The recent hubbub in politics about security-service back doors into end-to-end encrypted messaging services has got me thinking. Putting aside the issue of technological impossibility, as we enter a world in which more and more devices are connected, a storm of questions about the morals, ethics and necessity of back doors into things could well make the WhatsApp question look like a minor query.
If physical security systems are connected, should the police have a back door? If cars are connected (and automated) should the security services have the right to take control? At what point does connectivity allow the right for someone else (state, service provider, next of kin…) to call for the right to take control?
Yesterday I happened to stumble across a video of infamous hacker Kevin Mitnick explaining how to circumvent two-factor authentication systems that are used by the likes of banks. I was fascinated. Had Mitnick managed to circumvent what appeared to be a fairly solid form of security?
Well, the answer was yes and no. The two-factor service remained technically intact. No digital back door was to be seen. But through social engineering he had overcome it: he phoned up a telecoms company, pretended to be the person he was attacking, and got them to send him a new SIM card, so the one-time codes were delivered to him instead of the victim. Simple.
It’s that kind of approach that security services need to adopt (and I’m sure are adopting) to rise to the challenge of encryption for the masses. Technical back doors aren’t feasible. But social ones are…