Hacked - Episode 5: Backdoors, Apple, and the FBI

Episode Date: March 10, 2016

We explore the history of backdoors and discuss Apple vs FBI. Jordan tells stories and interprets the nerdiness of Scott.

Transcript
Starting point is 00:00:02 By midnight, Hatton Street in London is quiet. Not dead, but quiet. It's a nice enough neighborhood. It's mostly businesses. There's some interesting history. But at midnight, that's the thing you'd notice most. It's quiet. But say you were there last year, on a summer night in April at about 12:15 in the morning,
Starting point is 00:00:23 well, exactly 12:15 in the morning. This particular night has been studied to death. At 12:15 in the morning, you might have heard something that you would have heard nowhere else in London. If on April 22nd, you'd pressed your ear to the concrete at 12:15 in the morning, you would have heard the sound of a drill. A low rumble as four men cut a back door into the vault of the Hatton Garden Safe Deposit Company. Over the course of this weekend, these men, the youngest of whom was almost 60 and the oldest almost 80, stole 14 million pounds in jewelry, gold, and cash. They didn't crack the vault door. They made their own door. A
Starting point is 00:01:02 backdoor with a 30-pound drill through five-foot concrete. This idea that if the front door is just too tough to crack, you make your own backdoor, is the goal of most computer viruses, bugs, and worms you've probably ever heard of. If they can just get a backdoor into your otherwise secure system, a hacker can come and go as they please, even as you look at the front door and say, yeah, yeah, that looks secure. So what can you do to keep out the viruses that let in the drills that bore in the back doors? Well, you beef up security of the whole setup.
Starting point is 00:01:31 You beef up security of the whole system. You install a firewall, you make that wall even thicker. Which is why, if you're a hacker in 2016, you don't really go after users anymore. You go after the firewall they're using to keep you out. You install a backdoor in the thing they're using to keep out back doors. And you just wait and see how long it takes for someone to notice. My name is Jordan Bloemen.
Starting point is 00:01:55 And I'm Scott Winder. And this is software backdoors on this very timely episode of Hacked. If hypothetically you had ever hacked a computer, Scott, would hypothetically you have ever left a backdoor somewhere? What's a back door, Jordan? I don't know, you tell me. Hypothetically, yes. You know, hypothetically, back in the day, as a troubled youth, you would, when you'd get access to a server that you weren't supposed to have access to, often you'd leave something that allowed you to come back.
Starting point is 00:02:48 So even if you hacked it and, you know, maybe you've changed a password at this point or something that an admin's going to realize and fix, you might still leave something that lets you come back. So you've done something really difficult, you've gained access to this thing that doesn't want you to have gained access to it and you leave behind a way in. You've literally put a little tiny little backdoor that only you know about into this building. Yeah, so like the whole idea of a back door is, is it's not the front door.
Starting point is 00:03:18 You don't need the key. You're coming into the patio door that nobody locks. You've got your own private entrance. You're the mouse coming through the little hole that no one knows about. So is that how this whole thing started? Just one individual trying to get into someplace that they're not really supposed to be? In, you know, the history that I would tell, yes. It would start with: back doors were a way that, once you've gained
Starting point is 00:03:42 access to something, you would put a back door in it to let you come back. You know, that's kind of the first thing. It's like back in the early days of cybercrime, when you hacked into something and you weren't supposed to be there, you know, you might not create yourself a user account that they would, like, be able to see and be very obvious. So what you would do is you would put something that let you come back whenever you want to super user privileged accounts. So you'd never have to hack that computer again, but you'd always have access to it. Does that make sense? Yeah. So even if someone knew that something had happened to their system and they think,
Starting point is 00:04:20 oh, I fixed this problem, that initial problem is still persisting because that person's kind of coming and going in the night as they please. When did it start evolving beyond that? The big change happened when it went from gaining access to a server was tough. And like, we'll do an episode later on something called Smashing the Stack. And like, exploits, like coming up with exploits is not child's play. But backdoors were kind of child's play. Like a backdoor wasn't too difficult. Like once a computer had a back door, anybody could come through it that knew it was there. So all of a sudden there was a little bit of a mind shift in hacking that went from, okay, I hack and I gain access, and then I leave myself a back door to come in, to just being like, hey, if I can trick somebody into installing a backdoor without
Starting point is 00:05:12 them knowing, I can walk through that. I don't have to hack anything. I use the ignorance of the end user to give myself the hack and the back door all at the same time. So at that point, it just becomes kind of a law of large numbers thing, where if you put enough of these ruses out there into the world, a certain number of people are going to fall for them and a certain number of people are going to install these back doors for you. Yeah, and the beauty of it is that, you know, there's a lot of ruses out there. There's a lot of ways to put these tricks into things. Piracy, like one of the big parts of piracy
Starting point is 00:05:47 is that you never really know what you're installing. You're getting it from some sketchy place on the internet that some sketchy person's put up. You have no clue what's on it. You know, you just blindly trust that you're installing whatever, Adobe's new Creative Suite or whatever you're stealing. And you don't know what's bundled with it. This style of attack is typically referred to
Starting point is 00:06:08 as a, you know, a Trojan horse, you know, kind of referencing how the Greeks entered the city of Troy by packing soldiers inside of a large wooden horse. And at night, when everybody went to sleep, the soldiers filed out of the horse and went to attack. And the same kind of thing happens here, where you download and install something and bundled up with it is a backdoor that some hacker can get access to. And these back doors aren't even just quiet. Some of them will do callbacks.
