ACLU Warns on Forced Malicious Software Updates

Installation of malicious software in legitimate products could compromise security, and damage trust in software updates altogether.

According to a report by the ACLU on “How Malicious Software Updates Endanger Everyone”, it warned that “government agents may see malicious software updates as a means for surveillance” and the US government may force users to install malware to bypass passcode lockouts, enable wiretapping, turn on cameras, or physically track someone. 

“The likelihood that government actors may attempt to force software makers to push out software updates that include malware designed to obtain data from targeted devices grows as more companies secure their users’ data with encryption,” it said.

“As companies close other technological loopholes, there will be increased pressure on law enforcement to find alternate vulnerabilities to exploit.”

The ACLU said that law enforcement routinely seeks the assistance of software makers to obtain data in the course of criminal investigations, but users have the right to decline assistance requests, or may compel software developers to “install malware on a user’s machine as a software update that appears to be entirely ordinary.”

The report also acknowledged that while fixing vulnerabilities requires that the public trust the software update channel, so that fixes to security weaknesses are deployed as soon as they’re made available, but people will not regularly update software if they fear the government or bad actors will use the new code to exploit their systems.

While the ACLU acknowledged that it was “uncertain whether governments have already sought to obtain such orders or will do so in the future”, it issued four guiding points on what developers should do in the event of such a request:

  • Understand the issue, and any legal obligations
  • Implement Technical Defenses, such as encryption and defending against targeted attacks
  • Plan Responses, and consult executives, software designers and engineers, and lawyers is a helpful and important step to take prior to receiving a technical assistance order
  • Lawyer Up and seek legal counsel if you receive a technical assistance order.

What’s Hot on Infosecurity Magazine?