Built-in or proprietary backdoors are put in place by the hardware and software makers themselves. Unlike backdoor malware, built-in backdoors aren't necessarily conceived with some criminal purpose in mind. More often than not, built-in backdoors exist as artifacts of the software creation process.
Software developers create these backdoor accounts so they can quickly move in and out of applications as they're being coded, test their applications, and fix software bugs (i.e. mistakes) without having to create a "real" account. These backdoors aren't supposed to ship with the final software released to the public, but sometimes they do. It's not the end of the world, but there's always the chance a proprietary backdoor will fall into the hands of cybercriminals.
While the majority of built-in backdoors that we know about fall into the former category (i.e. the "whoops, we didn't mean to put that there" category) members of the Five Eyes intelligence sharing pact (the US, UK, Canada, Australia, and New Zealand) have asked Apple, Facebook, and Google to install backdoors in their technology to aid in evidence gathering during criminal investigations. Though all three companies have declined, all three do provide downstream data to the extent required by law.
The Five Eyes nations have stressed that these backdoors are in the best interest of global security, but there's a lot of potential for abuse. CBS News found dozens of police officers all over the country used currently available criminal databases to help themselves and their friends harass their exes, creep on women, and harass journalists who took umbrage with their harassing and creeping.
That being said, what if government agencies decided they weren't going to take no for an answer?
This brings us to the supply chain backdoor. As the name suggests, a supply chain backdoor is inserted surreptitiously into the software or hardware at some point in the supply chain. This could happen as raw materials are shipped from supplier to manufacturer or as the finished product makes its way from manufacturer to consumer.
For example, a government agency could intercept completed routers, servers and miscellaneous networking gear on its way to a customer, then install a backdoor into the firmware. And, by the way, the US National Security Agency (NSA) actually did that, as revealed in the 2013 Edward Snowden global surveillance disclosures.
Supply chain infiltrations could also happen in software. Take open source code, for example. Open source code libraries are free repositories of code, applications, and development tools that any organization can dip into instead of coding everything from scratch. Sounds great, right? Everyone working together for the greater good, sharing the fruits of their labor with each other. For the most part, it is great. Any contribution to the source code is up for scrutiny, but there have been instances where malicious code has made its way to the end user.
To that point, in July of 2018 cryptomining malware was found inside of an app (or "snap," as they call it in the world of Linux) for Ubuntu and other Linux-based operating systems. Canonical, the developers of Ubuntu admitted, "It's impossible for a large-scale repository to only accept software after every individual file has been reviewed in detail."
Software developers create these backdoor accounts so they can quickly move in and out of applications as they're being coded, test their applications, and fix software bugs (i.e. mistakes) without having to create a "real" account. These backdoors aren't supposed to ship with the final software released to the public, but sometimes they do. It's not the end of the world, but there's always the chance a proprietary backdoor will fall into the hands of cybercriminals.
While the majority of built-in backdoors that we know about fall into the former category (i.e. the "whoops, we didn't mean to put that there" category) members of the Five Eyes intelligence sharing pact (the US, UK, Canada, Australia, and New Zealand) have asked Apple, Facebook, and Google to install backdoors in their technology to aid in evidence gathering during criminal investigations. Though all three companies have declined, all three do provide downstream data to the extent required by law.
The Five Eyes nations have stressed that these backdoors are in the best interest of global security, but there's a lot of potential for abuse. CBS News found dozens of police officers all over the country used currently available criminal databases to help themselves and their friends harass their exes, creep on women, and harass journalists who took umbrage with their harassing and creeping.
That being said, what if government agencies decided they weren't going to take no for an answer?
This brings us to the supply chain backdoor. As the name suggests, a supply chain backdoor is inserted surreptitiously into the software or hardware at some point in the supply chain. This could happen as raw materials are shipped from supplier to manufacturer or as the finished product makes its way from manufacturer to consumer.
For example, a government agency could intercept completed routers, servers and miscellaneous networking gear on its way to a customer, then install a backdoor into the firmware. And, by the way, the US National Security Agency (NSA) actually did that, as revealed in the 2013 Edward Snowden global surveillance disclosures.
Supply chain infiltrations could also happen in software. Take open source code, for example. Open source code libraries are free repositories of code, applications, and development tools that any organization can dip into instead of coding everything from scratch. Sounds great, right? Everyone working together for the greater good, sharing the fruits of their labor with each other. For the most part, it is great. Any contribution to the source code is up for scrutiny, but there have been instances where malicious code has made its way to the end user.
To that point, in July of 2018 cryptomining malware was found inside of an app (or "snap," as they call it in the world of Linux) for Ubuntu and other Linux-based operating systems. Canonical, the developers of Ubuntu admitted, "It's impossible for a large-scale repository to only accept software after every individual file has been reviewed in detail."