Starting point is 00:06:35 So, like, they don't know where these are going to land. So when you install it, it'll actually ping out to the Internet and say, hey, I'm IP address, you know, 1111.111.111.111.1.1. I still can't believe you got that IP address. And I have this backdoor now. You know, hey, I'm here. Come in. The key's under the rock on the back porch.
Starting point is 00:06:57 So that's one way of casting a really, really, really wide net. But what are some other ways you might go about trying to get a backdoor into someone's system? Maybe someone that doesn't dabble in piracy or isn't tech savvy enough to dabble in piracy? There's a ton of ways, like, you know, to install Trojans. You know, phishing is a very common one, you know, going back to email spoofing, sending a false email and having somebody download and install something. Or autorun from last
Starting point is 00:07:21 episode is another great way that these would have spread. You know, if you drop in a CD or a USB key that has some files on it, even though it could be legitimate installers, it could also at the same time just, like, pop in this little backdoor software. You know, these are things that we trust our antivirus software to keep us from. A lot of the time, but they don't always work. Especially when we tell them not to work because we think we're installing something that we want on our computer. Correct.
Starting point is 00:07:48 Think about the last time you heard a breach story on this show. It always starts the same way. Someone, somewhere saw something too late, an alert buried, a signal missed, an SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Starting point is 00:08:22 Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy, and all of this is just off running on their secure operations graph. A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed,
Starting point is 00:08:53 and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely. What makes it even more effective is how it works, with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions.
Starting point is 00:09:16 The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind. If you want to see what trustworthy, production-ready AI and security operations actually looks like, go to arcticwolf.com slash hacked. It's funny, the more you look into this whole world, the more it seems like so many of these things like bugs, viruses, worms are all out there in the world working in service of getting a backdoor onto your computer. Yeah, and there's some great examples of this with like distributed denial of service attacks and botnets.
Starting point is 00:09:50 So once somebody's got you to install this little backdoor, there's an agent. So like a little piece of software running on your computer that's taking commands from somebody else on the internet. And that's the big thing is like, you know, if you want to attack sony.com and you've got four million computers waiting to do whatever you tell them to do, it's really easy. And these little botnet agents are essentially Trojan horsed onto your computer with malware, piracy that you download, you know, vulnerabilities in certain plugins like Flash.
Starting point is 00:10:25 You know, there's a bunch of different ways that these things find themselves on your computer. But once they're there, you know, someone else has full control or can have full control. So far, this has all been driven by software whose author was trying to leave a backdoor on your computer, who's trying to expose the user to a vulnerability. This is a leading question, but does the creator of the software always know that they're exposing the user to a vulnerability? Or could they have been tricked? Well, there's definitely instances of backdoors existing and people not knowing that they were there, if that makes sense. You know, there's been a bit of a shift in the quote-unquote nation-state style hacking world where you're seeing things like VPN service providers, like firewall companies, like software
Starting point is 00:11:21 providers, even Apple, their software development kit, the SDK that allows you to build Apple applications to go on iPhones. You're seeing some really, really high-level hacks where people are actually hacking into product manufacturers and building backdoors into their code without them knowing. So all of a sudden these things roll out and whoever put that little malicious piece of backdoor code in it,
Starting point is 00:11:53 similar to that hypothetical teenage boy putting a module into the send mail system that allows him to get access, you're seeing major hacking groups, potentially nation states, building back doors into really widespread pieces of software. So all of a sudden, anybody running this firewall is vulnerable to the person
Starting point is 00:12:18 that put the back door there. All of a sudden, anybody running this VPN software is vulnerable to the person that put the back door there. It's things like that that are the massive shift. Instead of one person attacking one target, you're getting one person or one group attacking thousands of targets. So instead of getting someone to install a piece of what they think is legitimate software, but actually has a backdoor in it, they're just going after the manufacturer of the actual legitimate software, putting the backdoor in at that level, and then they ship it for you. Right. Instead of bundling the Trojan horse with whatever you're downloading, pirating, et cetera, et cetera.
