FBI Admits to Using Undisclosed Zero-Day for Surveillance

The FBI has confirmed that it has a policy of using zero-day exploits to gain access to the computers of “persons of interest.”

The agency confirmed to The Washington Post that it not only makes use of software vulnerabilities to spy on potential terrorists and criminals, but it does this without informing the affected vendors—thus leaving their customers, potentially millions of them, at risk from criminal hacking.

“Whether or not the FBI should use zero days without reporting them is certainly a question that needs significant and serious discussion,” Adam Meyer, chief security strategist, SurfWatch Labs, told Infosecurity. “The patriot in me always wants our law enforcement and military to have the best tools available for them to keep us all safe. However the security practitioner in me says not disclosing a zero day vulnerability places all users of that technology at risk. Essentially, we are trading one liability for another and who makes the determination that the needs of a few outweigh the needs of many?”

It’s a question that the FBI itself is wrestling with, a top official said. "What is the greater good?" Amy Hess, the bureau's executive assistant director for science and technology, asked the Post. "To be able to identify a person who is threatening public safety?" Or to protect people from being hacked by patching software holes? “How do we balance that?” she said. “That is a constant challenge for us,” she added, noting that using exploits is not the FBI’s first choice when it comes to investigations.

The confirmation backs up information that has been leaked previously: that the agency has had a zero-day policy in place since 2010, according to documents obtained by the American Civil Liberties Union and published earlier this year on Wired. Working groups had been assembled at least two years earlier to begin mapping out that policy, according to a document obtained by the Electronic Frontier Foundation privacy organization and also published on Wired. The efforts are part of the FBI’s Operational Technology Division and the Remote Operations Unit, according to the Post.

“I believe it is safe to assume that any US agency with a Defense or Homeland Security mission area are using exploits to achieve a presence against their targets,” Meyer said. “Unfortunately, I also think it is safe to assume that every developed country in the world is doing the exact same thing.” 

From a technology perspective, there is no easy alternative to solve this issue. “Government agencies using this tactic must have oversight to ensure those vulnerabilities, once used to achieve their immediate objective, pass the technical details to the vendors so that a fix can be deployed to the user base,” Meyer said. “The reality is a zero day can be used against us just as much as for us.”
