
How to tell a security backdoor from a vulnerability

Security backdoors and security vulnerabilities can often be confused with one another. Expert Michael Cobb offers guidance on distinguishing the two.

IT security professionals can be very pedantic. It can make meetings a little tedious, or take them off topic: querying someone's use of the terms vulnerability, risk and threat, or interrupting when someone refers to a virus when it's technically a worm. The application of the term "backdoor" to certain types of vulnerabilities can certainly spark a heated discussion at the moment, due to the growing debate over encryption and government spying. This tip explores the differences between a security backdoor and a vulnerability, and when it's appropriate to label something as a true backdoor.

Classifying security vulnerabilities

There are plenty of definitions of the term vulnerability as it relates to computer security, but the National Information Assurance Glossary produced by the Committee on National Security Systems covers it reasonably well: "Weakness in an IS, system security procedures, internal controls or implementation that could be exploited." Note that a vulnerability can exist not just in software but hardware, a physical location, a process or anything that plays a role in an IT environment and could allow an attacker to reduce its information assurance.


Not all vulnerabilities have equal impact though, and vulnerabilities in software are usually ranked by severity to help system administrators prioritize mitigation strategies. The National Vulnerability Database provides severity rankings of Low, Medium and High, while Microsoft uses Low, Moderate, Important and Critical. Vulnerabilities in software occur due to a wide variety of reasons: design flaws, logic flaws, unanticipated risk and programming errors among others, and despite the use of security development lifecycle assurance frameworks, vulnerability scanners and code analyzers, software written by humans is never going to be perfect.

Vulnerabilities are often introduced when ease of use is given priority over security. For example, some programs purposely include code, such as a hardcoded username and password combination, that allows administrators to bypass the program's normal access controls and gain access to the system. In the early days of computer networking it was quite common practice to allow vendors to service client installations this way without having to be physically on site. These are security backdoors purposely engineered into a program.

Identifying security backdoors

Although deliberately included in a program for legitimate use, these backdoors are a huge security risk because anyone else who discovers them can access the system on which they are running. Certain vulnerabilities in a software program or configuration can also unintentionally create the same effect as a backdoor. Debugging code, for example, can sometimes reveal passwords and cryptographic keys if they were not removed from the release version. Even a default password can allow unintended access if it's not changed by the user.

Cisco's in-house engineers recently found that a default user account was created when any of its Aironet 1800 series devices were installed. This is a vulnerability, not an intentional security backdoor. It could only really be called a backdoor if Cisco's management had endorsed the feature or code that intentionally made the system unsecure. It's a serious vulnerability nonetheless, as an attacker could log in using the default account and gain unauthorized access to the device. Fortinet's FortiOS operating system, which contained hardcoded login credentials, is a similar situation. On Fortinet's blog, the company said "this vulnerability is an unintentional consequence of a feature that was designed with the intent of providing seamless access from an authorized FortiManager to registered FortiGate devices. It is important to note, this is not a case of a malicious backdoor implemented to grant unauthorized user access."

The Cisco and Fortinet cases are both instances where a vulnerability allowed unauthorized access to a device, but a true backdoor is created intentionally. One method used by hackers is to trick a user into installing software that then downloads a program such as BackDoor.Yebot, which gives the hacker unauthorized access to the machine -- a backdoor. Some computer worms, such as Sobig and Mydoom, can also install a security backdoor on the computers they infect.

These are clear attempts to intentionally install security backdoors in order to gain unauthorized access for malicious purposes, but some instances are far subtler. A tiny two-line code change added to the Linux kernel in 2003 wasn't an accidental typo, but an attempt to create a backdoor. There was no record of approval for the change, so someone had clearly broken into the source code repository to insert it. It's still not certain how unauthorized backdoor code made it into Juniper Networks' ScreenOS software. The National Security Agency (NSA) is the prime suspect, but the backdoor worked because Juniper used a modified cryptographic algorithm that was known to have been weakened by the NSA.
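The cases above share a practical lesson for reviewers: hardcoded service credentials and default accounts (the vendor-service logins, the Aironet default account, the FortiOS credentials) and a tiny change inside a privilege check (the 2003 kernel change was of this shape, an assignment written where a comparison belongs) all look innocuous in a diff. The following Python scanner is an added example, not code from the article or from any of the vendors named; the source and configuration text it scans is constructed for illustration, and the three heuristics (a credential string literal, a well-known default account name, a single `=` on a privilege field inside an `if` condition) are assumptions chosen for the example, not a vendor's own checks.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    text: str


# Heuristic 1 (assumption for this example): a credential-looking name bound
# to a quoted string literal, in source or in a device configuration.
CRED_RE = re.compile(
    r'(pass(?:word|wd)?|secret|api_?key|token)\s*[:=]?\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)

# Heuristic 2 (assumption): a login/user field set to a well-known default or
# service account name.
DEFAULT_ACCOUNT_RE = re.compile(
    r'(?:user(?:name)?|login)\s*[:=]?\s*["\']?(admin|root|cisco|support|guest)\b',
    re.IGNORECASE,
)

# Heuristic 3 (assumption): inside an `if (...)`, a privilege field followed by
# a single '=' that is not part of '==', '!=', '<=' or '>='. Such an assignment
# succeeds unconditionally and silently grants the privilege it should test.
ASSIGN_IN_COND_RE = re.compile(
    r'\bif\s*\(.*?\b(?:uid|euid|gid|is_admin|privileged)\b\s*(?<![=!<>])=(?!=)'
)


def scan(text: str) -> list[Finding]:
    """Return every line that matches one of the review heuristics."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ASSIGN_IN_COND_RE.search(line):
            findings.append(Finding(line_no, "assignment-in-privilege-check", line.strip()))
        if CRED_RE.search(line):
            findings.append(Finding(line_no, "hardcoded-credential", line.strip()))
        if DEFAULT_ACCOUNT_RE.search(line):
            findings.append(Finding(line_no, "default-account", line.strip()))
    return findings


# Constructed sample source: a vendor service login plus a privilege check
# with '=' where '==' belongs. Not real vendor or kernel code.
SAMPLE_SOURCE = """\
/* constructed sample, not real vendor code */
static const char *SUPPORT_USER = "support";
static const char *SUPPORT_PASS = "s3rv1ce-1999";   /* vendor service login */
int login(const char *user, const char *pass) {
    if (strcmp(user, SUPPORT_USER) == 0 && strcmp(pass, SUPPORT_PASS) == 0)
        return 1;                                   /* bypasses normal checks */
    return check_database(user, pass);
}
int authorize(struct session *s, int mode) {
    if (mode == MAINT && (s->is_admin = 1))         /* '=' where '==' belongs */
        return ALLOW;
    return check_policy(s, mode);
}
"""

# Constructed sample device configuration with a default account. Not real output.
SAMPLE_CONFIG = """\
! constructed device config, not real vendor output
hostname edge-ap-01
username admin password "admin"
username operator password "Xy7!pLq2"
"""


if __name__ == "__main__":
    for label, sample in (("source", SAMPLE_SOURCE), ("config", SAMPLE_CONFIG)):
        for f in scan(sample):
            print(f"{label}:{f.line_no}: {f.kind}: {f.text}")
```

Run on the constructed samples, the scanner reports the service account and its password on source lines 2 and 3, the assignment inside the privilege check on line 10, and the default `admin`/`admin` pair plus the second stored password in the configuration. What it cannot tell you is intent: the same finding is a backdoor if someone endorsed or smuggled it in, and a vulnerability if it is leftover debugging or an unanticipated side effect, which is exactly the distinction the article draws and why each hit needs a human reviewer and a look at the change history.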

In a nutshell, vulnerabilities aren't deliberately created, and any adverse impact on security or access is unintentional. A security backdoor, on the other hand, is created intentionally and is always a serious vulnerability, whether it was designed with malicious intent or not.


This was last published in March 2016
