White House considered bypassing encryption with malware disguised as updates

By Russell Brandom on September 24, 2015

How do you serve a warrant on an encryption algorithm? For 20 years, governments have been struggling with that question, putting pressure on tech companies to build backdoors into security systems as the companies increasingly tell them it simply can’t be done. The tension has grown particularly strong after the Snowden revelations caused companies to tighten up, leading the government to look for ever more creative ways to break the deadlock.

A new report from The Washington Post details some of the latest ideas, including some that already have civil libertarians raising the alarm. The news comes from a draft memo from the president’s encryption working group, which was tasked with finding solutions that would be acceptable to tech companies and law enforcement alike. The result isn’t intended for public consumption, but it shows just how far we might need to go to appease law enforcement’s desire for backdoor access. The paper suggests four main proposals, including a forced backup system and a system triggered by combined consent from multiple parties. Another proposal suggested installing a special encrypted port that only the government would have access to.


The most controversial proposal was one that targeted the automatic software update system. “Virtually all consumer devices include the capability to remotely download and install updates,” the paper observes. It then proposes to “use lawful process to compel providers to use their remote update capability to insert law enforcement software into a targeted device.” It’s particularly ominous because the certificate system that protects those updates has been compromised before, most notably by the US-linked espionage malware known as Flame.
