Does Your Device have a Universal Backdoor?

Many pieces of modern software, including commonly used mobile phone operating systems, include a mechanism that allows the software provider to remotely access and control the device running the software. This “universal backdoor” cannot be disabled without disrupting important functionality of the software.

What am I talking about? I explain below.

We generally say that software contains a backdoor if the software provider or some third party can remotely access and control that software. Sometimes that’s OK, as with enterprise technical support software that lets the helpdesk remotely re-install a printer driver. But generally we expect the software on our personal devices like PCs and cellphones to not contain backdoors at all.

Unfortunately, many pieces of commonly used software do allow the software provider to remotely access and control the software. They can even do what’s commonly considered one of the most serious security breaches: arbitrary remote code execution. For example, this applies to Google Android, Apple iOS, Microsoft Windows, Google Chrome, and Mozilla Firefox.

If you’re running any of this software in its recommended configuration, then the software provider can look you up by name and remotely access and control the device you’re using to run it.

How? Simple. Each of these pieces of software has two features:

  • Built-in Automatic Updates
  • Centralized user accounts

As Richard Stallman pointed out a while back when complaining about proprietary software, automatic updates can be dangerous. The whole point is to download a new version of the program from a server controlled by a software maintainer and then run it. Hopefully the new version contains bugfixes, but it could also contain anything else including malicious features. It could upload your personal files, or stream your camera to a web page, or whatever. Stallman called this the universal backdoor.

Software licensing really isn’t the concern here though. Updates for both Free/Open Source programs and proprietary programs tend to be distributed as binaries. Source code availability and reproducible builds provide a mechanism to detect these attacks, but patches for popular proprietary software tend to get decompiled by security researchers looking for unpublished security fixes.

If any major software provider shipped an update to everyone that exposed a remote access backdoor, people would notice. And that’s our defense against automatic updates as a universal backdoor: if a provider used this mechanism to actively backdoor everyone, then they’d get caught.

But that brings us to the other feature: Centralized user accounts. If users sign into the software, then the provider no longer needs to send the backdoor update to everyone. They can send targeted updates to specific users.

It looks to me like automatic updates are pretty safe if they’re anonymous. But anything that eliminates that anonymity - including telemetry features that potentially expose user identity - turns them into a targeted backdoor. Keep in mind that pretty much any data is potentially identifying, so software shouldn’t be sending any user-specific data to vendor servers.
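
The "people would notice" defense only holds when everyone receives the same binary for a given version. As an added example (not from the original post), this Python code compares SHA-256 digests of an update as reported by several independent clients and flags any client whose download differs from the majority. The function name, the `min_peers` threshold, the client names, versions and update bytes are all assumptions or constructed sample data.

```python
import hashlib
from collections import Counter, defaultdict


def find_targeted_updates(observations, min_peers=3):
    """Flag clients whose update binary differs from what most peers received.

    observations: iterable of (client_id, version, update_bytes).
    Returns {version: [client_ids]} for versions with divergent downloads.
    """
    by_version = defaultdict(dict)
    for client, version, blob in observations:
        by_version[version][client] = hashlib.sha256(blob).hexdigest()

    flagged = {}
    for version, seen in by_version.items():
        if len(seen) < min_peers:
            continue  # too few independent reports to compare
        majority, count = Counter(seen.values()).most_common(1)[0]
        if count * 2 <= len(seen):
            # No digest is held by a strict majority: treat every report as suspect.
            flagged[version] = sorted(seen)
            continue
        outliers = sorted(c for c, d in seen.items() if d != majority)
        if outliers:
            flagged[version] = outliers
    return flagged


# Constructed sample data: five clients report 1.2.3, one received different bytes.
GOOD = b"constructed update payload for 1.2.3"
SAMPLE = [
    ("client-a", "1.2.3", GOOD),
    ("client-b", "1.2.3", GOOD),
    ("client-c", "1.2.3", GOOD),
    ("client-d", "1.2.3", GOOD),
    ("client-e", "1.2.3", GOOD + b" plus extra code"),
    ("client-a", "1.2.4", b"constructed update payload for 1.2.4"),
    ("client-b", "1.2.4", b"something else"),  # only two reports: not judged
]

if __name__ == "__main__":
    for version, clients in find_targeted_updates(SAMPLE).items():
        print(f"version {version}: divergent binary seen by {', '.join(clients)}")
```

The comparison is only meaningful when the digests are exchanged through a channel the software provider does not control.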