Don’t worry, the backdoor to your data already exists

iPhone Passcode

Risk assessment: we’re not even safe in the air anymore. Every time you log into a device and have it connected to the space we call the Internet, it most likely checks for automatic updates … unless you’ve turned them off. Depending on how urban you are, it might be a good idea to do so. Because the very developers you’ve purchased your software from most likely also provided hackers with a pre-installed backdoor. Sort of.

In a recent article on Ars Technica, Leif Ryge discusses the importance of the ongoing encryption battle between Apple and FBI. The FBI demands that Apple develops a new operating system (likely a modified version of iOS); one that would assist the FBI in catching criminals without having to turn to Apple for help –this would also set a nefarious precedent. The Feds also demand that Apple’s devices no longer delete certain data after a limited number of failed PIN unlocking attempts. It would effectively let anyone abuse your phone for hours on end, should they get their hands on it.

There’s also a push for Apple to provide the FBI with a “backdoor” to their operating system — even Apple is calling it such. But that backdoor has existed for a long time; it simply takes the right key to get access, and that’s something the FBI is very interested in. Giving in to those demands would put other IT companies in an awkward position, and unlikely to succeed in refusing the FBI themselves. The clincher is that other countries could follow in the those tracks. After all, if the iPhone is accessible by the United States, why shouldn’t it be the same in, say, China?

But before we start concerning ourselves with whether China will be hacking their way through smartphones on an international level, there’s already a major security flaw to address. Because in pretty much every software update you receive, be it on your computer, tablet, or phone, there’s a hacking buffet awaiting the one that gets a hold of that update’s master key. Assume that this is your operating system for one moment, take a few steps back and breathe.

How often is your device automatically updated (assuming you have that option turned on)? How about the entire OS? For an OS, it most likely checks whether or not you’re using an authentic version of the software before starting the update. At that very moment, it will often use the previously mentioned master key. There can be several keys to get access to your system, and due to their nature, they’re cryptographic single points of failure. They are access points rather than safeguards, should they fall into the wrong hands.

If you’re having a bad day, and a poorly mannered hacker passes by your digital life, they might infer it’s a good day to check for someone with a false sense of security. Provided the conditions are right, the hacker could be in a position to pose as an authentic update to your device. In a worst case scenario, this then equals a malicious automatic update delivered directly to you, one which the hacker tricks your device into believing is real. It wouldn’t look dangerous. For all you’d know it looks like an update with puppy eyes, meant to improve your system stability and ask you to play around with all the new toys/features.

“But,” you ask, “if this key is so powerful, what happens if it’s not just some lone hacker that gets access to that key?” Massive damage, perhaps. It all depends on the intentions of your hacker. The crucial point is that they essentially will have the ability to do as they please with your device. All due to a deliberately placed security system that’s getting outrun by both governments and criminal organizations.