DOC RABE Media - Fotolia

Tip

Detecting backdoors: The Apple backdoor that never was?

The debate over the purported Apple backdoor leaves enterprises asking, "When is a backdoor not a backdoor?" Application security expert Michael Cobb explains the difference.

One of my favorite jokes when I was little was "When is a door not a door?" Answer: "When it's ajar!"

Well, reports last summer that Apple iOS devices contain backdoors that leak personal user data has security experts and software vendors today debating "When is a backdoor not a backdoor?" Vendors claim the answer is "when it's for diagnostic purposes" (as in the Apple backdoor) or "so certain functions can run correctly." But is it not still a backdoor, technically speaking? And what are the challenges in detecting backdoors?

In this tip, I'm going to take a look at what exactly a backdoor is, whether there's a valid distinction between "good" and "bad" backdoors, and explain what enterprises can do to detect and prevent potential backdoor threats.

What is a backdoor?

A backdoor is a hidden or undocumented method of bypassing normal authentication and security controls to gain access to a device. Backdoors can exist in hardware, operating systems, applications, software libraries, algorithms and, of course, malware. Many experts classify the Heartbleed vulnerability and the Apple "gotofail" vulnerability as backdoors. Technically, they are correct, but these backdoors were created unintentionally, so to narrow the scope I am going to exclude security vulnerabilities of this type.

Good vs. bad backdoors

A "bad" backdoor is characterized by its creator's intention to remain undetected while using it to gain unauthorized access. For example, the Mydoom worm spreads via an email attachment which, if opened, creates a backdoor on port 3127 to allow remote control of the infected PC. Often a backdoor is a key component in multi-stage malware which allows the attacker to install additional features such as keystroke logging, screenshot capture or file extraction.

A "good" backdoor is used for benign purposes but tends to be undocumented, and although access may be authorized, it can be done without the device owner's active consent or knowledge. An example of a good backdoor would be a hardcoded username and password written into a software program that allows programmers to remotely troubleshoot problems that users of the program may encounter. Programmers often create backdoors intended solely for diagnostics and debugging during the development phase, but can forget to remove them in the released version. The problem, though, is that if a hacker discovers these undocumented features, they too can remotely access the device and possibly take control of the entire system. This is why all types of backdoor are a potential security risk.

A 'good' backdoor is used for benign purposes but tends to be undocumented, and although access may be authorized, it can be done without the device owner's active consent or knowledge.

There have been various reports over the past year of backdoors discovered in legitimate products, and given the heightened concerns over government snooping, security teams need to monitor security forums and newsfeeds to stay abreast of what information these particular backdoors may put at risk. For example, research by forensic expert Jonathan Zdziarski found that iOS has various undocumented functions, one of which allows unauthorized access to anyone who has access to a computer or other device that has been paired with the targeted device.

Apple responded to the services identified by Zdziarski as "diagnostic capabilities to help enterprise IT departments, developers and AppleCare troubleshoot issues." These "good" backdoors are still a security risk, though; they are active even when the device isn't in developer mode, which would be the expected configuration. If an attacker can hack into a computer that has been paired with the victim's iPhone or iPad, the pairing records can be retrieved and used to compromise the device even though the attacker doesn't have physical access to it. Another concern is that the data accessible to some of these undocumented services includes personal data that is far more than a diagnostics tool could ever justify. Law enforcement agencies can request user data from Apple with a probable cause warrant signed by a judge, but these backdoors create a situation where Apple or others could bypass this process to access a user's data.

Defending against backdoors

To mitigate this particular iOS threat, enterprises should use a mobile device management tool to restrict a device's pairings and delete all existing pairing records; an open source tool is available from GitHub that removes the pairing records from iOS devices. This approach is not likely to work that well with employee-owned iOS devices though, so enterprises will have to rely heavily on security awareness training to keep enterprise data secure, or even ban iOS devices if the risk is deemed too high.

To protect the enterprise from other potential backdoors, all open source code and code written by in-house teams or contract developers should be checked by the security team for possible backdoors. This task may need to be outsourced to a specialized company as backdoor code can be obfuscated and subtle. For example, an attempt to plant a backdoor in the Linux kernel in November 2003 involved changes to just two lines of code, but would have given the hacker root access and complete control of any machine running Linux.

New devices, particularly those that just came on the market or are running new versions of an operating system, need to be risk assessed, as do the applications they run. Enterprises must monitor the network traffic they generate using a tool such as Wireshark to ensure that sensitive data is not being leaked in any way, and to verify that other background services or activities aren't breaking security policy.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).

Next Steps

Get help locking the backdoor and reducing unauthorized system access.

Does the combo of TPM and Windows 8 create a backdoor? Learn more.

Do Wi-Fi routers pose backdoor threats? Find out here.

Dig Deeper on Network security