Starting point is 00:12:58 accidentally autorunning, they're putting it in the actual software. So suddenly your backdoor has a marketing budget and a sales team and branding and TV commercials. Right. So some of the things that you just described, there are things like firewalls and VPNs, those are things that are designed to keep you safe. So if we've gotten to that high level where we started with infiltrating one person's system, and then we got to a point where we're talking about infiltrating a bunch of people's systems, and now we're at a point where we're talking about infiltrating the systems of the people
Starting point is 00:13:28 who make the stuff that stops you from getting infiltrated, how do the manufacturers of software then intend to stay safe if the products that would keep them safe are the ones that are being compromised? I think that's why those have been chosen as targets. It's kind of the top of the pyramid. You know, if you want to hack into a major corporation and they're well protected and have a massive budget and great security team and all the rest of this jazz, it's going to be really hard. Like, it's not going to be easy without, you know, people messing up, which is how 90% of good
Starting point is 00:14:07 hacks happen. And when I say good, I mean impressive. So if you can take out some of those roadblocks that this great, highly priced IT security team is built, if you've already got a hole carved in their firewall, or a hole carved in their encrypted VPN, or a hole carved in, or a hole carved in, you know, whatever else they're looking to stop you with, their antivirus program. It makes it a lot easier for you. It's a fascinating world, so. It's a very, it's an approach that wouldn't really have worked on any other scale, but a digital scale, because it's not like, it's like instead of trying to crack a vault,
Starting point is 00:14:45 instead of even trying to cut your own backdoor, you're just going to the vault manufacturer, making a backdoor there and stealing the master key. And the, you know, your reference to the master key is very accurate. You know, it's, I wouldn't say it's well documented, but it's well known that a lot of software companies build in their own backdoors for testing, for whatever. You know, it's not uncommon, and it's been found, like a lot of pieces of software have been found that have a master password.
Starting point is 00:15:17 They have a key. The vault has one key that opens every one of the vaults. The vault manufacturer made a key that will open all of their vaults. You know, that does exist. That has been found. Hackers have found master keys buried in source code before. Speaking of software backdoors, if you think you can find one,
Starting point is 00:15:41 bugcrowd.com has a bunch of partners who will pay you to do just that. Bugcrowd.com runs bug bounty programs allowing the security curious to hunt down bugs and vulnerabilities in some of the world's biggest companies, companies like Tesla and Pinterest and Dropbox. So if you want to challenge yourself and make some money at the same time, you should really check Bug Crowd out. And if you're a company and want security of the same league as, you know, Tesla, Pinterest, Dropbox, you know, we're looking for a partner. And we want to run a special hacked challenge where the prizes won't just be, you know, some money, which we think is fair at people's time.
Starting point is 00:16:17 But they'll also include special edition. Talking about Hacked swag? Yeah, I'm talking about like hack graft. Like merch. Yeah, like, you know, like a, like a wicked crewneck. Sure. Sweater. Kind of that sketchy gray color that the kids like these days with, you know, like a Hacked logo on.
Starting point is 00:16:40 I mean, really, how can you say no? Visit bugcrowd.com slash hacked to learn more. When it comes to writing software, like I've written a fair chunk of software in my life, and it's really tempting to put a master password in, especially when you're just deving, like for dev use. It's literally like three lines of code, because you've got to remember that, like, if you go back to our problem with passwords, you're taking in the password, you're hashing or encrypting it, and then you're comparing that against the hash. So, like, the software code there is, you know, get input value for the password
Starting point is 00:17:22 field, encrypt it, compare against database object, and then return true or false. If you have a master password, you just have another line above that that says if input value equals Jordan's master key, return true. Like it's so easy to add a backdoor at the code level that I'm sure, I'm sure there's more backdoors out there
Starting point is 00:17:45 that we just don't know about because it would be very easy or it is very easy and it's generally very useful to have. There's been a lot of talk lately about backdoors and the relationship between Apple, the FBI and the phone of the San Bernardino shooter.
