
Getting Ready for the All Clear for Backdoors?

Introduction

As GDPR heads towards an increasing application of encryption, the US may move towards legislating for a backdoor on crypto - named "responsible encryption". The justification revolves around cases such as that of Syed Rizwan Farook, who killed 14 people in San Bernardino. Within the investigation, the FBI put considerable pressure on Apple to open the phone, but it refused. After this, the US government pushed through a court order to force Apple to produce a new operating system which could be unlocked, and again Apple refused and said that it was "a threat to individual liberty". Many now see strong encryption as the key weapon in a battle between perfect encryption and a Big Brother society, where civil liberties are the ultimate target. And so, to soften the tone of the debate, the term "exceptional access" was coined.

Clear

While President Obama dismissed the application of backdoors into crypto, it is now being pushed forward within the Trump administration. The method being proposed - Clear - was patented by Ray Ozzie, who was the creator of Lotus Notes. His method involves:
  1. Obtain a warrant for the locked, encrypted phone.
  2. Access a special screen which generates a QR code containing an encrypted PIN.
  3. Send the QR code to the phone’s manufacturer, who checks the validity of the warrant.
  4. The manufacturer of the phone then sends the decrypted PIN to investigators, who can then unlock the phone.
With this, the manufacturer has a key pair - a public key and a private key. The private key is stored securely by the manufacturer in a highly secure environment. This key pair is then used to encrypt a security PIN, which is stored on the device. That PIN would only work on that specific device and on no others. The device would also contain a time bomb, which freezes its contents so that it cannot be used - in order to stop any tampering of a device for surveillance reasons. The following outlines the basic operation:
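
The exchange in steps 1 to 4, as an added sketch that is not Ozzie's code or part of the original post. The warrant registry, the class and function names and the toy RSA parameters are assumptions made for illustration:

```python
# Added sketch of the Clear message flow (steps 1-4 above). Textbook RSA over
# two known Mersenne primes stands in for the manufacturer's key pair; it is a
# toy chosen so this runs on the standard library, not a usable cipher.
import secrets

P, Q, E = 2**61 - 1, 2**89 - 1, 65537      # constructed toy parameters
N = P * Q                                  # public modulus, known to devices
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, vault only


class Manufacturer:
    """Holds the private key; releases a PIN only against a valid warrant."""

    def __init__(self, valid_warrants):
        self.valid_warrants = set(valid_warrants)  # hypothetical registry

    def handle_request(self, warrant_id, qr_payload):
        if warrant_id not in self.valid_warrants:  # step 3: validate warrant
            raise PermissionError("warrant not valid")
        return pow(qr_payload["enc_pin"], D, N)    # step 4: decrypted PIN


class Device:
    """Phone holding a device-specific PIN encrypted to the manufacturer."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._pin = secrets.randbelow(10**12)      # unique to this device
        self._enc_pin = pow(self._pin, E, N)       # stored at manufacture
        self.unlocked = self.frozen = False

    def special_screen(self):
        # Step 2: the QR code exposes only the encrypted PIN.
        return {"device_id": self.device_id, "enc_pin": self._enc_pin}

    def exceptional_unlock(self, pin):
        if self.frozen or pin != self._pin:
            return False
        # Contents are released, then the device freezes against further use.
        self.unlocked = self.frozen = True
        return True


def run_exchange(device, manufacturer, warrant_id):
    """Investigator's path: QR code out, PIN back, unlock attempt."""
    qr = device.special_screen()
    pin = manufacturer.handle_request(warrant_id, qr)
    return device.exceptional_unlock(pin)
```

Every device's PIN is recoverable from its QR code by whoever holds D, so the protection of that one private key carries the whole scheme.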


Other backdoors

Overall there are a number of ways that a backdoor can be added to a piece of software:
  • Escrow. In encrypted communications, one method is to keep a copy of the encryption key that could be used at some time in the future. Details [here].
  • Defining a standard that you know you can crack. The NSA and law enforcement agencies around the world have been accused of helping to define a standard and setting various parameters, and they know they have the methods to crack them.
  • Source code addition backdoor. This is the typical way that an intruder would add a backdoor, where additional code is added which performs a task that allows the source code writer back into the system. Normally the code is added by the writer, but then an intruder finds the backdoor and can exploit it.
  • Injected code backdoor. With this, packages such as Metasploit insert some additional code into the application, which allows it to work the same but creates a backdoor connection. Normally this is a call-out method, where the program calls out to the malware writer.
  • Compiler backdoor. This is the best method for going undetected, where the compiler itself adds the additional code to every program which uses the compiler. In terms of mass exploitation, the compiler backdoor will have the greatest scope, as it will affect a wide range of applications. The executable will also be signed to verify that it is a valid application.
  • Vulnerability and XSS exploit. This involves compromising a system in order to create a backdoor, typically injecting code into a running application which causes the system to open up a backdoor connection.
The opening of a network connection will obviously be detected on the system, but code writers have implemented a number of smart ways to cover this up, including passing secret pass phrases for passwords, or port knocking, where network packets are sent to a well-known open port, which then causes another port to open.

A. Defining a standard you know you can crack

A key focus for law enforcement is the cracking of cryptography, especially for tunnels and VPN connections. Devices created by Juniper were found to have a flaw which allows agencies to decrypt VPN traffic. The company may have also used Dual EC (Elliptic Curve) DRBG (Deterministic Random Bit Generator) for generating the random numbers required to create VPN tunnels. This method, which was promoted by the NSA, has a known weakness and can be cracked.
The possible backdoor in Dual EC DRBG has been known about since 2004, and the team who worked on it had the chance to plug the gap but failed to. It thus allows law enforcement agencies to crack SSL/TLS encrypted traffic which used the method for random number generation. It was thus assumed that no-one would use the method, but, in Juniper's case, it has been found in some of their devices.

In 2013, Edward Snowden showed NSA memos which indicated that the NSA had been the sole editor of the standard, whereas NIST responded that it did not deliberately weaken any cryptography standard. The following year, NIST recommended that companies stop using it, and withdrew it from its draft guidance on random number generation. Also in 2013, OpenSSL was found to be implementing the method, which allowed TLS/SSL connections to be decrypted.

The back door in the Elliptic Curve method for Dual_EC_DRBG caused a great deal of suspicion about the definition of NIST's P curve standards, and that they had been selected to give an advantage in breaking the public keys. Most of the industry has moved away from the P standards (such as P-256) and towards Curve25519 (which is shown in the graphic on the right-hand side and which was created by Daniel J Bernstein), which is now used by Tor, Signal, WhatsApp, Facebook, OpenSSH, and many other standards. In 2013, Bruce Schneier stated that he didn't trust the values selected:
I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry
I have plotted some of the standard Elliptic Curve parameters [here], but here is the beauty of Curve25519.

B. Source code additional back door

It has long been the case that code writers have added additional code which allows them back into the code whenever they require. They will often add debug functions which can be remotely enabled, but which they forget to switch off. This backdoor method works well, until the source code is read and the additional code is revealed. With the rise of GitHub repositories, it can become obvious when the backdoor has been added. The following outlines a few backdoors:



A classic backdoor was added to an FTP server (vsftpd), which has an intentional backdoor within the version running on it. The backdoor is exploited with a username ending with:
“:)”
and then the server listens on port 6200 and awaits a connection:

root@ubuntu:~# telnet 1.2.3.4 21

Trying 192.168.99.131...

Connected to 10.200.0.1.

Escape character is '^]'.

220 (vsFTPd 2.3.4)

user mybackdoor:)

331 Please specify the password.

pass none ^]

telnet> quit

Connection closed.

telnet 1.2.3.4 6200

Trying 10.200.0.1...

Connected to 10.200.0.1.

Escape character is '^]'.

id;

uid=0(root) gid=0(root)
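
A detection sketch for the session above, added here and not part of the original post: it flags FTP usernames containing “:)” and connections to port 6200, and links the two when they fall close together. The log format, the sample lines and the five-minute window are constructed for the example:

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified log format:
#   <ISO timestamp> ftp-cmd <client-ip> "<command>"
#   <ISO timestamp> conn <src-ip> -> <dst-port>
SAMPLE_LOG = """\
2018-04-30T10:00:01 ftp-cmd 198.51.100.7 "USER alice"
2018-04-30T10:00:05 ftp-cmd 203.0.113.9 "USER mybackdoor:)"
2018-04-30T10:00:06 ftp-cmd 203.0.113.9 "PASS none"
2018-04-30T10:00:09 conn 203.0.113.9 -> 6200
2018-04-30T10:02:00 conn 198.51.100.7 -> 21
2018-04-30T11:30:00 conn 192.0.2.44 -> 6200
"""

FTP_RE = re.compile(r'^(\S+) ftp-cmd (\S+) "USER (.*)"$')
CONN_RE = re.compile(r'^(\S+) conn (\S+) -> (\d+)$')
BACKDOOR_PORT = 6200             # port named in the session above
WINDOW = timedelta(minutes=5)    # assumed correlation window


def detect(log_text):
    """Return (kind, source-ip, timestamp) alerts in log order."""
    trigger_times, alerts = [], []
    for line in log_text.splitlines():
        if m := FTP_RE.match(line):
            ts, client, user = m.groups()
            # "contains" is a superset of "ends with", so nothing is missed.
            if ":)" in user:
                trigger_times.append(datetime.fromisoformat(ts))
                alerts.append(("trigger-username", client, ts))
        elif m := CONN_RE.match(line):
            ts, src, port = m.groups()
            if int(port) != BACKDOOR_PORT:
                continue
            when = datetime.fromisoformat(ts)
            # A 6200 connection soon after a smiley login is the strong signal.
            linked = any(timedelta(0) <= when - t <= WINDOW
                         for t in trigger_times)
            kind = "backdoor-shell-likely" if linked else "port-6200-unexpected"
            alerts.append((kind, src, ts))
    return alerts
```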
 
The UnrealIRCd IRC daemon runs on port 6667. The version on Metasploitable has a backdoor where the user sends “AB”, and then follows it with a system command on a listening port (see demo above).

B. Intentional backdoors

Cryptography cracking is often one of the most challenging areas for investigators to crack, so there have been many allegations of companies tampering with source code in order to create backdoors. While these are not necessarily network connections, the software is modified in a way which changes the functionality of the encryption function.

One company, Crypto AG, a Swiss cryptography company which makes encryption machines, had been accused of modifying their software in collusion with intelligence agencies from Germany (BND), the UK (GCHQ) and US (NSA). This was highlighted, in 1986, when Ronald Reagan announced that the US had intercepted encrypted diplomatic communications between Tripoli and the Libyan embassy in East Berlin, related to a bombing in Berlin. In 1992, the Iranian government even arrested Hans Buehler, a salesman for the company, who was released in 1993 without revealing any flaws in the machines (and after $1 million bail money was paid).

Crypto AG soon after dismissed Hans, and requested that he pay back the $1m. Since then Der Spiegel has interviewed former employees and concluded that the machine was indeed rigged. Even after several other investigations, there is still no conclusive proof of the rigging, but some suspect that the relationship with defence agencies goes back to 1954.

C. Juniper backdoor

Juniper recently announced that there were two backdoors on their devices, which allowed intruders to gain administrator access and also decrypt the encrypted content. It was the kind of shock that has not been seen since the asleap script was released, which could crack most Cisco Wi-Fi access points which used the LEAP authentication method.

With backdoors in cryptography being a hot topic, Juniper revealed that it had traced “unauthorized” code within its ScreenOS operating system on some of its firewalls, which allowed an intruder to take complete control of Juniper's NetScreen firewalls using a hard-wired password. This would allow them to decrypt all the encrypted traffic for VPN connections. There is a patch for this, but intruders can now determine the required password - which has been hard-wired into the code - by examining the ARM code used in the backdoor:


The strange thing is that the password is "<<< ." and looks like standard C++ compiled code. It is a bit like adding:

password = "let a = b + 1" 
 
The following is a sample login:

$ ssh system@192.168.1.1

Password: <<< %s(un='%s') = %u
 
Analysts have already managed to identify the password in just six hours. Overall the logs would just show that there was a successful login with "system":



In 2013, Der Spiegel outlined the FEEDTHROUGH method which maintained a backdoor onto Juniper firewalls. This approach was different to the methods outlined in the latest backdoors, as it was a post-compromise method.

D. Injected code backdoor

With this, packages such as Metasploit insert some additional code into the application, which allows it to work the same but creates a backdoor connection. Normally this is a call-out method, where the program calls out to the malware writer. The following shows the addition of call-back code into the Putty.exe application:



This method is normally detected by virus scanners, as it often adds a standard piece of code which can be detected on a system. When downloading standard programs, it is often important to take the hash signature of the application, in order to determine if it has been modified.

E. Vulnerability and XSS exploit

With a vulnerability exploit, the code writer has allowed the exploit to propagate through the system and cause it to open up a backdoor. This typically involves XSS (cross-site scripting), where some code is injected into running software and propagates through the system to open up a network connection. Adobe Flash is a major contender here for this type of exploit, where some shell code is fed through the Flash plug-in and onto the system. There are many examples of where Flash has been compromised in order to feed the code through, as it is typically running with high levels of trust on the system.

F. Compiler injection backdoor

In 1984, Ken Thompson, inventor of Unix, outlined how he could inject a virus into a compiler. For this he added the code into the code being compiled, and also into the compiler itself, so that the malware could be sustained in future versions of the compiler. He thus knew how to inject the malicious code into the compiler, but not leave a trace in the source code. As it was compiled into the lowest level of the code, it is almost impossible to detect the added code, as the source code shows no sign of it. While 1984 was the year of the release of the Apple Mac, it is Apple who were one of the first to be pin-pointed by the methods that Ken outlined in the same year.

A compiler converts high-level code, such as C++ or Pascal, into a machine-ready equivalent (machine code). This can be done to produce a portable executable, such as an EXE in Microsoft Windows. One way to compromise an application is to create a backdoor in the compiler, so that a line of code such as:

Console.WriteLine("Hello")
 
could be compiled to perform the machine code equivalent of:

Console.WriteLine("Hello")

TcpSocket(9999);

which might open up a network port (9999) which could be connected to. In this way, when the app was uploaded onto a site, it would look as if it was a valid compile. It thus means that good applications will be infected in the same way as bad apps, and will be signed by a trusted certificate.

XcodeGhost

With XcodeGhost the target was Apple iOS, and it replaces Apple's Xcode (which is used to create iOS and Mac OS apps). Unfortunately Xcode is rather large to download (over 3GB), so in countries such as China developers have had to download Xcode from untrusted sources, which had a backdoor added to it. This resulted in over 300 back-doored apps being added to the Apple App Store, including WeChat, which is a messaging app used by over 600 million people.

The malware itself is able to show phishing pages which are used to steal user credentials, and it does seem surprising that Apple allowed more than three dozen backdoored apps to be hosted on the App Store, including WeChat, Didi Kuaidi (a similar app to Uber for car-hailing), and NetEase Inc (a Spotify-like music app).

Normally a program is produced and then signed with the private key of the developer, which verifies that it has come from a trusted source (a public key then verifies that the code has come from a trusted source and also that it has not been modified - known as code signing with a strong key). So, in the case of XcodeGhost, valid developers will produce signed apps but where they have a backdoor added in the executable program.


Conclusion

The debate about backdoors in cryptography is now one of the most fundamental of the 21st Century, and it will not go away any time soon. With many countries looking to ban anonymous VPN access, the tension between security and privacy is just going to grow larger. GDPR moves towards the rights of the citizen to privacy, but law enforcement still wants exceptional access. A store of keys in escrow would be a major target for any adversary, and a breach of this would cause a massive security hole in the Internet.


