Do you ever worry that your locksmith may take a copy of your key when they fit a new lock? Or that your locksmith has defined a lock which they know they have a skeleton key for? Or that your locksmith modifies the lock so that they can compromise it?
And so we trust those that create locks to design them so that they cannot be broken easily, and that lock standard agencies around the world to set standards that promote good lock design, and, most of all, that locksmiths can be trusted to fit them without compromising them (and in giving us good advice).
Well, let’s look at software backdoors. Overall it’s not an easy thing to put in a backdoor in a piece of software. Well, let me re-phrase that … “it is not an easy thing to put in a backdoor in a piece of software and for it not to be seen”.
Computer security is a serious business, but you must smile a little when you see the lengths that some intruders will go to in order to compromise systems. Organisations such as the NSA have long been accused of applying backdoors into cryptography software, but the recent Apple login hack shows that there are lots of opportunities for others to get in on the act. The addition of a backdoor in the Apple compiler showcased the opportunity for large-scale compromises.
Overall there are a number of ways that a backdoor can be added to a piece of software:
- Escrow. In encrypted communications, one method is to keep of copy of the encryption key that could be used at some time in the future. Details [here].
- Defining a standard that you know you can crack. The NSA and law enforcement agencies around the world have been accused of helping to define a standard and setting various parameters, and they know they have the methods to crack them.
- Source code addition backdoor. This is the typical way that an intruder would add a backdoor, and where the additional code is added which will perform a task that allows the source code writer back into the system. Normally the code is added by the writer, but then an intruder finds out the backdoor and can exploit it.
- Injected code backdoor. With these, packages such as Metasploit insert some additional code into the application, and which allows it to work the same, but creates a backdoor connection. Normally this is a call-out method, where the program calls-out to the malware writer.
- Compiler backdoor. This is the best method for going undetected, and where the compiler, itself, adds the additional code to every program which uses the compiler. In terms of a mass exploit, the compiler backdoor will have the greatest scope as it will exploit a wide range of applications. The executable will also be signed to verify that it is a valid application.
- Vulnerability and XSS exploit. This involves compromising a system in order to create a backdoor, typically injecting code into a running application which causes the system to open-up a backdoor connection.
The open-up of a network connection will obviously be detected on the system, but code writers have implemented a number of smart ways to cover this up, including passing secret passphrases for passwords, or with port knocking, where network packets are sent to a well-known open port, which then causes another port to open.
A. Defining a standard you know you can crack
A key focus for law enforcement is the cracking of cryptography, especially for tunnels and VPN connections. Devices created by Juniper were found to have a flaw which allows agencies to decrypt VPNs traffic. The company may have also used Dual EC (Elliptic Curve) DRBG (Deterministic Random Bit Generator) for generating the random numbers required to create VPN tunnels. This method, which was promoted by the NSA, has a known weakness and can be cracked.
The possible backdoor in Dual EC DRBG has been known about since 2004, and the team who worked on it had the chance to plug the gap but failed too. It thus allows law enforcement agencies to crack SSL/TLS encrypted traffic which used the method for random number generation. It was thus assumed that no-one would use the method, but, in Juniper’s case, it has been found in some of their devices.
In 2013, Edward Snowden showed NSA memos which indicated that the NSA had been the sole editor of the standard, whereas NIST responded that it did not deliberately weaken any cryptography standard. The following year, NIST recommended that companies stop using it, and withdrew it from its draft guidance on random number generation. In 2013, also, OpenSSL was found to be implementing the method, and which allowed TLS/SSL connections to be decrypted.
The back door in the standard for Elliptic Curve method for Dual_EC_DRBY caused a great deal of suspicion on the definition of NIST’s P curve standards, and that they had selected them so they could have an advantage in breaking the public keys. Most of the industry has moved away from the P standards (such as P-256) and towards Curve25519 (which is shown in the graphic on the right-hand side and which was created by Daniel J Bernstein), and now used by Tor, Signal, What’s App, Facebook, OpenSSH, and many other standards. In 2013, Bruce Scheiner stated that he didn’t trust the values selected:
I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry
I have plotted some of the standard Elliptic Curve parameters [here].
B. Source code additional back door
It has long been the case where code writers have added additional code which allows them back into the code whenever they required. They will often add debug functions which can be remotely enabled, but where the forget to switch-off. This backdoor method works well until the source code is read, and the additional code is revealed. With the rise of Git hub repositories, it can become obvious as to when the backdoor has been added. The following outlines a few backdoors:
A classic backdoor was added to an FTP server (vsftp), and which has an intentional backdoor within the version running on it. The back door is exploited with the username ending with:
and then the server listens on port 6200 and awaits a connection:
root@ubuntu:~# telnet 220.127.116.11 21Trying https://www.linkedin.com/redir/invalid-link-page?url=192%2e168%2e99%2e131...Connected to https://www.linkedin.com/redir/invalid-link-page?url=10%2e200%2e0%2e1.Escape character is '^]'.220 (vsFTPd 2.3.4)user mybackdoor:)331 Please specify the password.pass none ^]telnet> quitConnection closed.telnet 18.104.22.168 6200Trying https://www.linkedin.com/redir/invalid-link-page?url=10%2e200%2e0%2e1...Connected to https://www.linkedin.com/redir/invalid-link-page?url=10%2e200%2e0%2e1.Escape character is '^]'.id;uid=0(root) gid=0(root)
The UnrealRCD IRC daemon runs on port 6667. The version on Metasploitable has a backdoor where the user sends “AB”, and then follows it with a system command on a listening port (see demo above).
