Cybercrime: Hidden backdoors to enterprise data


The word "backdoor" is regularly used in conversation between enterprise IT security folk. Generally, this will involve speculation about the US Government calling on Linus Torvalds to code one into the Linux OS, for example.

Occasionally, though, talk will turn to developer tools left in firmware or clever hackers finding unlikely routes into corporate networks via a printer or some other peripheral.

But just how much of a threat are backdoors to your data, and what should you be doing to mitigate the risk?

Unexpected routes to illegal access

D-Link recently patched the firmware of its routers after security researcher Craig Heffner discovered a backdoor that let him bypass the authentication process and access the device's web-based admin interface. The same researcher has also found backdoors in Chinese router manufacturer Tenda's products.


Why is that important? Well, in the case of router backdoors, it's a triple threat you're faced with. First there's the damage that can be done, such as changing passwords, disabling encryption and blocking access.

These devices also tend to have long lifecycles in most SMEs and, apart from power-cycling reboots every now and then, they are pretty much a fire-and-forget thing.

Furthermore, the process of upgrading firmware is so time-consuming that very few people ever consider doing it unless something is obviously broken and stops working properly. Router firmware security upgrades are rarely on the radar of the average enterprise.

Then there is HP, which admitted earlier this year to undocumented remote support backdoors in its StoreOnce D2D and StoreVirtual products that could potentially lead to hackers gaining root access to the OS and putting the data stored within at risk. These backdoors have since been patched.

Hackers know that disassembling firmware, although time-consuming and complex, can be worthwhile. Finding a remote debugger in the production testing code that was overlooked when the product went to release can be just as useful to a cybercriminal as finding a zero-day in software (if not as lucrative in financial terms).

Device-level vulnerabilities might be all but ignored by the IT department, but you can bet the bad guys will happily exploit them in any way they can for political reasons, malicious disruption, or as an alternative way to cause a data breach.

Not all backdoors are of the developer tools variety. Some are simply malicious, as Owen Wright, head of assurance at Context Information Security, points out.

"When an attacker has gained access to a system and elevated their privileges, adding a backdoor is often the next step to allow them to regain control if their initial compromise is detected.

"The most trivial examples of this include adding user accounts to a system (e.g. 'backup', 'guest') that look innocuous but allow the attacker to regain control of the system easily. Or, adding a program that runs every time the computer is booted and allows access," he explains.

"A more sophisticated example would be to change the password reset functionality of a system to send an attacker a user's password every time they change it."

There are also front doors that become backdoors through bad usage. "I think that the most common backdoors are actually left-out forgotten front doors," warns Amichai Shulman, chief technology officer of Imperva.

These are often "misconfigured, abandoned FTP servers, test applications left open to the world," he continues.

"Unnecessarily left-open admin interfaces could be used as backdoors by attackers either because they were misconfigured or have unpatched vulnerabilities that allow attackers to create a bridgehead inside the organisation's network."

Some backdoors are mistakenly not considered a security risk. Take the good old Multi-Functional Device (MFD) found in most offices, nearly all of which contain a hard drive.

Quentyn Taylor, director of information security at Canon Europe, told IT Pro its recent Office Insights report revealed how two-thirds of organisations work with sensitive information, yet 79 per cent print on an MFD that is accessible to others.

"This means vast amounts of information is at risk due to failure to prepare properly," Taylor warns.

"Our own research indicates companies are failing to safeguard information at the crucial output stage. If a document is printed on a device that can be accessed by others, it's at risk of both accidental document leaks and malicious theft."

As Tim 'TK' Keanini, CTO of Lancope, says, backdoors are everywhere and it is just a matter of time until they are discovered.

"The problem we have right now is the bad guys are the ones more motivated and funded to find them first," he said.

But the good news is that, compared to a decade ago, the exploitation of these hardware backdoors is relatively uncommon.

"As a penetration tester for four years, coming across a backdoor was fairly rare," explains Adrian Sanabria, senior security analyst with 451 Research. "Finding default credentials was much more common."

Sanabria says the security community has tried to shed light on the common issue of developers unintentionally uploading private keys to publicly accessible code repositories, like GitHub.

"While not a back door, per se, this issue allows the compromise to occur in the same manner," he tells IT Pro. "What makes any back door so dangerous is that no alarms go off when an attacker accesses it, as only one successful logon attempt occurs."
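As an added example that is not part of the article or of any quoted company's tooling, the check below turns Wright's innocuous 'backup' account and Sanabria's "only one successful logon attempt" point into a detection rule: it runs over constructed sshd-style log lines and flags successful logons that fall outside an assumed baseline of approved accounts and known source addresses, or that succeed first time with no prior failed attempt for that account. The log lines, host name, account names and addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines (sample data, not from any real system).
SAMPLE_LOG = """\
Jan 12 09:01:02 fs01 sshd[411]: Failed password for alice from 10.0.0.5 port 51122 ssh2
Jan 12 09:01:09 fs01 sshd[411]: Accepted password for alice from 10.0.0.5 port 51122 ssh2
Jan 12 09:15:44 fs01 sshd[502]: Accepted password for backup from 10.0.0.5 port 51200 ssh2
Jan 12 23:40:10 fs01 sshd[777]: Accepted publickey for svc_deploy from 203.0.113.9 port 40022 ssh2
Jan 13 02:03:11 fs01 sshd[801]: Failed password for root from 198.51.100.7 port 33011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse(log_text):
    """Return one dict per recognised sshd logon line; unrelated lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line))]

def find_suspicious_logons(log_text, approved_users, known_sources):
    """Flag successful logons that look like a backdoor being used rather than a
    normal user signing in. Each finding carries the reasons that fired; the
    'no prior failure' heuristic is weak on its own and is meant to be read
    together with the baseline checks."""
    failures_seen = defaultdict(int)   # failed attempts per account so far
    seen_success = set()               # accounts that have already logged on once
    findings = []
    for ev in parse(log_text):
        user = ev["user"]
        if ev["result"] == "Failed":
            failures_seen[user] += 1
            continue
        reasons = []
        if user not in approved_users:
            reasons.append("account not in approved baseline")
        if ev["src"] not in known_sources:
            reasons.append("source address never seen before")
        if user not in seen_success and failures_seen[user] == 0:
            reasons.append("first success with no prior failed attempts")
        seen_success.add(user)
        if reasons:
            findings.append((ev["ts"], user, ev["src"], reasons))
    return findings

if __name__ == "__main__":
    for ts, user, src, why in find_suspicious_logons(SAMPLE_LOG, {"alice", "svc_deploy"}, {"10.0.0.5"}):
        print(f"{ts} {user}@{src}: {'; '.join(why)}")
```

With the assumed baseline, the run reports the 'backup' account (not approved, succeeded first time) and the 'svc_deploy' logon from an unknown address; alice's ordinary session, preceded by a typo'd password, is not reported.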

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.