The SolarWinds hack is the most serious breach of governmental and corporate security in years, perhaps the most serious breach ever – at least among those that we know about. The first news of the attack appeared on the FireEye blog at the beginning of this month. From the start, it was clear that this was something beyond the usual hack in terms of its sophistication and impact:
The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.
Key to the intrusion was the insertion of malicious code into the Orion network monitoring software from SolarWinds – a backdoor in software that was very widely used and trusted. Although most analysis has focused on the identity of the attackers – the general consensus seems to be that it was a Russian group, probably with the connivance of the authorities there – it’s worth looking at another aspect: the fact that a backdoor was created in widely used software, and deployed to such devastating effect.
The issue of backdoors is an extremely important one for privacy, as numerous posts on this blog attest. Governments around the world continue to insist that law enforcement agencies must have “lawful access” to encrypted communications, which are in danger of “going dark”, as they put it. But as every security expert points out, adding any kind of backdoor to software that is supposed to be secure is a recipe for disaster. It’s like building a physical backdoor into the otherwise massive defences of a medieval castle: the backdoor becomes not just the weakest point of the entire building, but the obvious one, the place every attacker will go first. That’s particularly relevant because of the changing nature of the security and hacking landscape. Microsoft’s President, Brad Smith, wrote a blog post about the SolarWinds attack in which he notes that there is an “evolving threat”:
the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.
The emergence of these hackers for hire compounds the risk of adding an intentional weakness – such as a backdoor – to critical software. It means that in addition to the usual state actors that will try to break into a system containing a backdoor, there is a host of smaller but often highly competent commercial players who will try to do the same. That is especially the case if the backdoored software is widely used, since a way in can then be sold at a very high price, given its broad applicability. Few pieces of software are more widely deployed than encrypted messaging clients, one of the main targets of calls for backdoors to be required by law. As a result, the value of an exploit that grants third parties access to such encrypted communications will be greater still. Writing about the SolarWinds attack, Brad Smith also commented:
This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.
Wilfully introducing a potential vulnerability into encrypted messaging programs used by billions of people is also “an act of recklessness”, given the high probability that national actors or PSOAs will find and exploit weaknesses. It is not just reckless, it is also unnecessary.
Back in 2017, the security expert Bruce Schneier co-wrote a paper with the law professor Orin Kerr about encryption workarounds – ways of obtaining the plaintext without the need for any “lawful access” backdoors. The paper divides workarounds into six broad categories: find the encryption key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. Importantly, these are not simply theoretical approaches. Back in October, Privacy News Online wrote about a report from Upturn, entitled “Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones.” One section dealt with security circumvention, and with how mobile device forensic tools (MDFTs) are remarkably successful in bypassing even the strongest encryption:
MDFTs can often circumvent the security features built into phones in order to extract user data. In response, phone manufacturers continuously patch known security vulnerabilities and develop even more advanced security features, seeking to thwart unwelcome access, including by MDFTs. This “cat-and-mouse game” has evolved over years and continues to this day. MDFTs use numerous tactics to gain access to users’ data on phones, such as guessing a password, exploiting a vulnerability or developer tool, or even installing spyware. With rare exception, MDFTs can nearly always access and extract some, if not all, data from phones.
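To make the “guess the key” workaround concrete, here is an added worked example that is not part of the original post or of Upturn’s report. It assumes a simplified, constructed design: a device derives its encryption key from the user’s PIN with PBKDF2-HMAC-SHA256 and stores only a key-check value (an HMAC of a fixed string under the derived key) to verify PINs. Once an attacker has extracted the salt and that check value, every PIN can be tried offline, and the 4-digit keyspace falls in seconds no matter how strong the cipher is; the only real defence is the rate limiting that phone makers add, which is exactly what the “cat-and-mouse game” above is about. The iteration count, salt and lockout schedule are assumptions chosen for the demo, not values from any real phone.

```python
"""Added example: the "guess the key" workaround against a PIN-derived key.

Constructed assumptions (not a description of any real device):
  - key = PBKDF2-HMAC-SHA256(PIN, SALT, ITERATIONS)
  - the device stores only KCV = HMAC-SHA256(key, b"kcv") to check a PIN
  - an attacker who extracts SALT and KCV can test PINs offline
"""
import hashlib
import hmac
import itertools
from typing import Optional, Tuple

ITERATIONS = 200  # assumed; deliberately low so the demo runs in seconds
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed


def derive_key(pin: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Key derivation: strong KDF, but its input is only a short PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """What the device keeps to recognise the right PIN without storing it."""
    return hmac.new(key, b"kcv", hashlib.sha256).digest()


def enroll(pin: str) -> bytes:
    """Simulated enrolment: returns the KCV the device would store."""
    return key_check_value(derive_key(pin))


def brute_force_pin(kcv: bytes, length: int) -> Tuple[Optional[str], int]:
    """Offline 'guess the key': try every PIN of the given length in order.
    Returns (recovered_pin, number_of_attempts)."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=length):
        pin = "".join(digits)
        attempts += 1
        if hmac.compare_digest(key_check_value(derive_key(pin)), kcv):
            return pin, attempts
    return None, attempts


def expected_seconds(keyspace_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret: half the keyspace."""
    return (2.0 ** keyspace_bits) / 2.0 / guesses_per_second


def online_worst_case_seconds(length: int, free_attempts: int = 5,
                              delay_seconds: float = 60.0) -> float:
    """Worst case for an *online* guess against a throttling device that
    allows `free_attempts` instant tries and then delays every further
    attempt by `delay_seconds` (assumed schedule). This is the defence an
    MDFT has to bypass by exploiting a vulnerability rather than guessing."""
    total = 10 ** length
    return max(0, total - free_attempts) * delay_seconds


if __name__ == "__main__":
    stored = enroll("7391")  # constructed user PIN
    pin, tries = brute_force_pin(stored, 4)
    print(f"recovered PIN {pin} after {tries} offline attempts")
    print(f"4-digit PIN, throttled online: {online_worst_case_seconds(4) / 86400:.1f} days worst case")
    print(f"6-digit PIN, throttled online: {online_worst_case_seconds(6) / 86400:.0f} days worst case")
    print(f"random 128-bit key at 1e9 guesses/s: {expected_seconds(128, 1e9):.1e} s expected")
```

The contrast is the point: the same PBKDF2-plus-HMAC construction protects a random 128-bit key for longer than the age of the universe, but a 4-digit PIN is recovered in a few thousand attempts once the check value has been extracted. Raising the KDF cost buys only a constant factor; the throttling modelled by `online_worst_case_seconds` buys days or years, which is why forensic tooling targets the throttling mechanism itself.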
The real-life experience of US law enforcement agencies shows that encryption isn’t an insuperable problem, despite claims to the contrary from grandstanding politicians. There is certainly no evidence whatsoever that it is serious enough to warrant mandating backdoors in programs used by billions of people. Let’s hope that the continuing fallout from the backdoored SolarWinds software will at least help people understand why.
Feature image by GPA Photo Archive