Cryptography cracking is often one of the most challenging areas for investigators to crack, so there have been many allegations of companies tampering with source code in order to create backdoors. While these are not necessarily network connections, the software is modified in a way which changes the functionality of the encryption function.
One company — Crypto AG, a Swiss cryptography company who make encryption machines — has been accused of modifying their software in collusion with intelligence agencies from Germany (BND), the UK (GCHQ) and US (NSA). This was highlighted, in 1986, when Ronald Regan announced that the US had intercepted encrypted diplomatic communications between Tripoli and Libyan embassy in East Berlin, related to a bombing in Berlin. In 1992, the Iranian government even arrested Hans Buehler, a salesman for the company, but who was released in 1993 without revealing any flaws in the machines (and after $1 million bail money was paid).
Crypto AG soon after dismissed Hans, and requested he paid back the $1m. Since then Der Spiegel has interviewed former employees and concluded that the machine was indeed rigged. Even after several other investigations, there is still no conclusive proof of the rigging, but some suspect that the relationship with defence agencies goes back to 1954.
Juniper recently announced that there were two backdoors on their devices, and which allowed intruders to gain administrator access and also decrypt the encrypted content. It was the kind of shock that has not been seen since the asleep script was released, and which could crack most Cisco Wi-fi access points which used the LEAP authentication method.
With backdoors in cryptography being a hot topic, Juniper revealed that it had traced “unauthorized” code within its ScreenOS operating system on some of its firewalls, and which allowed an intruder to take complete control of Juniper’s NetScreen firewalls using a hard-wired password. This would allow them to decrypt all the encrypted traffic for VPN connections. There is a patch for this, but intruders can now determine the required password — which has been hard-wired into the code — by examining the ARM code used in the backdoor:
The strange thing is that the password is “<<< .” and looks like standard C++ compiled code. It is a bit like adding:
password = "let a = b + 1"
The following is a sample login:
$ ssh firstname.lastname@example.orgPassword: <<< %s(un='%s') = %u
Analysts have already managed to identify the password in just six hours. Overall the logs would just show that there was a successful login with “system”:
In 2013, Der Spiegel outlined the FEEDTHROUGH method which maintained a backdoor onto Juniper firewalls. This approach was different to the methods outlined in the latest backdoors, as it was a post-compromise.
C. Injected code backdoor
With this packages such as Metasploit insert some additional code into the application, and which allows it to work the same, but creates a backdoor connection. Normally this is a call-out method, where the program calls-out to the malware writer. The following shows the addition of call-back code into the Putty.exe application:
This method is normally detected by virus scanners as it often adds a standard piece of code which can be detected on a system. When downloading standard programs, it is often important to take the hash signature of the application, in order to determine if it had been modified.
D. Vulnerability and XSS exploit
With a vulnerability exploit, the code writer has allowed the exploit to propagate through the system and cause it to open up a backdoor. This typically involves an XSS (Cross-site script), where some code is injected into running software and which propagates through the system to open-up a network connection. Adobe Flash is a major contender here for this type of exploit where some shellcode is fed through the Flash plug-in and onto the system. There are many examples of where Flash has been compromised, in order to feed the code through, as it is typically running with high levels of trust on the system.
E. Compiler injection backdoor
In 1984, Ken Thompson, inventor of Unix, outlined how he could be injected a virus into a compiler. For this, he added the code into the code being compiled, and also into the compiler itself, so that the malware could be sustained in future versions of the compiler. He thus knew how to inject the malicious code into the compiler, but not leave a trace in the source code. As it was compiled into the lowest level of the code, it is almost impossible to detect the added code, as the source code shows no sign of the added code. While 1984 was the year of the release of the Apple Mac, it is Apple who was one of the first to be pinpointed by the methods that Ken outlined in the same year.
A compiler converts high-level code, such as C++ or Pascal, into a machine ready equivalent (machine code). This can either be done to produce a portable executable, such as an EXE in Microsoft Windows. One way to compromise an application is to create a backdoor in the compiler so that a line of code such as:
could be compiled to perform the machine code equivalent of:
which might open-up a network port (9999) which could be connected to. In this way when the app was uploaded onto a site, it would look as it was a valid compile. It thus means that good applications will be infected in the same way as bad apps, and will be signed by a trusted certificate.
WithXcodeGhost the target was Apple iOS, and which replaces Apple’s Xcode (which is used to create iOS and Mac OS apps). Unfortunately, it is rather large to download (over 3GB), so in countries such as China, developers have had to download Xcode from untrusted sources, which had a backdoor added to it. This resulted in over 300 back-doored apps being added to the Apple App Store, including WeChat which is a messaging app used by over 600 million people.
The malware itself is able to show phishing pages which are used to steal user credentials, and it does seem surprising that Apple allowed more than three dozen backdoored apps to be hosted on the App Store, including WeChat, Didi Kuaidi (a similar app to Uber for car-hailing), and NetEase Inc (a Spotify-like music app).
Normally a program is produced and then signed with the private key of the developer, which verifies that it has come from a trusted source (a public key then verifies that the code has come from a trusted source and also that it has not been modified — known as code signing with a strong key). So, in the case of XcodeGhost, valid developers will produce signed apps but where they have a backdoor added in the executable program.
So we now see one of the first examples of a compiler backdoor. Backdoors will not go away, and if anything they will increase, as they are the natural way of someone silently compromising a system. The debate about backdoors in cryptography is now one of the most fundamental of the 21st Century, and it will not go ahead any time soon. With many countries looking to ban anonymous VPN access, the tension between security and privacy is just going to grow larger.