Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Hardware backdoors, vulnerabilities versus malicious backdoors, real-world examples like the XZ Utils and Copay wallet backdoors, and understand the threats posed by firmware and hardware trojans.

The word "backdoor" is not well defined. A vulnerability (or "bugdoor") can serve as a backdoor. Hence, many people use the terms vulnerability and backdoor as synonyms. This, however, confuses the boundaries between vulnerability and "malicious backdoors," for which a stronger word than just "backdoor" must now be used.

Innocent Vulnerabilities vs Malicious Backdoors How to Manage Your Risk

Bad (buffer overflow vulnerability):

char buf[10]; fgets(buf, sizeof(buf) - 1, stdin);

Good example pseudo code (not vulnerable to buffer overflow):

char buf[10]; fgets(buf, sizeof(buf), stdin);

Just a small code difference. Can be introduced by mistake, which happens a lot or intentionally.

Malicious backdoor pseudocode example:

# If the wallet balance is greater than 100, steal it.
if wallet_balance >= 100
  send_to_hacker("1HackerBTCAddressHere", wallet_balance)
end
# Otherwise, do nothing.

It's expressive. It's targeted. It's intentional. Direct evidence.

Analogy: Malicious backdoors are vulnerabilities on steroids.

Bitpay Wallet at the time was called Copay Bitcoin Wallet. It had an interesting backdoor.

If more than 100 BTC, steal it. Otherwise, don't bother.

sources: ^[1]

• Puppet: xz Backdoor
• Akamai: Critical Linux Backdoor in xz-utils Discovered
• Technical Timeline and Analysis of the xz Backdoor
• Analysis on X (Twitter)
• SOC Prime: CVE-2024-3094 Multi-layer Supply Chain Attack

Summary:

• Source code repository (git) was not backdoored. Only the source tarball was backdoored.
• The source tarball was not build based on the source code (git) repository.
• The source tarball contained additional, malicious content.
• This is impossible to happen by mistake.

In 5.6.1, the threat actor introduced a code snippet aimed at enhancing the modularity of the backdoor. This modification enables the potential injection of different variants via test files in subsequent stages.XZ Utils Backdoor - Threat Actor Planned to Inject Further Vulnerabilities

In the cases of Copay and the xz malicious backdoor, we can be abundantly sure by looking at the code that it is inexcusable. This can be seen directly on the source code level. For both Copay and xz, there is no question and no doubt at all. Nobody is speculating about it, and no excuses have been made. The consensus is clear that these were intentional malicious backdoors. There's no question about it.

• A backdoor in UnrealIRCd

Prerequisite knowledge:

• Blue Pill is a proof-of-concept malicious backdoor.
• CosmicStrand is a sophisticated UEFI firmware rootkit.

Illustrative hypothetical malicious backdoors:

• A hypothetical release of a Xen binary that included Blue Pill would be a very clear case of a malicious backdoor.
• A hypothetical computer motherboard coming with CosmicStrand installed by default would be a very clear case of a malicious backdoor.
• Purpose of these hypothetical examples:

Miscellaneous malicious backdoors:

• https://www.pcmag.com/news/thousands-of-android-devices-come-with-a-hidden-backdoor
• Can Google force-install compatible apps? This is not about whether Google does this. This is about whether Google can or could do this, i.e., whether it has the ability to do so.

Hypothetical malicious backdoors in cryptocurrency wallets:

To further explain the magnitude of how bad a malicious backdoor can be... https://safe.global is an Ethereum wallet used by institutions. Or hardware wallets such as https://enterprise.ledger.com are also used by institutions, which means not an individual but instead (big) companies such as cryptocurrency exchanges.

They're using such hardware/software to secure literally billions of dollars. In this case...

• Vulnerability: While these are interesting and may even cause losses for some people, in the big picture, not much is likely to happen. Probably nobody is going to lose money, and if so, only a few people. With a vulnerability, even if purposeful, the artistic freedom of the programmer is limited. The malware will have far fewer features and scope. Example: https://www.youtube.com/watch?v=Y1OBIGslgGM
• Malicious backdoor: Now, that's a much bigger problem. All users might lose all of their Ethereum at the same time.

