According to a report in the Washington Post, the U.S. government has "evolved" its thinking on backdoors. It is no longer asking for a single "golden key." Instead, it is considering requiring companies to give it remote access to targets' devices through the automatic updates pushed to users' devices and software; to build special encrypted ports into hardware that give the government access to devices; to set up a system of split-key backdoors (a "golden key" broken into multiple pieces); or to back up users' data without the users noticing.
Malicious Automatic Updates
From the report, it appears that the U.S. government would like to be able to force companies to send malicious updates to users, through the automatic update systems that many products incorporate these days, including Windows, Mac OS X, iOS, Android, Chrome, Firefox and so on.
This could validate a fear that "non-expert" users expressed earlier this year in a study on automatic updates: that the update channel could be hijacked by the U.S. government. At least officially, this is not policy or law just yet, but law enforcement officials consider it one of the candidate solutions for getting at encrypted user data.
Government officials also seem to recognize that this solution could lower trust in companies, and that many users could start disabling the automatic update features of their apps or operating systems. This is often trivial to do, and given enough awareness, such a method of hacking users to get their data could soon become useless. At the same time, it would teach everyone never to trust automatic updates again, exposing them to the other security risks that unpatched software carries.
Encrypted Physical Ports
The officials also suggested that companies build encrypted ports into their devices, and that the companies would unlock those devices with their own keys when the government requests assistance. This is, of course, technically a backdoor, and it would make device encryption considerably more complex. The companies would have to ensure the data is encrypted not only with the users' keys but also with their own, which would introduce a further weakness into the system, one that could be exploited by anyone who steals a device, or even remotely.
Such a solution would also increase the cost of the hardware for companies, which basically translates to users paying for the privilege of having backdoors in their devices. If such a solution is mandated in the U.S., many may start importing their devices from other countries.
Another approach the government has been considering is the idea of forced backups. The companies would have to take people's files from their devices and upload them to a different location where the government could access them, unencrypted.
However, the officials once again recognized that this would require a significant redesign of the companies' systems. The upload would also have to happen without the targets realizing their data is being sent to the cloud. If gigabytes of data are involved, it could only be done over Wi-Fi, and even then it could drain much of the device's battery or slow down performance, tipping users off that something is amiss.
One of the weaknesses of the "end-to-end" encrypted iMessage for instance, is that it automatically backs up all the messages to iCloud, with no way to turn off syncing, unless you completely disable iCloud syncing. Experts warn that all cloud storage is also vulnerable to Sony-style hacking, and despite the fact that many companies offer such services today, it's far from an ideal solution for keeping user data safe.
Split Golden Keys
Although the FBI has changed its rhetoric from a few months ago by saying it no longer wants a golden key, one of the proposed solutions is to have a key split into multiple pieces, with the pieces recombined only under a court order. However, it's not clear how this would work in practice.
Plus, as we've seen with the OPM hack, it's not clear that spreading pieces of a key across different agencies or people would work very well. For this to be practical for investigations, the key pieces would likely have to be held by hundreds of people, if not more. That leaves ample room for those employees to have their pieces stolen by nation states that know the recombined key could unlock the data of millions of Americans.
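The article does not say how the split would be done; the standard technique is Shamir's threshold secret sharing, shown here as an added example (not code from the article or from any proposal). It illustrates both halves of the point above: any t of the n pieces recombine the key, so compromising any t holders is as good as stealing the key, while fewer than t pieces reveal nothing.

```python
"""Shamir secret sharing over a prime field (added example).  The key is
the constant term of a random polynomial of degree t-1; each holder gets
one point on it, and any t points interpolate the constant term back."""
import secrets

# 521-bit Mersenne prime: large enough to share a 256-bit key directly.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients [a0, a1, ...]."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(secret: int, threshold: int, shares: int):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME or not 1 <= threshold <= shares:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recombine(points):
    """Lagrange interpolation at x = 0 yields the constant term, i.e. the key."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo():
    """3-of-5 split of a constructed stand-in for an escrowed device key."""
    key = secrets.randbits(256)
    pieces = split_key(key, threshold=3, shares=5)
    # Any three holders (e.g. three compromised agencies) recover the key...
    recovered = recombine([pieces[0], pieces[2], pieces[4]]) == key
    # ...while two pieces interpolate to an unrelated value.
    below_threshold_leaks = recombine(pieces[:2]) == key
    return recovered, below_threshold_leaks
```

Note that the scheme protects only the pieces at rest; once a court-ordered recombination has produced the key, its subsequent handling is outside the scheme's guarantees.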
Security Weakening Front Doors
Although all security experts seem to call these "backdoors," U.S. officials have rejected this term, preferring instead to say that they are "front doors." This differentiation seems to come from the fact that the government believes a backdoor is something that has to be hidden, while this would be a transparent solution that everyone would know about.
However, for all intents and purposes, it would technically function the exact same way, and this is likely why security experts call them "backdoors." Whatever the nomenclature, though, they both end up weakening the security of a system.
The government also seems to act as if the digital world has "pretty good security" that is worth weakening a little in order to serve law enforcement data requests. However, many security experts say that even the most secure systems today remain quite vulnerable to sophisticated attackers, so if anything, companies should keep striving to strengthen their systems, not weaken them. The string of breaches in the past few years at major corporations, which supposedly have the money and resources to secure themselves, bears this out.