not going to use it, then what's the point? Someone else will, almost guaranteed. At least if you plan to use it for some reason, it has a reason for being and you can weigh the risks involved.

    It's unrealistic to assume that everyone in a large company thinks in the same way, so one person saying "But we're not going to use it" doesn't mean much unless it is backed by explicit policy and repercussions against those who use it. Unlikely to happen if the powers that be are happy to even have it exist.

    @makerofthings7 Just to be clear on your MSFT statement. They didn't intentionally stop it because they chose to. They were court ordered by law to stop it. "to supply certain government agencies with software, Microsoft can't include undocumented features, including Easter eggs".

    @SpoiledTechie.com Thanks for the correction. I'll shift some sentiment of appreciation to the government ... for insisting on doing the right things right

    Software is just like a contract. If you see a clause in a contract that could get you REALLY screwed over you don't sign the contract until they take it out. Them saying "but we're never going to use the clause" is just silly. It only takes one upset employee who knows about it to do mega-damage to your company.

    It's easily possible to write backdoors that can't be used by anybody else.

    The "IT Security Question of the Week" link is broken

  • If you've informed decision-makers and they've decided not to do anything about it, then by definition your company is knowingly shipping a product with a serious security vulnerability. (And, I assume, hiding it from their customers.) This is a very serious matter. What's the worst that a malicious person with access to this backdoor could do? If it's bad enough, I would go to the FBI about it. (Or whoever has jurisdiction over computer security if you're not in the US.)

    If your company knows about the problem and doesn't care, then exposing it is the only ethical course of action. And if they attempt to take retaliatory action against you, you may have legal recourses available, depending on the circumstances and the laws where you live. (Talk to a lawyer about that if you think it might apply in your case.)

    +1 Because I agree with the idea, but I think you will probably lose your job, and you will have to spend the rest of your life harvesting apples because no one else is going to hire you... This is not an easy decision to make.

    @Mason Could you reference the legal provisions that are offered to protect whistle blowers in this type of scenario?

    @Rob: That's interesting. When I looked at it some more, it looks like whistleblower protection laws generally only apply to government employees. I'll edit my answer.

    There's a whole US government website dedicated to whistleblowers, including those who are reporting on breaches of "violations of ... consumer product ... and securities laws." There's likely to be something similar in most rich countries.

    It is not obvious to me that (1) exposing it is the only ethical course of action; (2) the FBI has jurisdiction or interest; and (3) there are any legal recourses for whistleblowers. What is the difference between an undocumented feature and a poorly documented feature?

    The UK government's website for the UK Whistleblowers act.

  • Please pardon my cynicism, but this isn't the first and won't be the last backdoor we see in our legitimate, hard-earned apps and devices. Just to refresh our memory, we can start from the most recent one, Amazon's new Big Brother Kindle [1][2].

    But we have an entire plethora of backdoored software and services, such as PGP Disk Encryption [3][4], ProFTPD [5] or Hushmail [6], to name a few.

    And don't forget the OSes: M$ is always ahead with its NSA_KEY [7][8], but also OpenBSD [9] and the Linux kernel [10] can't be considered 100% safe. We also have paid attempts to gain a backdoor access to Skype by NSA [11], that, however, has been assessed as "architecturally secure" [12].

    Moving down to firmware, nowadays we are almost acclimatized to having people from our ISP that are able to watch inside our routers (yes, maybe even see our beloved WPA password), but these [13][14][15] can surely be considered as backdoors too!

    Finally, a few considerations on hardware and BIOSes [16], and (this is both funny and somehow dramatic) EULAs [17][18], because also lawyers have their backdoors.

    Ok, given this preamble, I'll try to answer the question briefly. No, you're not wrong for getting mad about this thing, but you should focus your anger on the correct motivation. You should be angry because you lost a piece of trust towards the company you work for, not for the fact of the backdoor itself (leave this anger to the customers).

    And if I were you, I'd just be very cautious. First, I'd make really really sure that what I saw was a backdoor, I mean legally speaking. Second, I'd try in any way to convince the company to remove the backdoor.

    You probably signed an NDA [19] with your company so your question here could be already a violation. However I don't know where the NDA ends and your state law begins (it could be even customer fraud), and probably, due to the technicality of the subject, only a highly specialized lawyer could help you with this matter. So, if you want to proceed, before doing anything else, even talking to the authorities, you should hire a very skilled lawyer and be prepared to lose a lot of time and money, or even the job.

