Security has finally found a place in embedded applications as the Internet of Things (IoT) continues to rise in importance. Hacked systems have been the bane of PCs and smartphones, even as developers try to deliver more secure systems. It’s hard enough to prevent attacks like ransomware without having to worry about backdoors.
These days, IoT solutions are hyping end-to-end security. This typically includes secure attestation, authentication, secure communication, and even secure updates. A lot of security layers and protocols are involved, and they’re designed to secure a system and possibly isolate any breaches. Knowing that a breach has occurred is useful information by itself when considering the overall security of a system.
A security backdoor is one that bypasses the normal security features of a system. It usually provides unimpeded access and possibly control of a system. This can be handy for debugging it’s and often why developers include one, but they should never be left in a shipping system. Unfortunately, many systems have been attacked through such a backdoor. Developers often have done very dumb things like simple, hard coded passwords.
Granted, creating a secure backdoor could be possible, but it essentially places two security systems within a product. An attacker simply needs to bypass one of these to gain control. While the front door protection will usually be robust, the same can’t be said for the backdoor, which is also secret. Security through obscurity is generally a bad idea. Anyone who knows anything about security will tell you that backdoors are an extremely bad idea. Those that ignore security experts will be in for very bad surprises.
Unfortunately, Attorney General William Barr is just the latest to call for backdoors. He said, “Don’t give me that crap about security, just put the backdoors in the encryption.” Forcing this through legislation has been suggested as well. It could only end badly.