Some people, especially the ones trying to sell you security software, suggest that the only way to stay secure online is to stay smart. In other words, you have to take care of your online hygiene if you want to make sure that you’re not the target of another cyber criminal or hacker.
Well, apparently, none of that is true if the FBI is on your tail.
Recent media reports have revealed that the FBI made use of a non-public vulnerability in order to hack into the machines of suspects who were using the online anonymity service known as Tor.
Just a couple of weeks ago, it was also revealed that the FBI had hacked into a huge number of computers, in the thousands by most estimates. Most of the hacked computers belonged to users who had visited a child pornography website by the name of Playpen.
Readers should also know that the original hack of thousands of machines happened back in 2015. Now, a judge involved with a related case has revealed that the FBI used a non-publicly-known vulnerability in the Tor network in order to hack into suspects’ computers.
Why does any of this matter to common internet users around the world?
Well, this news, along with earlier reports of the FBI going to extremes in order to catch suspected “criminals” who visited specific websites, clearly highlights the FBI’s inclination towards exploiting security issues in the various software and devices that are connected to the internet.
Of course, that is not all the FBI does on a daily basis, but it is a trend that many reporters have started to observe after various media reports broke news about the FBI’s sometimes extra-judicial operations, especially in regions outside the United States of America.
The FBI has become rather notorious for getting close to their criminal suspects who use new online technologies such as Tor which allow them to anonymize their existence in the online world.
Now, Tor may be the most secure and probably the most famous online anonymizing service out there, but readers should keep in mind that it isn’t the only service that allows users (or suspected criminals, in the FBI’s case) to hide their identity online in order to carry out their business.
There are lots of other consumer products on the market that offer users (read: customers) advanced encryption features built right into the product, which can easily be bought and then installed on any device. All of this happens online, so it is rather convenient for anyone with a laptop and an internet connection to just go online, buy one of these consumer products and visit any illegal site without getting caught. That is, without getting caught by organizations other than the FBI.
However, in this particular case, it is unknown whether the vulnerability the FBI used to hack into thousands of computers that were using Tor was known to the creators of the software.
In the cyber security world, this type of security issue is commonly known as a zero-day vulnerability. In other words, it is a security issue in a device or a software program that the manufacturer of that program or device is unaware of, and has therefore had no time to fix. This holds true for products developed by software developers as well as by hardware manufacturers.
And that brings up another controversial issue as far as the FBI’s activities to catch suspected criminals on the internet are concerned. Namely, isn’t it the responsibility of the agency to disclose the vulnerability information to all the affected parties?
Well, no one knows for sure. What is certain is that the judge’s comments on the case, which concerns the FBI’s mission to catch criminals all over the world by leveraging security issues in software and hardware devices, are the most detailed yet regarding the type of vulnerability the FBI exploited in order to hack more than 8500 computers, located not just in the United States of America but in well over 100 countries around the world.
As mentioned earlier, the FBI started its “worldwide project” to catch suspected criminals back in February 2015, when the agency managed to seize a dark web (the bad and nasty part of the deep web) child pornography website known as Playpen.
Back then, it was also reported that the FBI used some advanced methods to get hold of visitors to the illegal pornographic website, such as the NIT, short for network investigative technique. At least, that is the name the FBI gave it.
Essentially, the network investigative technique is a piece of malware that breaks into any computer the FBI suspects belongs to a criminal or a potential criminal. The agency is then able to learn the real IP address of the computer suspected of belonging to a criminal.
Timothy L. Brooks, who is a United States district judge, filed a document with the court earlier this month in which he wrote that, with the user’s true IP address came the FBI’s ability to determine the actual identity and location of the suspected Playpen user.
Brooks also added that the FBI’s network investigative technique was able to do all that by first exploiting a defective window, in other words, a non-publicly known vulnerability within the network.
Using the same analogy, what the judge tried to convey to the court was that the vulnerability the FBI took advantage of to get into the suspected criminal’s computer (or, more specifically, the particular browser the suspect used on that computer) was basically a defect in the lock of a window.
The FBI recognized the fault in the window’s lock and then used a specific exploit to break into the suspect’s computer. Using the window analogy again, the agency basically used a lock-picking tool to open the window’s lock and then gain entry to the house, i.e. the suspect’s computer.
Denelle Dixon-Thayer, who is the chief legal and business officer of Mozilla, wrote in an email exchange with Motherboard that the judge’s description definitely suggested that the FBI’s exploit used a zero-day vulnerability.
As indicated earlier, the software the FBI broke into in order to gain access to suspected criminals’ computers was the Tor Browser. It has also been suggested that most of the users who visited Playpen used the Tor Browser in order to hide their online information from law enforcement agencies, among other organizations.