    The PGP case does not seem like a backdoor to me.

    The Skype article seems out of place. It was written in 2009 and even the article makes it sound like Skype declined offers to create a backdoor.

    I wasn't saying that Skype _has_ a backdoor, but I was pointing out that the NSA, a government agency, offered money (a lot of money) to have the job done. Is it legal even to ask for such a thing? What happens if you offer to pay someone to break into someone else's telephone line and get caught? This is just to say that the bigger the company, the less likely they are going to pay for their illegal acts.

    Not to mention all the software that offers automatic updates...

    I think your huge number of links is extremely misleading. Reading it over at first, I had the impression you were pointing out all these instances of backdoors. Then, I went back to read the links, and I found a couple instances of genuine backdoors, most of which were not secrets, a hacked server hosting a malicious version of a piece of software for a short period of time, and then a mixture of things which were all *not* backdoors: failed attempts at backdoors, falsely identified non-backdoors, unsubstantiated rumours about backdoors, and theoretical discussions of potential backdoors.

    The Linux kernel link from 2003 is hardly damning.

    @Jeremy Salwen - I was just pointing out that backdoors and "undesired functionalities" never requested by users and even working against them have always existed and will exist for a long time. I could also bet that what I found in my half-hour search is just the tip of the iceberg. This is a controversial topic and for my own safety I began to consider rumors as half-truths when choosing my own hardware and software. If you believe you're perfectly safe, well, good for you.

    Ha - I love the EULAs link ... "PC Pitstop – $1,000 For Free" is definitely worth a read.

    +1: The question does seem to use over-linking to improve its legitimacy. Which looks kinda bad. However, two points really stand out: * You should be angry because you lost a piece of trust towards the company you work for, not for the fact of the backdoor itself (leave this anger to the customers): Couldn't have said any better. * I don't know where the NDA ends and your state law begins [...]: It's always nice to remember that no signed contract can violate the country/state law in which it is signed. IANAL, but already heard this from one.

  • If they don't see it as a big deal, you're not asking them the right question. The question to motivate action on this isn't "is this right?" but "what happens to us when somebody finds and publishes this?" Whether you're a big or small company, you're looking at serious damage to your reputation and all the bad things that go along with it if someone outside the company discovers this before you fix it.

    Fixing this issue isn't just ethical, it's essential for your company's survival. It's far, far better to fix it quietly now than a week after all your users and customers have left you because it was revealed by some online journalist.

    I totally agree. They may not understand the moral/ethical arguments, but if you force them to follow the money trail, you'll get their attention.

    +1. And if they refuse, mind your own business. I am old enough to know that morality means nothing. They are your friends. They pay you. You are responsible to them, not society, unless your ass can get fried.

    @JimThio: he could be sued and possibly face criminal charges if the backdoor is used, even (perhaps especially?) if it's not his company doing it. And morality exists, no matter your age -- it just doesn't guarantee you a happy ending.

    I would be very careful in how I'd present the "what happens to us when somebody finds and publishes this?" issue, not to make it sound like a direct threat. The decision makers behind all this are obviously already arrogant enough (if they can brush aside such issues), and reaching a belief that any disagreement with them is a direct threat might be only a hint of a doubt away.

  • You should seriously consider going to some governmental or regulatory authority with this, just to protect yourself.

    Imagine this scenario:

    1. You inform management about the backdoor. Now they know you know.
    2. Evil Hacker ZmEu finds out about the backdoor, and puts something on pastebin.
    3. Your management finds out about Evil Hacker ZmEu's pastebin.
    4. Your management blames you, and fires you for cause, over your protestations of innocence.

    Most security vulnerabilities get discovered multiple times. You won't be the only one to find it, you'll just be the most obvious one to make a scapegoat of.

    It can get even worse, he can be sued for the backdoor as one of the persons involved in the process (he knew about it but continued to be involved)

    @lechlukasz Yeah, he should at least quit ASAP. Later he might well be the FBI's star witness over whatever the heck this is.

    I think it is very unlikely that he would be sued and held culpable on this basis. For those claiming otherwise, I challenge you to identify the basis of action (e.g., the statute or tort) and justify your opinion. Right now, these claims just sound like "Internet lawyering" (uninformed guesses and speculation from folks who are not legal professionals).

