Earlier this month, engineers at a U.S.-based mobile application firm found malware on dozens of new Android devices, Ars Technica reported. The nefarious files were not installed as part of the stock firmware, but rather added later, further down the supply chain. The infected smartphones included malware like “Loki,” which allows hackers to gain salient system privileges. This discovery should give mobile users pause. However, this situation is in no way surprising to those in the data security community.
Technology firms and the third-parties tasked with protecting their devices and software have long struggled with these destructive preloaded programs, collectively called “backdoors.” In fact, programmers have discovered them embedded in Android devices on three separate occasions in recent months. In November, security researchers found a firmware bug that facilitated code-execution attacks in almost 3 million smartphones featuring the Google-built OS. Another identified that same month automatically siphoned off data and stashed it in servers located in China, The New York Times reported.
These digital threats pose serious risks to mobile users, most of whom store sensitive personal and professional information on their devices.
In through the backdoor
Data privacy is a paramount concern these days, as automated technologies are further interwoven into daily life. Most device and software makers understand this and build their products to protect customer information. However, sometimes vulnerabilities develop during the production process and grow into gaping holes through which hackers of all kinds can enter. For instance, the backdoor that saved user data to Chinese servers was the product of miscommunication between device manufacturer BLU Products and the third-party software firm Shanghai Adups Technology Company, which designed a mobile solution to filter out junk calls, mail and texts. Instead, the program collected private information and created a pathway for external threats looking to do the same.
“It was obviously something that we were not aware of. We moved very quickly to correct it,” BLU CEO Samuel Ohev-Zion told The Times.
Indeed, the device company removed the software and ordered Adups to destroy the data. Even so, the ordeal brought to light the danger of backdoors, unintentional and otherwise. It also touched on an ancillary debate involving these vulnerabilities: their potential use as tools of government espionage.
Governments gain access
Adups regularly installed usage monitoring tools within smartphone firmware due to Chinese censorship laws. This factor immediately piqued the interest of national security experts. In fact, the security firm that found the backdoor first reported it to the Department of Homeland Security.
Of course, restrictive governments like China are not in their enthusiasm for backdoors. For example, U.S. agencies have recently advocated for such access in extreme circumstances. Following a 2015 terrorist attack in San Bernardino, California, authorities requested that Apple provide access to the attackers personal devices. The technology firm refused. However, this didn’t stop the FBI, which leveraged undisclosed software to pinpoint and take advantage of a previously unknown firmware vulnerability. Apple and data privacy advocates protested the agency’s use of the backdoor.
“Courts should be skeptical going forward when the government claims it has no other option besides compelling a device maker’s assistance,” Riana Pfefferkorn, a cryptographer at Stanford University’s Center for Internet and Society in California, told The Times. “Now that the FBI has accessed this iPhone, it should disclose the method for doing so to Apple. Apple ought to have the chance to fix that security issue, which likely affects many other iPhones.”
As expected, most information technology experts believe governments should be denied access to backdoors, according to survey data from Statista. Why? These features compromise user privacy in the hands of both hackers and white hats.