What is the history of backdoors?

Olivia

Nov 13, 2018
Here's a look back at some of the most (in)famous backdoors, both real and fictional, since the dawn of computers.

One could argue backdoors entered the public consciousness in the 1983 science fiction film WarGames, starring Matthew Broderick (in what feels like a test run for Ferris Bueller). Broderick as mischievous teenage hacker David Lightman uses a built-in backdoor to gain access to a military supercomputer designed to run nuclear war simulations. Unbeknownst to Lightman, the schizophrenic computer can't tell reality from simulation. And also some genius decided to give the computer access to the entire United States nuclear arsenal. Hilarity ensues as the computer threatens to blow up the entire world.

In 1993 the NSA developed an encryption chip with a built-in backdoor for use in computers and phones. Supposedly, the chip would keep sensitive communications secure while allowing law enforcement and government agencies to decrypt and listen in on voice and data transmissions when warranted. Hardware backdoors have big advantages over the software kind. Namely, they are harder to remove—you have to rip the hardware out or re-flash the firmware to do so. The chip, however, was derailed over privacy concerns before seeing any kind of adoption.

In 2005 Sony BMG got into the business of backdoors when they shipped millions of music CDs with a harmful copy protection rootkit. Little did you know, while rocking out to the latest edition of Now That's What I Call Music! your CD included a rootkit, which would install itself automatically once inserted into your computer.

Designed to monitor your listening habits, the Sony BMG rootkit would also stop you from burning CDs and left a gaping vulnerability in your computer that cybercriminals could take advantage of. Sony BMG paid out millions to settle lawsuits related to the rootkit and recalled even more millions of CDs.

In 2014 several Netgear and Linksys routers were found to have built-in backdoors. SerComm, the third-party manufacturer that put the routers together, denied putting the backdoors in their hardware on purpose. But when the patch SerComm released ended up hiding the backdoor instead of fixing it, it became clear the company was up to no good. Exactly what SerComm was trying to accomplish with the backdoor remains unclear.

That same year software developers working on a spinoff of Google's Android operating system (called Replicant) discovered a backdoor on Samsung mobile devices, including Samsung's Galaxy series of phones. The backdoor allegedly allowed Samsung or anyone else who knew about it remote access to all of the files stored on affected devices. In response to the discovery, Samsung referred to the backdoor as a "feature" that posed "no security risk."

The other famous phone maker, Apple, refuses to include backdoors in its products, despite repeated requests from the FBI and US Department of Justice to do so. Pressure mounted following the 2015 San Bernardino terrorist attacks in which the FBI recovered an iPhone owned by one of the shooters. Instead of compromising the security of their iOS devices, Apple doubled down on privacy and made their iPhones and iPads even harder to crack. The FBI eventually withdrew their request when they were able to hack the older, less secure iPhone with the help of a mysterious third party.

Plugins containing malicious hidden code for WordPress, Joomla, Drupal and other content management systems are an ongoing problem. In 2017 security researchers uncovered an SEO scam that affected more than 300,000 WordPress websites. The scam centered around a WordPress CAPTCHA plugin called Simply WordPress. Once installed, Simply WordPress opened up a backdoor, allowing admin access to the affected websites. From there, the hacker responsible embedded hidden links to his sketchy payday loan website (other websites linking back to your website is great for SEO).

2017 also bore witness to the destructive NotPetya ransomware. The apparent patient zero in this case was a backdoor Trojan disguised as a software update for a Ukrainian accounting app called MeDoc. When questioned, MeDoc denied being the source for NotPetya. The real question—why would someone choose a wildly suspect Ukrainian accounting app called MeDoc?

In a 2018 news story that sounds like the setup for a straight-to-video, B-movie thriller, Bloomberg Businessweek reported state-sponsored Chinese spies had infiltrated server manufacturer Supermicro. The spies allegedly installed spy chips with hardware backdoors on server components destined for dozens of American tech companies and US government organizations—most notably Amazon, Apple, and the CIA.

Once installed in a data center, the spy chips were said to communicate back with Chinese command and control (C&C) servers, giving Chinese operatives unrestricted access to data on the network. Amazon, Apple, and various US government officials have all refuted the claims made in the Bloomberg story. Supermicro, in their defense, called the story "virtually impossible," and no other news organization has picked it up.

Finally, as an example of a situation where a company wishes they had a backdoor, Canadian cryptocurrency exchange QuadrigaCX made news in early 2019 when the company founder died abruptly while vacationing in India, taking the password to everything with him. QuadrigaCX claims all $190 million in client cryptocurrency holdings are irretrievably locked away in "cold storage," where they will sit for decades and eventually be worth zillions of dollars—or nothing, depending on how cryptocurrency goes.
 