    Dear D.W.: Have you ever been accused of something by management? It's not a legal process, you don't have representation, and usually no appeals exist. We're talking scapegoating here, not Justice. Also, Courts, not "legal professionals" determine innocence, guilt and the validity of basis of action. You're just trying to prop up the authority of legal professionals.

    If ZmEu just "puts something on pastebin", this is certainly not the most evil a hacker can be.

    What if your company doesn't want to share with you the real reason for that backdoor? Just for a moment it pops into my mind: "government". If the government is behind that, going to some governmental authority may not solve the problem (it all depends on which country you are in).

  • It's ok, people will still buy the iPhones your company makes - your secret is safe. ;)

    If it was my workplace, where I'm employed as a security analyst, I'd accept that my job is to identify and communicate risk; it's up to the business to accept the risk. I can not accept risk personally, so my only real option is to ensure that I've communicated the level of risk in the proper forum to the best of my ability. So, if you are employed at a level where you can accept risk, then it's up to you to decide whether or not this is OK. Based on the post, however, you are not at a level where you can accept risk on behalf of the company. So all you can probably do is communicate the risk in a way that the business area can understand, and then let the business area make an appropriate business decision using all of the information available to them.

    The thing you do have control over is accepting the risk to yourself posed by working for a company which makes decisions which you think are bad. Your available means of mitigating that risk are documented at Monster.com and friends. :)

    +1 "available means of mitigating that risk"

  • Before the smartphone era it was a standard feature of all mobile phones to have backdoors. The GSM protocol allowed the base station to update the phone software. http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html is a good talk about how crazy the security scheme has been.

    As far as I know none of the companies involved in creating GSM got into any legal trouble about the affair. Government agencies like the NSA liked the fact that they had backdoors. At the moment there are people inside the government that want to mandate backdoors for every communication platform.

    I think there's a good chance that the backdoor exists because some other entity like the NSA wants it to be there. If people higher up in your company made a deal with the NSA they probably won't tell you when you come to them to complain about the backdoor.

    For all you know it could be the Mossad that's paying your company to keep the backdoor in the software.

    A clear backdoor into a modern smartphone is probably worth 6 figures or more on the black market. An employee could sell it or could have been specifically paid to put it there.

    On the other hand, if the backdoor really just exists because the higher-ups in your company are too ignorant, then you might be able to explain to them that it's a serious issue.

  • You have a professional responsibility and an ethical responsibility to ensure this is addressed, IMO. And you've stepped into a minefield. Protect yourself. Watch your step. Go slow. Think defense-in-depth. I successfully solicited a whistleblower, who has been able to maintain anonymity. The solicitation included advice on maintaining anonymity; take a look.

    Check you're not re-blowing the whistle on something already known - like the Carrier IQ stuff.

    Sending written notification to corporate counsel could go a long way to getting the problem addressed - e.g. via an anonymous email account so you can have 2-way communication.

    Also: Look at archives of the now-dead Wikileaks:Submissions page I referenced.

    Whistleblower.org has good info for you, even though it's government-focused.

    Addendum: Have you looked through the source code version control logs to see who put the backdoor in?

    The addendum alone is a +1

  • Treat it as a security vulnerability you have discovered and report it to, for example, CVE. Anonymously if you wish.

  • Your reaction is sound, and on a gut instinct level means that you care about one or more of: your customers' privacy, your company's public image, your codebase's quality, your own skin.

    In my workplace, I would be senior enough to know it is a security bug (and not there by company intent, or mandate from the government) - and remove it. It sounds like this doesn't apply in your case, though.

    If you can trace "we are not going to use it" to "we put it there for our own use, but don't need it" you can probably describe to someone high enough in the organization the dangers it poses to the company when it shows up on bugtraq / gets used for nefarious purposes by some third party, which is likely to happen if your smartphone is popular, common and valuable enough (as a target - which may translate to "used by important enough people") to attack.

    If you can trace it to "it's there by government mandate" or similar, you might want to insist on internal documentation to that effect, so you can at least leave it be and know that you've done what you can to protect your company, and save other skilled coworkers of yours from the dilemma you find yourself in, as a matter of good code maintenance practices. (And ponder your options about working in an industry making tools that both serve and sacrifice their owners, if this feels deeply demotivational.)

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM