Are Hidden Backdoors in Software Legal? Real Cases and Expert Insights
This article shares three Zhihu answers that explore a hidden backdoor in an Android ROM, the ambiguous legal status of software backdoors in China, and historic compiler‑level backdoors like Ken Thompson's, highlighting the technical and legal complexities of hidden vulnerabilities.
Yesterday I saw an interesting Zhihu question and decided to share three notable answers.
Backdoor in an Android ROM
Answerer: 特立独行的猪
Link: https://www.zhihu.com/question/531724027/answer/2487270093
In an early outsourcing project for a Taiwanese company, a custom Android ROM was delivered for 160,000 RMB with a one‑year maintenance fee of 20,000 RMB. Payments were split: 40,000 RMB deposit, 80,000 RMB on ROM delivery, and 40,000 RMB final payment after source code hand‑over. Before the production ROM was delivered, a hidden timestamp check was embedded in the driver, causing the device to fail to boot after six months. The client never paid the final 40,000 RMB, claiming the product worked fine and refusing the source code and maintenance fee. After two months the hidden issue caused downstream customer complaints, forcing the client to pay the remaining amount. The answerer argues this self‑protection is not illegal, though it depends on the specific case.
Legal view on backdoors
Answerer: tombkeeper
Link: https://www.zhihu.com/question/531724027/answer/2539891264
Chinese law does not specifically punish the existence of a backdoor because it is hard to define objectively. Whether mechanisms such as automatic updates, hot‑patches, or remote maintenance count as backdoors is ambiguous. Liability is determined by the actual misuse of the backdoor: merely leaving one unused is not punishable, but using it for wrongdoing can lead to conviction.
Advanced backdoors and historical examples
Answerer: 沧海
Link: https://www.zhihu.com/question/531724027/answer/2487130220
Ken Thompson once inserted a backdoor into a C compiler at Bell Labs, allowing him to access any Unix account regardless of password changes. The backdoor persisted because the compiler was required to build the system. Similar techniques were used in the XcodeGhost incident. Backdoors can exist at various levels: code, toolchain, compiler, and even hardware, making them extremely difficult to detect.
The post also mentions a recent case where a hacker group poisoned the IDA reverse‑engineering tool, illustrating how sophisticated backdoors can target security professionals.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Java Backend Technology
Focus on Java-related technologies: SSM, Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading. Occasionally cover DevOps tools like Jenkins, Nexus, Docker, and ELK. Also share technical insights from time to time, committed to Java full-stack development!