Predictions on Backdooring Encryption
InfosecThe subject of gaining backdoor access to your private life isn’t a new one. In fact, before modern technology, authorities and organised criminals sought ways to listen in to places they shouldn’t – so what’s up with the latest attempt at gaining a peak into your private communications?
UK and US spy agencies spy on people. That’s a given, it’s no secret. What’s surprising is how brazen they are at wanting to make this easier. Spying is an artform that’s centuries old, and takes skill passed down from generation to generation – the tools, tactics and procedures (TTP’s) change, but the outcome remains the same.
So asking to backdoor communication tools such as WhatsApp, Facebook and other messaging apps just seems damn lazy in my opinion.
Let’s take a quick hypothetical look at how this might play out. Technically we can achieve anything, what matters is the risk it introduces - to technology, consumers and business.
Breaking the encryption mid-stream isn’t an option. Doing so causes inherent weaknesses within the protocols designed to protect data, resulting in not only abuse from other threat actors (criminals, other governments etc), but also destroys the trust consumers have on the very technology designed to protect them. In turn they either go elsewhere, or stick with the last known good (even worse because as time goes by, more weaknesses are uncovered).
What about backdooring the applications themselves? Still let end-to-end encryption fly, but break it open at the source\destination. This has recently been proposed by UK spy leaders as an opening discussion to industry.
If a closed source vendor such as WhatsApp comply, will the majority of consumers really care? Probably not. They’ll continue sending memes and group-chats trying to get 12 people to a restaurant on time, without a care for anyone watching. Who will care? The criminals, and they’ll have plenty of platforms to choose from. It will become a tedious game of whack-a-mole.
That is until the backdoor is abused. Then it becomes a problem both for consumers, and business. Who’s the blame? Who pays the ICO fine? Ironically with the recent WhatsApp vulnerability that hit the news, CVE-2019-3568 we didn’t see a dip in subscriber numbers at all. I suspect if the story was different, i.e. the government mandated access method was compromised – users would seriously consider their choice in product.
What about opensource projects such as Signal (the ones all the criminals just moved to)? Assuming they have no obligation to comply, and forgetting all the forked equivalent projects focusing on vigorous code review - the worst case scenario is that authorities compel Apple and Google to pull the app. The result? A rise in the use of side-loaded apps, jailbroken phones and further risks introduced to privacy minded people as a result. Or we’re back to the ‘last known’ good scenario, where users stay put.
I don’t know what the right answer is for authorities who are genuinely looking out for our interests when it comes to global terrorism, but the universal backdooring of popular technology products isn’t going to win. Technology is a key part of espionage, and from recent news – there doesn’t seem to be a shortage of government owned zero-day weapons available to fight the good fight. Backdooring protocols (such as TLS) fails to compel open standards bodies like the IETF. Backdooring products such as WhatsApp will only compel the real bad guys to go elsewhere.
Perhaps focusing on those generations of skill, talent and stealth still works, eh?