Starting point is 00:18:00 So what exactly is the FBI asking for and is it actually a backdoor? I don't think it's actually a backdoor in the encryption that they're asking them to create. All they're really asking is for them to remove some of the safeguards that prevent them from brute forcing the password. So if you go back to episode three, we talked about the idea of trying to mass guess passwords. And one of the preventative measures of that is, between every failed attempt, the timing gets longer. You know, it's a five-second delay after the first attempt, a 10-second delay after the second attempt. And after 10 attempts, you know, you can't guess anymore. Or the phone formats itself, which is the problem with this one.
Starting point is 00:18:44 So they're not really asking for them to build or construct an actual backdoor. They're not asking for a master key. They're just asking them to let them brute force this person's password. Which is to say just guess over and over and over again. Yeah, like they're asking for the system to be modified to allow them to better break the security, but they're not asking for them to break the security. Apple's already provided them with the iCloud backups of the phone, so the data's not secure.
Starting point is 00:19:15 If Apple has access to the data, they're willing to provide that. So the information has already been handed over. They just want the most recent copy of what is on the phone. And one of the articles that I read, and I'm just citing this article randomly, I don't know how much truth there is to it, but the FBI actually reset the iCloud account password for the phone, so the person who had the phone,
Starting point is 00:19:38 they changed his password in an attempt to get access to the phone. And by doing so, they actually removed Apple's ability to force a backup of the phone because they need to actually key in the new password into the iCloud settings on the phone. So had they not reset the password, Apple could have forced a backup of the phone and then given them the new data. So it's not like we're trying to protect people's information here. They're just asking for a way to let them bypass some of the protective measures. So on one hand, Apple already kind of had a bit of a backdoor if they had the ability to force a backup.
Starting point is 00:20:19 Yeah, it's actually, given what I've read, it's surprising that Apple doesn't have access to this information. It sounds like they have a bunch of control over this device, even though they don't have the password for it. So that, to me, is essentially a remote administration backdoor. If they can force a backup, force a software patch, force whatever, I don't know how they can't just access the data on it. To me, that's shocking. Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025 was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Starting point is 00:21:01 Organizations around the world saw headlines they never expected, and cybersecurity teams were tested like never before. But here's the thing. These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened,
Starting point is 00:21:22 but why these attacks succeeded, and most importantly, what businesses can do to fortify their defenses for it's too late. You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable, intelligence from experts in the trenches.
Starting point is 00:21:43 Register now at arcticwolf.com slash hacked. But on the other hand, if they were to develop something that could force the phone to respond to a digital brute force attack as opposed to punching it in, wouldn't that effectively function as a backdoor if someone else could implement the same thing? Technically no. To me, it's not a backdoor. A backdoor is a master key. If Apple says, oh, all phones will unlock if you push 555-4123, that's a back door. So they're not asking them to create a backdoor, they're asking them to create a vulnerability. Right, yeah, exactly. So there's been a lot of discussion about how this legally plays out. And I'm by no means a lawyer in intellectual property. So I can't really gauge how expansive the decision in this case could be.
Starting point is 00:22:30 But to me, a lot of people are drawing the lines between this case and backdoors in encryption, which is something that's long been discussed, and there's, you know, kind of rumors that the NSA has backdoors in standard types of encryption already. That's a much bigger thing. So that means that if I actually take my information and encrypt it, you can unlock it without my key. And if my key is long enough to be really big, then you'll just probably never get it. And a backdoor in encryption allows them to bypass that. It says, you know, if this key is NSA rules, you know, exclamation point.
Starting point is 00:23:11 exclamation point, unlock immediately. And encryption's a different beast because it's highly based on math, so backdoors in it are much more complicated, but this is not, to me, a backdoor. This isn't them backdooring into your information. Like, Apple's already giving up the data. They're already, you know, playing along. So this is just a, it's a weird situation. So if the takeaway from this is that the easiest way to stop a backdoor from getting on
Starting point is 00:23:41 your system is to really just not install stuff that could come from a malicious source. Don't install software that came to you from an email from someone you don't recognize. Definitely do not install anything that downloads just on its own. If you're ever on a website and it downloads an executable to your computer, never. But it says I need it to stream episodes of Friends. Never, ever. Why are you pirating episodes of Friends? But that only takes you so far because that's kind of how you prevent the easy way of these backdoors getting on your system.
