A recent Washington Post profile about the FBI’s executive assistant director for science and technology reveals a lot about the bureau’s methods for dealing with modern gadgets, and one stark and possibly unsettling fact: The FBI uses the same security loopholes in software that unscrupulous hackers do.
The Post’s article gives an interesting insight into Amy Hess’s job. As a senior FBI figure in charge of technology, Hess’ role is a timely and important one. As we all use technology more, so do the “bad guys,” and the FBI finds itself having to try many of the same tricks seen in high-tech crime dramas on TV. Where, after a serious incident for example, the FBI’s technicians tear into phones, computers, and other technology belonging to suspects in order to identify them or discover information that may prevent future incidents.
It’s easy to see this kind of investigation is an important part of the Bureau’s work. But in the article, Hess also admitted for the first time that the FBI actively uses so-called “zero-day” exploits to remotely hack computers.
A zero-day exploit is a flaw in a piece of software that allows hackers who know about it to easily gain access to a computer system. It gets its name because once the flaw becomes public knowledge, the designer of the system has no time—zero days—to fix the issue before it becomes an active threat to anyone running the software. Before fixes or patches are released, clever hackers are free to use the loophole to steal passwords, credit card details, and so on. Zero-day exploits have recently plagued Adobe’s popular Flash software, and it’s also been alleged that a Russia-based malware group extensively uses zero-day flaws to hack targets as big as NATO.
Hess admitted that the FBI uses these exploits in exactly the same way that hackers do to gain access to suspects’ computers, under the powers of a warrant issued by a judge. But the Post notes that this process may be questionable because judges may not understand the full implications of the hacking they are effectively authorizing. And if the FBI knows about a zero-day flaw but isn’t alerting the software maker about the issue, it could be leaving everyone else who uses the software at risk. Hess is quoted as saying this is a sensitive issue for the FBI. “How do we balance that?” she said. “That is a constant challenge for us.”
Using zero-day loopholes has been compared to using Stingray snooping devices to track cellphones, a practice that various security forces carry out across the US. But Stingrays are so controversial that their use has been reigned in, and courts are beginning to limit how they are used by law enforcement.