I found that the company I work for is putting a backdoor into mobile phones

Solutions:

Just because they won’t use it, doesn’t mean someone else won’t find it and use it.

A backdoor is a built-in vulnerability and can be used by anyone. You should explain that doing something like this is very risky for your company. What happens when some malicious attacker finds this backdoor and uses it? This will cost your company a lot of time and money to fix. And what will your company say when people ask why the software contained that backdoor in the first place? The company’s reputation might be damaged forever.

The risk is certainly not worth having it in the code.

If you’ve informed decision-makers and they’ve decided not to do anything about it, then by definition your company is knowingly shipping a product with a serious security vulnerability. (And, I assume, hiding it from their customers.) This is a very serious matter. What’s the worst that a malicious person with access to this backdoor could do? If it’s bad enough, I would go to the FBI about it. (Or whoever has jurisdiction over computer security if you’re not in the US.)

If your company knows about the problem and doesn’t care, then exposing it is the only ethical course of action. And if they attempt to take retaliatory action against you, you may have legal recourses available, depending on the circumstances and the laws where you live. (Talk to a lawyer about that if you think it might apply in your case.)

Please, pardon my cynicism, but this isn’t the first and won’t be the last backdoor we see in our legitimate, hard-earned apps and devices. Just to refresh our memory, we can start with the most recent one, Amazon’s new Big Brother Kindle [1][2].

But we have an entire plethora of backdoored software and services, such as PGP Disk Encryption [3][4], ProFTPD [5] or Hushmail [6], to name a few.

And don’t forget the OSes: M$ is always ahead with its NSA_KEY [7][8], but OpenBSD [9] and the Linux kernel [10] can’t be considered 100% safe either. There have also been paid attempts by the NSA to gain backdoor access to Skype [11], which, however, has been assessed as “architecturally secure” [12].

Moving down to firmware, nowadays we are almost acclimatized to people from our ISP being able to look inside our routers (yes, maybe even see our beloved WPA password), but these [13][14][15] can surely be considered backdoors too!

Finally, a few considerations on hardware and BIOSes [16], and (this is both funny and somehow dramatic) EULAs [17][18], because lawyers have their backdoors too.

Ok, given this preamble, I’ll try to answer the question briefly. No, you’re not wrong to get mad about this, but you should focus your anger on the correct motivation. You should be angry because you have lost some trust in the company you work for, not because of the backdoor itself (leave that anger to the customers).

And if I were you, I’d just be very cautious. First, I’d make really, really sure that what I saw was a backdoor, legally speaking, I mean. Second, I’d try in every way to convince the company to remove the backdoor.

You probably signed an NDA [19] with your company, so your question here could already be a violation. However, I don’t know where the NDA ends and your state law begins (it could even be customer fraud), and probably, due to the technicality of the subject, only a highly specialized lawyer could help you with this matter. So, if you want to proceed, before doing anything else, even talking to the authorities, you should hire a very skilled lawyer and be prepared to lose a lot of time and money, or even your job.