Now anything is possible. All users of these cryptocurrency wallets could lose all of their Ethereum at the same time. The artistic freedom of the programmer is without restraints. They can insert a timer, a date when the theft shall happen. They can add their own Ethereum wallet addresses. Based on the timer, they can steal from all users at once. The malicious backdoor can, after completing its operation, even delete any evidence of itself by reverting back to a legitimate version. There is no further action required on their side once the malicious backdoor has been planted.

Actual past vulnerability in the electrum bitcoin wallet:

• electrum vulnerability: A popup which could be initiated by malicious servers instructed users to apply malicious instructions, i.e., phishing. If users don't react, nothing happens.
• electrum malicious backdoor: all users lose all their bitcoin at the same time.

Let's start with simple, absolute language for laymen. We'll be more nuanced later.

Android makes it impossible to find backdoors.

This sounds extreme, but it reflects how things appear in practical terms. If a malicious backdoor is installed deep in the internal storage of an Android device, and the device is not rooted, then:

• You cannot see it.
• You cannot copy it.
• You cannot analyze it.
• You cannot remove it.
• You cannot prove it exists.

This is what makes the concept of a "perfect malicious backdoor" so dangerous.

Now, let's clarify the technical nuances.

More accurately, Android makes it very difficult, not literally impossible, to detect well-hidden malicious backdoors. Here's why:

• On modern Android devices, the internal storage is a small chip that is permanently attached (soldered) to the device’s main circuit board. You can’t just unplug it or hook it up to another computer like a USB drive.
• Android doesn't give you full access to that storage unless the device is "rooted", which means gaining full control over the system, like an administrator. (Administrative Rights Refusal (non-root enforcement))
• Most users can't root their devices. In many cases, manufacturers make it permanently impossible to do so.
• Without root, large parts of the system are completely hidden, even if you use developer tools like adb (Android Debug Bridge).
• Even if you do manage to root the device, the rooting process itself changes the system. That change might accidentally erase clues. A clever backdoor could notice you've rooted the phone, then delete itself and hide all evidence.

As explained in Basics of Malware Analysis and Backdoor Hunting, a proper investigation must start from a clean and trusted computer, not the infected device. You should never power on the compromised phone, because that might trigger the backdoor to erase itself or hide its tracks. Instead, experts need direct access to the device’s raw data, ideally by physically removing the storage and using special tools to read it without running anything from it.

Unfortunately, Android’s hardware design often blocks this kind of investigation. When you can’t remove the storage chip or read it safely from the outside, the safest method, looking at the raw data without starting the system becomes impossible. That means any hidden malware, and all the evidence of it, stays completely out of reach.

In theory, someone might invent a way to read Android's storage fully and safely without turning the device on or running anything from it. That would make proper malware analysis possible. But realistically, this is extremely unlikely.

And if such a malicious backdoor were ever discovered and recovered, it wouldn’t be truly "perfect" because real perfection means it could never be found under any circumstances. In the real world, nothing is perfect. But Android’s design comes alarmingly close when it comes to enabling undetectable malicious implants on non-rooted, encrypted devices.

For a slightly more technical write-up, see: Android Insecurity

related forum discussion: https://forums.kicksecure.com/t/no-rescue-mode/1171

A hidden mechanism intentionally built into hardware that allows unauthorized access or control.

A malicious modification of a hardware design that causes undesired behavior when triggered.

A Trojan embedded in firmware (software on hardware) that manipulates hardware behavior or leaks data.

Firmware infections should not be confused with hardware/circuit trojans, which are malicious modifications made to machine components during the manufacturing process. Despite their sophistication, circuit trojans are not immune to detection. ^[3]

Hard disk hacking by SpritesMods.com

• A 7-page blog post.
• Custom hack of HDD hardware
• A proof of concept demonstrating how to hack a hard drive (HDD) controller.
• It involves modifying how data is read and written. For example, injecting a username and password into /etc/passwd.
• This creates a persistent backdoor that survives OS reinstallation.
• It is similar to a BIOS backdoor, but implemented in HDD firmware.
• Only root access is required to install this hardware backdoor.
• What is the vulnerability? With root access, it is possible to modify HDD firmware. The hardware vendor is to blame for this.
• It is even possible to run Linux on the HDD controller firmware.

Virtualizers like Qubes, VirtualBox and KVM cannot absolutely prevent the compromise of hardware. Running all activities inside VMs is a very reasonable approach. However, this only raises the bar and makes it more difficult and/or expensive to compromise the whole system. It is by no means a perfect solution.

