Engineers' back doors
April 29, 2014 11:19 AM Subscribe
Have there been any documented cases where an engineer (or whatever) on a physical device or product used in the general marketplace has included a backdoor that allows them to get special "benefits"? Examples inside.
Some made up examples: an engineer on an ATM includes a secret code in the OS that allows the engineer to withdraw $100 without a card. Or a Otis Elevator engineer that includes a code allowing her to have express service if she hits the buttons in a certain order. The engineer who can hit a code in a certain order and get a free Coke. You get the idea--a backdoor that allows the engineer him or herself to get a tangible and direct benefit. I'm presuming in my hypotheticals that the engineer's employer doesn't know or condone the back door.
I'm not looking for purely software backdoors (i.e., a code allowing a programmer to log in to a server with a secret master password), or for backdoors that aren't direct tangible benefits to the engineer (like the brouhaha over Diebold voting machines overriding votes for one party or another--whether or not that was malicious, it's not the kind of direct benefit for the responsible parties). So phreaking is not what I'm looking for, either.
Has this kind of real-world back door ever been documented as a real thing? Free Cokes, express elevators, funny money, free RedBox DVDs etc.?
Some made up examples: an engineer on an ATM includes a secret code in the OS that allows the engineer to withdraw $100 without a card. Or a Otis Elevator engineer that includes a code allowing her to have express service if she hits the buttons in a certain order. The engineer who can hit a code in a certain order and get a free Coke. You get the idea--a backdoor that allows the engineer him or herself to get a tangible and direct benefit. I'm presuming in my hypotheticals that the engineer's employer doesn't know or condone the back door.
I'm not looking for purely software backdoors (i.e., a code allowing a programmer to log in to a server with a secret master password), or for backdoors that aren't direct tangible benefits to the engineer (like the brouhaha over Diebold voting machines overriding votes for one party or another--whether or not that was malicious, it's not the kind of direct benefit for the responsible parties). So phreaking is not what I'm looking for, either.
Has this kind of real-world back door ever been documented as a real thing? Free Cokes, express elevators, funny money, free RedBox DVDs etc.?
A lot of pinball machines have flipper codes built into their software. Pressing the buttons in a certain order activate the codes.
They were put there by the game programmers to either display secret messages to friends & family or enable hidden game features. Some of these features could allow you to score free games pretty easily. Could there be codes to switch the machine into free play mode or do other sinister things? Perhaps.
posted by JoeZydeco at 12:28 PM on April 29, 2014
They were put there by the game programmers to either display secret messages to friends & family or enable hidden game features. Some of these features could allow you to score free games pretty easily. Could there be codes to switch the machine into free play mode or do other sinister things? Perhaps.
posted by JoeZydeco at 12:28 PM on April 29, 2014
Salami slicing is a term that covers a variety of fraud but most famously, it's applied to cases where a programmer diverts an undetectable amount of money to their own account - for example, skimming fractions of a penny off a large number of financial transactions.
Here are some fascinating examples that include to physical products, such as:
In January 1993, four executives of a rental-car franchise in Florida were charged with defrauding at least 47,000 customers using a salami technique. The federal grand jury in Fort Lauderdale claimed that the defendants modified a computer billing program to add five extra gallons to the actual gas tank capacity of their vehicles. From 1988 through 1991, every customer who returned a car without topping it off ended up paying inflated rates for an inflated total of gasoline.
posted by rada at 12:31 PM on April 29, 2014 [1 favorite]
Here are some fascinating examples that include to physical products, such as:
In January 1993, four executives of a rental-car franchise in Florida were charged with defrauding at least 47,000 customers using a salami technique. The federal grand jury in Fort Lauderdale claimed that the defendants modified a computer billing program to add five extra gallons to the actual gas tank capacity of their vehicles. From 1988 through 1991, every customer who returned a car without topping it off ended up paying inflated rates for an inflated total of gasoline.
posted by rada at 12:31 PM on April 29, 2014 [1 favorite]
Harris took advantage of his expertise, reputation and access to source code in order to illegally modify certain slot machines to pay out large sums of money when a specific sequence and number of coins were inserted. From 1993 to 1995, Harris and an accomplice stole thousands of dollars from Las Vegas casinos, accomplishing one of the most successful and undetected scams in casino history.
posted by zabuni at 1:22 PM on April 29, 2014 [4 favorites]
posted by zabuni at 1:22 PM on April 29, 2014 [4 favorites]
I can't remember the name of the company, but back in the late 90s at work we had an ftp appliance in our server room that had a warning about how if you opened the case it would void the warranty. We opened it one day, and it had a rubber chicken attached to the lid that would pop up at you. I guess they did it so they could bust you if you asked about the chicken.
posted by PSB at 1:58 PM on April 29, 2014 [11 favorites]
posted by PSB at 1:58 PM on April 29, 2014 [11 favorites]
I know of a case where route salesmen discovered a bug that let them enter orders in a way that gave them bigger commissions.
posted by SemiSalt at 2:30 PM on April 29, 2014
posted by SemiSalt at 2:30 PM on April 29, 2014
Ken Thompson's Reflections on Trusting Trust describes the trojan he hid in the Unix C compiler and login command so he'd always have a login on any Unix computer.
posted by scruss at 5:06 PM on April 29, 2014 [2 favorites]
posted by scruss at 5:06 PM on April 29, 2014 [2 favorites]
There's an unnamed British bank which, according to the linked article, in the 1990s, only issued 3 different PIN numbers, so the people in the know could jackpot any random cloned cash card.
posted by ambrosen at 5:50 PM on April 29, 2014 [1 favorite]
posted by ambrosen at 5:50 PM on April 29, 2014 [1 favorite]
This thread is closed to new comments.
Not free stuff so much as either a) debug/testing b) allowing support people to reconfigure stuff without needing passwords. But no passwords is better than free stuff to test engineers.
posted by GuyZero at 11:22 AM on April 29, 2014 [2 favorites]