A backdoor is a means to access a computer system or encrypted data that bypasses the system's customary security mechanisms.
A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes. However, attackers often use backdoors that they detect or install themselves as part of an exploit. In some cases, a worm or virus is designed to take advantage of a backdoor created by an earlier attack.
Whether installed as an administrative tool, a means of attack or as a mechanism allowing the government to access encrypted data, a backdoor is a security risk because there are always threat actors looking for any vulnerability to exploit.
In her 2000 article, "Who gets your trust?" security consultant Carole Fennelly used an analogy to illustrate the situation: "Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn't have time to go through all that might just rig up a back exit so they can step out for a smoke -- and then hope no one finds out about it."
How backdoors work
Backdoors vary widely. Some are put in place by legitimate vendors, while others are introduced inadvertently through programming errors. Developers sometimes add backdoors during development and then fail to remove them from production code.
Backdoors are also commonly put in place by malware. A malware module may act as a backdoor itself, or it may serve as a first-line backdoor: a staging platform that downloads the other malware modules that carry out the actual attack.
Encryption algorithms and networking protocols may also, at least potentially, contain backdoors. For example, in 2016, researchers described how the prime numbers used in encryption algorithms could be crafted so that an adversary could factor them -- and thereby break the encryption -- in algorithms previously thought to be secure.
In 2014, an approach to random number generation called Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) was found to contain a flaw that made the random numbers it produced somewhat predictable. The security community's consensus was that the NSA allowed the standard to be used, even though it knew of the weakness, so that it could use the weakness as a backdoor.
Detection and prevention
Backdoors can be very difficult to detect, and detection methods vary considerably depending on the computer's operating system. In some cases, antimalware software may be capable of detecting backdoor software. In other cases, security professionals may need to use specialized tools to detect backdoors, or use a protocol monitoring tool to inspect network packets.
There are several different strategies for avoiding backdoor attacks. First and foremost, organizations need to adhere to security best practices, such as avoiding untrusted software and ensuring that every device is protected by a firewall. Application firewalls can also help to prevent backdoor attacks, since they restrict the traffic that can flow across open ports. It is also important to monitor network traffic for signatures that may indicate the presence of a backdoor.
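Two of the checks described above, an unexpected listening service and an unexpected privileged account, can be expressed as a simple baseline audit. The following is an added example, not code from the original article; the baseline sets and the `ss -tlnp` and /etc/passwd style input are constructed sample data.

```python
import re
from dataclasses import dataclass

# Baseline maintained by the defender (constructed): allowed (process, port) listeners and uid-0 accounts.
ALLOWED_LISTENERS = {("sshd", 22), ("nginx", 443)}
ALLOWED_UID0 = {"root"}

@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str

# Matches one LISTEN row of `ss -tlnp` output: local address, port and process name.
SS_ROW = re.compile(
    r'LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"')

def audit_listeners(ss_output: str) -> list[Finding]:
    """Flag listening sockets whose (process, port) pair is not in the baseline."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_ROW.search(line)
        if m and (m["proc"], int(m["port"])) not in ALLOWED_LISTENERS:
            findings.append(Finding("unexpected_listener",
                                    f"{m['proc']} on {m['addr']}:{m['port']}"))
    return findings

def audit_accounts(passwd: str) -> list[Finding]:
    """Flag uid-0 accounts not in the baseline (a hardcoded admin account would show up here)."""
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in ALLOWED_UID0:
            findings.append(Finding("unexpected_uid0_account", fields[0]))
    return findings

# Constructed sample input shaped like `ss -tlnp` and /etc/passwd output; not real captures.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443      0.0.0.0:*    users:(("nginx",pid=950,fd=6))
LISTEN 0      5      0.0.0.0:31337    0.0.0.0:*    users:(("kworkerd",pid=4021,fd=4))
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc_backup:x:0:0::/:/bin/sh
"""

def run_audit(ss_output: str = SAMPLE_SS, passwd: str = SAMPLE_PASSWD) -> list[Finding]:
    """Run both checks; an empty list means nothing deviated from the baseline."""
    return audit_listeners(ss_output) + audit_accounts(passwd)
```

Run on a real host, the same functions would take the output of `ss -tlnp` and the contents of /etc/passwd, with the baseline sets generated from a known-good build.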
Famous backdoor attacks
There have been a number of high-profile backdoor attacks that have occurred over the last few decades.
In late 2020, a cybersecurity company called FireEye discovered an extremely serious backdoor hidden in updates for SolarWinds' Orion network management software. The attackers, believed to be a nation-state actor, used SolarWinds to carry out an island hopping attack that installed malware on Orion customers' networks in order to gather intelligence. The United States Cybersecurity & Infrastructure Security Agency (CISA) believes the attack began as early as March 2020 and that not all compromised organizations were actually targeted by the attacker for follow-up actions.
In early 2021, a Dutch cybersecurity firm discovered a hardcoded secret account that served as a backdoor in Zyxel firewalls and access point (AP) controllers. The secret account allowed attackers to give themselves administrative privileges, including the ability to change firewall settings and intercept traffic. The backdoor exploited a vulnerability in the credentials used to update firewall and AP controller firmware.
Another noteworthy attack was called Back Orifice. Back Orifice, created in 1999 by a hacker group that called itself Cult of the Dead Cow, took advantage of vulnerabilities in the Windows operating system (OS) to install backdoors that allowed remote control of Windows computers.
Backdoors are not always software based, nor are they always created by rogue hacker groups. In 2013, the German news outlet Der Spiegel reported that the NSA's Tailored Access Operations unit maintained a catalog of backdoors to implant in firewalls, routers and other devices to be used overseas. The NSA also allegedly incorporated backdoor capabilities into individual hardware components, such as hard drives and even USB cables.