No distribution of Linux, BSD, Xen or any other variant can solve the issue of needing to dispose of potentially infected hardware. Hardware-specific issues can really only be fixed at the hardware level. At best, software interventions can only provide workarounds.

The problem is no hardware exists that consists of entirely Libre firmware. It is very difficult to analyze the firmware of hardware, wipe potentially compromised versions, or overwrite firmware with a most-likely-clean version.

Even if a user wholly depended on Libre firmware, this would only make verification easier but it could not stop infection. Disassembling hardware components -- BIOS, disk controllers, CPU, Intel AMT and so on -- and flashing them with clean versions offline is extremely difficult. It is simply cheaper and more convenient to buy new hardware.

The bundling of undesirable anti-features like DRM in closed firmware is further evidence that Libre firmware is needed, in addition to Libre hardware designs.

A hypothetical stateless computer ^{[4] [5]} would solve the problem of malware persistence, but it still could not protect against the damage (data-exfiltration) caused by successful exploitation.

See also: Open Source Hardware

A Trojan embedded at the circuit level, altering logic or functionality of the physical chip.

Non-Freedom Software (precompiled binaries) should be avoided because it is easier to hide malicious backdoors. Freedom Software (source-available) should be preferred because it is more difficult to hide backdoors.

Finding Backdoors in Freedom Software vs Non-Freedom Software

	Non-Freedom Software (precompiled binaries)	Freedom Software (source-available)
Original source code is reviewable	No	Yes
Compiled binary file can be decompiled into disassembly	Yes	Yes
Regular pre-compiled binaries	Depends [6]	Yes
Obfuscation (anti-disassembly, anti-debugging, anti-VM) [7] is usually not used	Depends [8]	Yes [9]
Price for security audit searching for backdoors	Very high [10]	Lower
Difference between precompiled version and self-compiled version	Unavailable [11]	Small or none [12]
Reverse-engineering is not required	No	Yes
Assembler language skills required	Much more	Less
Always legal to decompile / reverse-engineer	No [13] [14]	Yes [15]
Possibility of catching backdoors via observing incoming/outgoing Internet connections	Very difficult [16]	Very difficult [16]
Convenience of spotting backdoors	Lowest convenience [17]	Very high convenience [18]
Difficulty of spotting intentional, malicious backdoors [19] [20]	Much higher difficulty [21]	Much lower difficulty [22]
Difficulty of spotting a "bugdoor" [23]	Much higher difficulty [24]	Lower difficulty
Third parties can legally release a software fork, a patched version without the backdoor	No [25]	Yes [26]
Third parties can potentially make (possibly illegal) modifications like disabling serial key checks [27]	Yes	Yes
Software is always modifiable	No [28]	Yes
Third parties can use static code analysis tools	No	Yes
Third parties can judge source code quality	No	Yes
Third parties can find logic bugs in the source code	No	Yes
Third parties can find logic bugs in the disassembly	Yes	Yes
Benefits from population-scale scrutiny	No	Yes
Third parties can benefit from debug symbols during analysis	Depends [29]	Yes
Display source code intermixed with disassembly	No	Yes [30]
Effort to audit subsequent releases	Almost same [31]	Usually lower [32]
Forum discussion: Finding Backdoors in Freedom Software vs Non-Freedom Software

Spotting backdoors is already very difficult in Freedom Software where the full source code is available to the general public. Spotting backdoors in non-freedom software composed of obfuscated binaries is exponentially more difficult. ^{[33] [34] [35] [36] [37] [38] [39] [40] [41]}

To further improve the situation in the future, the Freedom Software community is working on the Reproducible Builds project. Quote:

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code.

Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond.

This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.

This is particularly a concern for developers collaborating on privacy or security software: attacking these typically result in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.

Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure as an successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to its original authors and users alike.

The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.

This ability to notice if a developer has been compromised then deters such threats or attacks occurring in the first place as any compromise would be quickly detected. This offers comfort to front-liners that they not only can be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users.

Several free software projects already, or will soon, provide reproducible builds.

↑ For example, consider how difficult it was to reverse engineer Skype: Skype Reverse Engineering : The (long) journey ;)..

Malware and Firmware Trojans Documentation Open-source Hardware Previous page: Malware and Firmware Trojans Index page: Documentation Next page: Open-source Hardware

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!