By Rodrigo Fragola, Deputy Director of Defense and Quality at ASSESPRO-DF and President of Aker Security Solutions
Never before in this country has a keyword been so popular in the media, and probably in search engines, as the expression "porta dos fundos". And here we are not referring to the comedy troupe of the moment, but to the Portuguese equivalent of the English "backdoor", and only when the word appears in connection with computer or telematics incidents.
A curious fact, however, is that while the subject is trivialized in every kind of forum, and even at dinner tables, there is still no clear proposal for regulating it in the National Congress or in the security bodies.
Without pretending to be the one to introduce such a proposal, I ask permission, at least, to offer an opinion on whether it is worth reflecting on the need (or not) for specific legislation.
The issue is quite complex. It was through a backdoor, according to the security company SafenSoft, that in 2014 criminals managed to install "Ploutus", a piece of malware that turns the machine into a cash dispenser under the attacker's control, on hundreds of ATMs in Mexico. The entry point was nothing more than an innocuous CD-ROM drive which, amazingly, still existed and was physically accessible on countless machines of this type in that country: with access to the drive, the attacker could boot the ATM from his own disc and load the malware.
In this particular episode it is clear that the backdoor was nothing more than the result of a foolish vulnerability, attributable to a design error or a naive assessment of the risk to which ATMs are exposed.
In fact, when a backdoor is discovered, whether in a branded device or in a commonly used application, the most common reaction is to treat it immediately as a "development bug" and present it to the public in that way, which is not always the case. An apparently accidental bug may have been inserted deliberately, precisely in order to create a backdoor, leaving the consumer or user unaware of its real origin, whether accidental or planned.
In other words, the most worrying backdoors are those produced in the opposite way to what happened with the aforementioned ATMs in Mexico, that is, those that are designed as an essential part of the software or hardware product.
Always at the centre of the most heated controversies, this type of backdoor was the pivot of high-level disputes between the two greatest world powers when, last year, the Chinese government made public part of its draft anti-terrorism law, which would oblige domestic and foreign companies to install backdoors in their computer products so as to guarantee state security agencies access to those products while in use.
In its vehement, and morally just, complaint, the US government forgot the basics: namely, its own numerous legal provisions that require backdoors not only in hardware systems but also in applications and social networking systems and even, something neither openly admitted nor emphatically denied, in the operating systems of personal machines and network servers.
In fact, as early as the 1990s (on a network which, by the way, was initially developed for American military purposes), US law enforcement had already built "Carnivore", a kind of cybernetic tarantula: a packet-capture system installed at Internet service providers and capable of filtering e-mail messages, web postings and any other traffic passing through the provider's network in search of a targeted subject's communications.
To give interception of this kind a legal footing, in 1994 the US government passed the Communications Assistance for Law Enforcement Act (CALEA), which obliges telecommunications carriers to build lawful-intercept capabilities into their network equipment (the backdoors in question) so that the authorities can obtain call content and call-identifying information; in 2005 the obligation was extended to broadband Internet and interconnected VoIP providers, planting interception points across the network as a whole.
And there are countless other devices, some much older than the already veteran Carnivore, such as Echelon. Created out of the intelligence agreements between the USA, the United Kingdom and other allies at the end of the Second World War, Echelon was put into operation decades later, by the 1980s. Today it is notoriously one of the central instruments of the group known as the "Five Eyes", as it involves the intelligence services of the USA, the United Kingdom, Canada, Australia and New Zealand. Echelon is nothing more nor less than a global network explicitly geared towards covert surveillance. It does not belie its spying role in gathering critical information that the Five Eyes group classifies as SIGINT, or "signals intelligence".
But if, as we have seen, there are accidental backdoors, the result of a design error or naivety, and backdoors that are intrinsically undesirable (although justifiable on military grounds), since they are designed to serve state interests and almost always affront our privacy, it must also be stressed that there is a kind of "good" backdoor.
These are, for example, interfaces built into hardware or software that allow the manufacturer or maintainer to provide remote support, improvements or further development for the device. It is often through interfaces of this type that protection systems against intruders are themselves updated. Such backdoors, however, are among cybercriminals' favourite routes to their loot: a maintenance interface that is reachable from the network, protected by a default or shared credential, or left enabled after support has ended serves the attacker exactly as well as it serves the maintainer.
So, discussing regulation of backdoors raises at least three initial questions which, of course, do not pretend to exhaust the topic:
1 – Is it possible (and advisable) to ban backdoors? If so, on what technological basis is such a ban feasible without causing unbearable harm to industry, state security or end users?
2 – Is it possible to establish legal controls over backdoors, legal or illegal; and, again, on what technical basis, beyond the legal and political sphere?
3 – Where should the regulatory framework begin, and which models already in force in other countries could we look to for the purposes of discussion?
The only answers I have at the moment are that unintentional backdoors are a straightforward matter of process engineering and management strategy. It falls to the industrial sectors involved in computing and telematics to improve product design through risk mapping and assessment.
The security industry is an essential ally in advancing excellence in locating and combating vulnerabilities, as well as in automating the identification of backdoors and the monitoring and access-control systems around them.
"Service" backdoors with benign purposes, on the other hand, are natural features of the cyber and telematics world and require the same security-engineering care described above for accidental holes. They do, however, offer us in theory the advantage of being known entities, technically documented in the device's design and available to the user or administrator, who can then restrict and monitor them to keep intruders out.
As for backdoors arising from wartime legislation or state impositions in general, the complexity of the answer goes far beyond the technical question and calls for a discussion that covers topics such as the geopolitical reach of countries' digital legislation.
It is a rough and difficult, but urgent, issue for society as a whole and especially for the legislature and the security and defence community.
What is certain, for now, is that whatever direction this discussion takes, the debate will not advance without the indispensable contribution of the technology community. It is necessary, however, that the State and our civic institutions grant recognition and credibility to the national academic, industrial and military groups that are in fact willing to debate the matter in the light of specifically Brazilian interests, exactly as happens in several other countries with regard to their own national organizations and companies.