China Possibly Hacking US “Lawful Access” Backdoor
The Wall Street Journal is reporting that Chinese hackers (Salt Typhoon) penetrated the networks of US broadband providers, and might have accessed the backdoors that the federal government uses to execute court-authorized wiretap requests. Those backdoors have been mandated by law—CALEA—since 1994.
The wiretap systems, as mandated under a 30-year-old U.S. federal law, are some of the most sensitive in a telecom or internet provider’s network, typically granting a select few employees nearly unfettered access to information about their customers, including their internet traffic and browsing histories.
But for the technologists who have for years sounded the alarm about the security risks of legally required backdoors, news of the compromises are the “told you so” moment they hoped would never come but knew one day would.
The Washington Post reported on the hacking campaign yesterday, describing it as “an audacious espionage operation likely aimed in part at discovering the Chinese targets of American surveillance.” The Post report attributed the information to US government officials and said an investigation by the FBI, other intelligence agencies, and the Department of Homeland Security “is in its early stages.”
The Post report said there are indications that China’s Ministry of State Security is involved in the attacks.
This incident should henceforth be the canonical example when arguing against “back doors for the good guys” in any networks or protocols. It’s not fair to say that all back doors will, with certainty, eventually be compromised, but the more sensitive and valuable the communications, the more likely it is that they will. And this one was incredibly sensitive and valuable. There are downsides to the inability of law enforcement to easily intercept end-to-end encrypted communication, but the potential downsides of back doors are far worse.
According to a 2016 paper from Public Safety Canada, “Australia, the U.S., the UK and many other European nations require CSPs [Communications Service Providers] to have an interception capability”; it also notes Canada does not. Such a requirement is understandable from an investigative perspective. But, as Pfefferkorn says, capabilities like these have been exploited before, and it will happen again. These are big targets and there are no safe backdoors.
Previously:
- Proposed EU Chat Control
- Extending Section 702 of FISA
- Privacy Is OK
- ProtonMail Opposes EU Golden Key
- Attorney General William Barr on Encryption Policy
- The Time Tim Cook Stood His Ground Against the FBI
- Ray Ozzie’s Encryption Backdoor
- Apple, CALEA, and Law Enforcement
- Microsoft Leaks Its Golden Key
- Why Are We Fighting the Crypto Wars Again?
- Apple Working on Removing iOS Backdoor
- FBI Asks Apple for Secure Golden Key
- Secure Golden Key
2 Comments RSS · Twitter · Mastodon
This is the inevitable outcome of any backdoor. It's inherently insecure and shouldn't exist
Sharing an access key / certificate with someone who can’t control its security, I mean saying that’s inevitable means any user account or ssh key on any system is compromisable.
What does that say about IT? We have been talking around that secret since its inception? Mind blowing.
