Backdoors in Software: Real-World Cases, Legal Perspectives, and Security Implications
The article recounts real-world examples of hidden backdoors in software, from a time-bomb planted in a custom Android ROM to Ken Thompson's compiler-level attack, discusses their legal ambiguity under Chinese law, highlights why backdoors placed deep in the toolchain are hard to detect, and closes with a call for developers to share their own experiences, alongside a promotional Python course.
While browsing Zhihu, the author found a question that sparked a discussion about hidden backdoors in software.
In an early outsourcing project for a Taiwanese company, a custom Android ROM was delivered under a payment schedule of 160,000 CNY for development plus 20,000 CNY for a one-year maintenance contract. The development fee was split into three phases: a 40,000 CNY deposit, 80,000 CNY on delivery of the production ROM, and the final 40,000 CNY after source code hand-over. Before delivering the production ROM, a timestamp check (in effect a time bomb) was hidden in the driver code so that the device would stop booting after six months. The client never paid the final installment, claimed the product worked fine, and also avoided the maintenance fee. After two months of complaints from the client's downstream customers, the remaining payment was finally collected. The author notes that leaving such a backdoor can be a form of self-protection and is not necessarily illegal.
The author then reflects on personal experiences with clients disappearing after software delivery, emphasizing the difficulty of enforcing payment without such safeguards.
Regarding the legality of backdoors, a security expert explains that Chinese law does not specifically criminalize the existence of a backdoor, because "backdoor" is hard to define objectively. Features such as automatic updates, hot-patch mechanisms, or remote maintenance can all be considered backdoors depending on how they are used. Consequently, the law punishes the misuse of a backdoor rather than its mere presence: a backdoor that is never used is not illegal, but using it for malicious purposes can lead to prosecution.
Ken Thompson, in his 1984 Turing Award lecture "Reflections on Trusting Trust", described a modified C compiler at Bell Labs that recognised when it was compiling the Unix login program and inserted a hidden master-password check, and that also recognised when it was compiling the C compiler itself and re-inserted the same modification. The article retells the popular version of the story in which the backdoor was used to keep access to accounts on a Unix system: changing the passwords did not help, because the backdoor lived in the compiler binary rather than in any source file, so even rebuilding the compiler from clean source reproduced it. The same idea resurfaced in the 2015 XcodeGhost incident, where a trojanised copy of Apple's Xcode injected malicious code into the iOS apps it built, which shows that a backdoor at the compiler level is extremely difficult to detect and remove by reviewing source code alone. The expert categorises backdoors by their depth: low-level, within the source code; mid-level, within the toolchain; high-level, within the compiler; and ultimate, embedded in hardware, which is virtually impossible to defend against.
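The mechanism in the paragraph above, as an added example that is not code from the article or from Thompson's paper: a toy model in Python in which the "language" is Python source text, a "binary" is the text a compiler emits, and exec() plays the CPU. The trojaned compiler backdoors any login program it compiles and, when asked to compile the compiler, emits a binary that again contains the trojan, so rebuilding from the clean compiler source never removes it. The block also implements David A. Wheeler's diverse double-compiling (DDC) check, which catches the tampered binary by rebuilding the compiler through an independently written compiler and comparing the results. All sources, the "open-sesame" master password and the compiler bodies are constructed for this example.

```python
"""Toy model of Thompson's compiler backdoor and the DDC check.

Added example, not the article's code. The 'language' is Python source
text, a 'binary' is the text a compiler emits, exec() is the CPU. Every
source string and password below is constructed for the demonstration.
"""

# Constructed source of the program the backdoor targets.
LOGIN_SRC = (
    'USERS = {"alice": "correct horse"}\n'
    'def login(user, password):\n'
    '    return USERS.get(user) == password\n'
)

# Constructed source of the honest compiler. Compilation is the identity
# transform, so the honest compiler binary is literally its own source.
COMPILER_SRC = (
    'def compile(src):\n'
    '    return src\n'
)
HONEST_COMPILER_BIN = COMPILER_SRC

# A second compiler with the same observable behaviour, written
# independently. DDC needs such a compiler; it need not be fast or pretty.
TRUSTED_COMPILER_BIN = (
    'def compile(src):\n'
    '    return "".join(list(src))\n'
)

# The trojan is a quine over its own text: when it compiles the compiler
# it emits a binary that again carries this body. 'open-sesame' is the
# toy's hidden master password.
TROJAN_BODY = r'''
def compile(src):
    if "def login(" in src:
        src = src.replace("def login(user, password):\n",
                          "def login(user, password):\n"
                          "    if password == 'open-sesame':\n"
                          "        return True\n")
    if "def compile(" in src:
        return "TROJAN_BODY = " + repr(TROJAN_BODY) + "\n" + TROJAN_BODY
    return src
'''
TROJANED_COMPILER_BIN = "TROJAN_BODY = " + repr(TROJAN_BODY) + "\n" + TROJAN_BODY


def load(binary):
    """Run a binary and return the namespace it defines."""
    ns = {}
    exec(binary, ns)
    return ns


def compile_with(compiler_bin, src):
    """Compile src using the compiler binary compiler_bin."""
    return load(compiler_bin)["compile"](src)


def login_accepts(login_bin, user, password):
    """Run a compiled login program against one credential pair."""
    return bool(load(login_bin)["login"](user, password))


def ddc_check(suspect_bin, compiler_src, trusted_bin):
    """Diverse double-compiling: rebuild the compiler from its source with
    an independent trusted compiler, rebuild once more with that result,
    and compare to the suspect binary. Assumes deterministic output; a
    mismatch means the suspect does not correspond to compiler_src."""
    stage1 = compile_with(trusted_bin, compiler_src)
    stage2 = compile_with(stage1, compiler_src)
    return stage2 == suspect_bin


def demo():
    """Return a dict of named checks; every value should be True."""
    honest_login = compile_with(HONEST_COMPILER_BIN, LOGIN_SRC)
    evil_login = compile_with(TROJANED_COMPILER_BIN, LOGIN_SRC)
    rebuilt = compile_with(TROJANED_COMPILER_BIN, COMPILER_SRC)
    return {
        "honest_rejects_magic": not login_accepts(honest_login, "alice", "open-sesame"),
        "trojaned_accepts_magic": login_accepts(evil_login, "alice", "open-sesame"),
        "source_is_clean": "open-sesame" not in COMPILER_SRC,
        "trojan_survives_rebuild": rebuilt == TROJANED_COMPILER_BIN,
        "ddc_flags_trojan": not ddc_check(TROJANED_COMPILER_BIN, COMPILER_SRC, TRUSTED_COMPILER_BIN),
        "ddc_passes_honest": ddc_check(HONEST_COMPILER_BIN, COMPILER_SRC, TRUSTED_COMPILER_BIN),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the DDC step is that source review cannot find this backdoor (the compiler source is clean) and a rebuild cannot remove it (the trojan regenerates itself), but a second, independently produced compiler breaks the loop: the trojan has no way to recognise or survive a build it did not perform. In practice the same reasoning is why reproducible builds and cross-compiler bootstrap comparisons matter for supply-chain security; the check only holds if the trusted compiler really is independent and the build is deterministic.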
The article also mentions a recent case in which a hacker group distributed a poisoned copy of the IDA reverse-engineering tool, illustrating that even the software security researchers rely on can be targeted.
Readers are invited to share any personal experiences of embedding backdoors in code.
At the end of the article, a QR code is provided for a free Python course that includes learning materials such as e-books, tutorials, project contracts, and source code.
Python Programming Learning Circle
A global community of Chinese Python developers offering technical articles, columns, original video tutorials, and problem sets. Topics include web full‑stack development, web scraping, data analysis, natural language processing, image processing, machine learning, automated testing, DevOps automation, and big data.