Since the release of our supply chain assessment of Huawei, we’ve received a lot of questions about backdoors and intent. The most frequently asked question generally sounds like this…
Q: Of the Huawei firmware images you analyzed, 55% had at least one potential backdoor. Can you tell if this was intentional?
While this is a straightforward question, there is no straightforward answer. Intent is nearly impossible to know through a technical analysis alone. From my time working in the cybersecurity field, I know that backdoors come in all shapes and sizes, and the best backdoors can be easily hidden as a security oversight. Let’s explore why.
In cybersecurity, a vulnerability is a weakness which can be exploited by a threat actor, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
A backdoor is a method of bypassing normal authentication or encryption in a computer system, a product, or an embedded device, or its embodiment. Backdoors are often used for obtaining remote access to a computer or obtaining access to plaintext in cryptographic systems. Although some are secretly installed, other backdoors are deliberate and widely known. These kinds of backdoors have “legitimate” uses such as providing the manufacturer with a way to restore user passwords; however, they almost always weaken security and should be removed before the product goes to market.
In essence, backdoors are a type of vulnerability. For example, leaving an administrative account accessible over telnet using the password ‘12345’ is a vulnerability. An attacker with that knowledge can gain backdoor access to the device. The colloquial term “backdoor” typically means something deliberately inserted. So what is the difference between a backdoor and a vulnerability? Intent, which is very difficult to prove.
The best intentional backdoors are indistinguishable from common vulnerabilities, so they can be 100% deniable.
The key takeaway is that, from an end user’s standpoint, the intent behind a vulnerability is far less important than the simple fact that the vulnerability exists. Whether that vulnerability can be exploited by advanced nation state actors who deliberately installed it or cyber criminals who stumbled upon it is relatively inconsequential. The most important aspect of vulnerability and risk management is understanding your exposure.
At Finite State, we can help you look at vulnerabilities and understand risks hidden deep inside the firmware of your devices, so you can understand your true risks.
Contact us to learn more and see a demonstration of the power of firmware analysis to mitigate risk in the IoT era.