The Tor Browser is actually built upon the same technology that is still used in Mozilla Firefox. Both browsers share many features and use much of the same underlying code.
Back in the month of May, Mozilla asked the FBI to disclose the zero-day vulnerability that allowed the agency to launch its hacking campaign against users who visited Playpen (the dark web child pornography website).
The reason behind Mozilla’s request was so that the non-profit organization could put its developers to work on fixing the zero-day security issue, assuming that the flaw applied to the Firefox web browser as well. Needless to say, Firefox is used by millions of users around the world, and any security flaw within the web browser is likely to affect millions, if not hundreds of millions, of online users.
Dixon-Thayer published a blog post recently (actually at the same time Mozilla asked the FBI to release information regarding the Tor Browser hack, in May) in which she wrote that governments and technology companies both had a role to play in ensuring people’s security online.
Moreover, she also wrote that disclosing vulnerabilities to technology companies first allowed those companies to do their job, which was to prevent users from being harmed.
The post further mentioned that it is vital that agencies such as the FBI release information regarding potential zero-day security issues in any software (if they find any) so that technology companies can work towards their goal of making the web a more secure place for everyone.
And perhaps that is one of the reasons why the FBI’s use of the zero-day vulnerability has garnered so much media attention. For clarity’s sake: if the FBI used the hack to catch suspected criminals, it also means that the agency used a security flaw in the browser in its investigative activities while regular users of Firefox and the Firefox-based Tor Browser were left vulnerable to potential attacks from cyber criminals and other hackers.
It is a well-known fact that the FBI has taken, and does take, advantage of security issues in devices and programs that are considered to be zero-days.
The former head of one of the FBI’s hacking units, Amy Hess, talked to reporters at The Washington Post in an interview held in December 2015 and expressed the same opinion about the FBI and its activities.
This is an appropriate time to mention that the United States district judge’s comment does not help when it comes to making certain whether or not the FBI used a zero-day vulnerability to gain access to thousands of computers worldwide in one of its operations.
But moving away from the comments of the head of the Operational Technology Division (the FBI’s hacking unit), Dan Guido, the founder of the cyber security firm Trail of Bits, also mentioned something similar in an interview given to Motherboard via email.
He said that zero-day was an inadequate term to describe the vast spectrum of potential states in which software security issues could exist.
To put it another way, the vulnerability could have been a bug that Mozilla had already patched but had not yet shipped to the public in a released version of the software. It could also have been a bug in a library the developers used which was fixed upstream, but whose fix was not included in the version offered to the public.
Former NSA security researcher Dave Aitel (who is also the founder of the cyber security company Immunity) told Motherboard in an interview conducted over email that another way of understanding the zero-day vulnerability was that it was something which had been fixed but was not known to be security-relevant, or not known to apply to the Tor Browser.
When Motherboard contacted the Tor Project (the organization behind the Tor Browser) for a comment, the request was declined for the purposes of their report.
If it wasn’t clear enough already, the FBI and the Department of Justice have both turned down requests to hand over the exploit code to various defense teams, even when compelled to do so by a judge’s order.
In fact, both the FBI and Department of Justice preferred to lose convictions when the other option was to reveal the details of their investigative techniques.
As mentioned earlier in the article, Judge Brooks filed the related documents with the court in a case involving Anthony Allen Jean. Jean’s lawyers, on the other hand, have argued before the judge that in order to defend their client properly they would require the related documentation of the exploit used by the FBI.
As expected, the judge has decided to back the FBI in this particular case.
Judge Brooks, in his statement, also wrote that mere knowledge of the particular vulnerability exploited here could potentially lead the expert to later build his own exploit, or assist others in doing so, thereby effectively circumventing a protective order.
Moreover, the documents with the court (in other words, the court filings) also reveal through one of the entries that more than 100,000 online users accessed the child pornography website Playpen over the course of the 13 days for which the FBI had complete control over it.
As was indicated earlier, the FBI only managed to obtain about 8500 IP addresses of the users who accessed the deep web child pornography website, even with the help of its malware exploit during that period.
This is what the media has reported based on court transcripts obtained by authoritative cyber security news outlets such as Motherboard.
Nevertheless, what is certain in this whole scenario is that the Playpen operation carried out by the FBI is just another entry on the growing list of cases in which the agency has used exploits to bypass the protections afforded to users who access the internet through various software programs (web browsers and apps) and devices.
It is now widely known that earlier this year, the FBI had paid a team of hackers to unlock an iPhone 5C smartphone that belonged to Syed Farook who was considered to be responsible for the San Bernardino terrorist attacks.