Encryption backdoors will be abused by criminals, warns Ross Anderson
Cambridge University's Ross Anderson compares Apple vs FBI case to recent Juniper hack, and calls for international co-operation concerning government data requests
Government demands that backdoors be inserted in encryption products so that spies can hack them have been criticised by a leading security expert.
Ross Anderson, professor of security engineering at the University of Cambridge Computer Laboratory, said that such deliberate vulnerabilities may make life easier for governments, but they also make life easier for cyber criminals.
Anderson referred to the vulnerability found in 2015 in Juniper's NetScreen firewalls, thought to be the work of the US National Security Agency (NSA) or the UK's Government Communications Headquarters (GCHQ).
"The backdoor in Juniper was presumably put there by the Americans, but people outside started using it to hack the US. That's the problem with creating backdoors: other people find them and start using them."
"We went through this whole encryption argument in the '90s," continued Anderson. "Cars were easy to steal because the remote key entry systems used to open them were easy to break. And that was because it was specified that they had to have 40-bit keys so GCHQ wouldn't have too much difficulty getting in. Now, of course, crooks don't have much difficulty either."
Anderson also cited the FBI vs Apple court case, where the FBI demanded that Apple help it crack the security on a terrorist's iPhone.
"It's not just about the debate about the FBI and Apple case; governments are now also interested in data at rest, so that's your emails sitting on Google's servers. The same problems apply - if you make it routine [to be able to access that data], then it will be widely abused."
The Investigatory Powers Bill, which recently passed its second reading in the UK Parliament, provides for government access to data in this way.
Anderson pointed to a further problem where governments of different countries set conflicting laws, making it impossible for individuals or organisations to comply.
"You end up with large numbers of conflicting laws," said Anderson. "Alice makes a law saying a company must give everything to her and not Bob, while Bob says give it all to him and not Alice. Zuckerberg can then only enquire which country has the most comfortable prisons, or he says 'sod off and speak to my lawyer'.
"Then Hannigan [Robert Hannigan, director of GCHQ] complains about it taking so long to hear back from Facebook [when he requests sensitive user data], but that's because he's pissed them off so they just delay."
Anderson concluded by calling for greater international co-operation, and a harmonisation of disclosure laws.
"It's big, complex and messy, but it's fundamentally about jurisdiction and legislative overstretch. What's needed is an international treaty on cyber evidence," he said.