A “golden key” or a universal back door method, allows the bypassing of normal authentication in a product, computer system or algorithm. If used ethically it can be used for securing remote access to a computer system or for debugging purposes. The controversy surrounding golden key methodology stems from the fact that in the wrong hands, it can also open up physical access to those with malicious intent.
Major hardware manufacturers like Apple, Microsoft and Blackberry have taken publicly dissimilar positions on releasing universal back doors to their devices. As the world increasingly depends on devices supplied by these few suppliers, it is important to know where they stand, so you have an idea where your sensitive personal data is likely to end up.
Apple and San Bernardino
Perhaps the most publicized debate on universal backdoor keys took place after the 2015 San Bernardino terrorism shooting in the US. After the deadly attack, the FBI demanded that Apple create a universal back door to the iPhone’s operating system to access one of the terrorist’s devices, to which Apple refused. Apple was successful in legally defending their position against the FBI’s request. Apple suggested that it is unable to create a backdoor exclusive to the individual phone in question, and that by being forced to hack its own security systems, it would be unlocking access to all of its devices.
The FBI withdrew their request in 2016, when they said a third party (rumored to be Cellebrite) managed to unlock the shooter’s iPhone.
Microsoft and Secure Boot
Microsoft had developed a golden key. They have also learned first hand the dangers of this security issue after the golden key was accidentally released.
The key was discovered in March 2016, when security researchers (referred to as “MY123” and “Sliptstream”) found it preloaded on Microsoft devices. The key was likely designed for internal debugging purposes so developers could have a shortcut to run operating system checks. However it can allow those with access to it the ability to unlock any device (phones, tablets, and workstations) that is protected by Secure boot.
Secure boot is a feature that ensures each component loaded during the boot process is digitally signed and validated. It essentially makes sure your device boots using only software trusted by the PC manufacturer or user. Secure boot would normally block attackers from having access to your machine. But with an open back door, those with malicious intent can now have access as well.
When Microsoft was made aware of this unintentionally exposed back door, they initially downplayed its significance. However, after several months, the security researchers were paid a bug bounty and a patch was slowly released. Since then, Slipstream and MY123 were able to bypass Microsoft’s fix and insist that the issue will persist and Microsoft may be unable to ever completely reverse this leaked key.
Blackberry and the RCMP
Blackberry claims that they do no provide decryption keys to anyone. They will however cooperate with law enforcement under special circumstances or via court order, according to CEO John Chen. However it was discovered last year that RCMP has had access to master key to BB encryption since 2010.
Unbeknownst to Canadians for several years (as is typically the case with backdoor access), the RCMP had access to one million encrypted messages from 2010-2012. For consumer grade phones the decryption key is still likely in the RCMP’s possession. It seems that same encryption key would not work on business and corporations running Blackberry Enterprise Server.
While RCMP claims the universal decryption key that was necessary to help investigate a Montreal mob related killing, at the end of two years of secretive surveillance nobody stood trial for the shooting.
C.I.A. and WikiLeaks
In March of 2017, WikiLeaks released the largest leak of C.I.A. documents in history. The leak released thousands of pages of information that details how the the agency breaks into smartphones, computers, even smart televisions. It also included the actual code for cyber weapons (partly redacted by WikiLeaks), in addition to the code names for C.I.A projects.
Perhaps this is the most significant example of universal back door being problematic. The CIA uses its hacking ability to carry our espionage against foreign targets CIA, with the information leaked, other nations will likely be able to attribute attacks on their own infrastructure back to the source.
Things to Consider
Government officials and politicians worldwide (the FBI, British secretary Amber Rudd,etc.) have claimed that without back doors into messaging apps, or mobile devices manufactures are enabling a secret place for terrorists to collaborate and communicate.
However, security by-pass commands like universal back doors and golden keys don’t protect users privacy. It is almost never disclosed to end users that they exist, and are inevitably found, stolen, leaked or discovered, putting consumer’s sensitive data at risk.