In this week's Risk & Repeat podcast, SearchSecurity editors discuss the FBI's continued criticism of encrypted devices and the risks of vendor-created backdoor access points.
The discussion over backdoor access in IT products received more fodder this year thanks to the FBI and Lenovo.
First, FBI Director Christopher Wray said that encrypted devices that can't be unlocked by law enforcement are a "public safety issue." Speaking at the FBI International Conference on Cyber Security earlier this month, he said the FBI currently possesses nearly 7,800 locked devices that it can't access despite having warrants. While Wray said the FBI is not looking for backdoor access to devices, he criticized the technology industry for not pursuing a "responsible solution" to the problem.
Then, shortly after Wray's comments, Lenovo issued a security advisory announcing it had found an authentication bypass mechanism in the Enterprise Networking Operating System (ENOS) software that runs some of the computer maker's switches.
The bigger problem, according to the security advisory, was that the mechanism was named "HP backdoor"; Lenovo discovered it had been placed in ENOS in 2004, when the software was owned by Nortel Networks, following a request from a Nortel OEM customer. However, it's unclear why Nortel decided to add a backdoor to the OS and whether HP refers to Hewlett Packard Enterprise.
Lenovo's security advisory adds a wrinkle to the debate over strong encryption. Does Wray's criticism of technology companies have merit? How could the HP backdoor go unnoticed for so long? How common are vendor-created backdoor access points in popular technology products? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.