Starting point is 00:24:17 How do you prevent them from getting on your system when they're coming from trusted sources? If you can't trust a firewall manufacturer, a company that makes stuff that's expressly designed to stop sketchy things from getting on your system, what can you trust? I think we're doing it again. We're scaring everybody again. Are we? There's no way to stop that stuff, and it's scary even to me. Like, I don't get scared by these things. I just accept them as reality.
Starting point is 00:24:48 But people are getting smarter. Hackers are getting smarter. Nation states are getting smarter. The cyber war will come. And things like this are in the toolbox of the people that are going to fight that war. They're not playing with, you know, getting your buddy to install a piece of malware that lets you, like, turn on his webcam. These people are playing with, okay, if a piece of software that sits on your computer that makes sure that everything is, you know, signature checksummed authorized is going to prevent us from having a future attack, it's going to change the way that our attack chain can work.
Starting point is 00:25:25 Well, what if we just hack that piece of software? And then we can tell it that our illegal software is now, you know, validated, secure, good stuff. It's a fascinating thing that's going on right now. If we hadn't scared people before, dropping the words cyber war probably cinched it. Is it maybe about recognizing that this is just sort of going to be part of the texture of day-to-day life, if day-to-day life is going to be digital, that this sort of ongoing spat on the far side of that industry, it's just going to be a thing that is going to happen. We're going to hear about it.
Starting point is 00:26:03 We're going to be exposed to vulnerabilities, and I guess, I don't even know, hope that the good side wins. Like, I don't know what conclusion to reach from that. Well, it's, you know, this is turning into a dystopian novel, but, you know, 70 years ago to disrupt a country's economy, you know, it was a big thing, you know, it was war, it was, you know, terrorism, it's all these things. A good hacking group can do that in like 45 minutes. You know, that's a, if you've got, you know,
Starting point is 00:26:34 a pretty big attack structured out and you can cause things to go down. Like, imagine turning off the New York Stock Exchange. Like, what's that going to do to the market? Sentiment's going to go away. The second that they know that it's that vulnerable and can be hacked,
Starting point is 00:26:50 investors are going to get afraid. You know, it's going to have a ripple effect that will be hard to measure. And as everything moves online, our communications, you know, the fundamental base of how we operate as people changes.
Starting point is 00:27:09 It's interesting. It's interesting the way we talk about it and the stakes we associate with it because at the end of the day, it's not a bomb going off. It's nothing physical being destroyed. If the attack is ephemeral, isn't the damage ephemeral? When was the last time you forgot your phone at home? Yeah, fair. That's just your phone.
Starting point is 00:27:35 Now, imagine all of the stuff went away. Imagine the power grids went down. Imagine, like, that there's a real tangible hack that happened, I believe it was in the Ukraine recently, where a bunch of hackers shut down power grids. So imagine data communications,
Starting point is 00:27:49 which is voice communications now, goes down. The only thing that's not going to go down is radio waves. So all of a sudden we're listening to AM radio again, and that's just to get updates, you know, this is if you've got a battery-powered radio.
Starting point is 00:28:03 Right, so it's not just about, you know, your Facebook profile. It's the fact that dams are controlled by computers. It's the fact that water sources are controlled by computers. It's all controlled by computers. Yeah. So yeah, really not trying to scare you that don't drink the tap water. Apple versus FBI. Yeah, I don't know how we got there. But we always do. I'm sure there's a computer that controls the amount of fluoride that goes into our drinking water. I sure hope so. I hope it's not a dude with a beaker. But at the same time, a dude with a beaker can't get hacked. You can be hung
Starting point is 00:28:38 over, but he can't get hacked. Right. Damned if you do, damned if you don't. Crazy. The world we live in. There has been a lot of discussion lately about backdoors, and whether or not that term is kind of accurate as it applies to the Apple situation, the dialogue surrounding it is still valid.
Starting point is 00:28:55 It is still worth having, and it's a conversation we'd love to have with you. So please fire us a message. Write us an email at get at hackedpodcast.com. Put us on Twitter via it's at hacked podcast or on Facebook where you can just search Hacked podcast. Let us know what you thought of the episode, how you feel about the Apple case, or just a high-five Luca Harrison
Starting point is 00:29:16 for being our 2000th like on Facebook. You're the real hero, Luca. My name is Jordan Bloemen. And I'm Scott Winder. And thanks for listening to this episode of Hacked.
