When federal law-enforcement officials can’t track criminal suspects through traditional wiretaps, they turn to tools most commonly associated with hackers: software exploits.
An article in The Wall Street Journal reveals some of the techniques the Federal Bureau of Investigation uses for such surveillance, including delivering spyware to suspects’ computers through emails and Web links. Former U.S. officials say that use of such tools under court orders has grown as more suspects “go dark” by using encrypted and other sophisticated new digital communications technology.
To get such spyware running on a suspect’s machine, investigators often must use tools that exploit holes in the software already on the computer or phone. Through these holes, known as vulnerabilities, investigators are able to get their own programs to run on the machine. To be effective, the spyware must then be stable, run undetected and reliably send information back to law enforcement.
Former U.S. officials said the FBI employs people who are able to make such tools, and it also buys the technology from private companies. In recent years, several firms have begun selling the technology to law enforcement.
A spokeswoman for the FBI declined to comment.
In some cases, federal law enforcement has had contracts and subcontracts with U.S. companies to develop specific computer exploits, said one person familiar with the process. “They hand out a target list and you try to find something,” that person said. “It starts with stuff that lots of people have, like Safari on Mac, then works down into a bunch of weird and very specific software packages.”
As of several years ago, a reliable Safari Web browser exploit could fetch at least $50,000 and sometimes as much as $100,000, the person said. Exploits for Internet Explorer might bring in more, while those for less popular software might cost about $10,000, that person said.
“It’s not a trivial amount of labor,” the person said. “You’re looking at 100 to 200 hours of work to find” an exploit in popular software.
The person said the process when working with law-enforcement agencies is slightly different from the one used by military agencies, mainly because law-enforcement requests are sometimes designed for specific cases. “Some of the software requests were absurd unless you had a specific target in mind,” the person said.
In posts on resume sites, people from other private companies discuss similar work, including working with FBI field agents on “penetration software” and making surveillance tools that were “case specific.”
The Journal article also describes how a firm called Gamma International offers “0 day exploits”—meaning that the software maker doesn’t yet know about the security hole—for software including Microsoft Corp.’s Internet Explorer. Gamma has marketed its products within the U.S., but didn’t respond to requests for comment.
Christopher Soghoian, principal technologist at the American Civil Liberties Union, said he is concerned about the government “sitting on” computer exploits rather than helping companies fix the problems and protect people. The same hacking tools that law enforcement uses in investigations could also be employed by criminal hackers, he said.
Other computer-security researchers say the use of such hacking tools is preferable to rules that would require companies to put so-called back doors into software to easily enable wiretaps. Law-enforcement agencies have been seeking changes to the law to mandate wiretap capabilities in more Internet technologies.
Such back doors “become one-stop-shopping for criminals and foreign intelligence services, not just the FBI,” said Matt Blaze, a computer science professor at the University of Pennsylvania. But if law enforcement has to hack into a suspect’s machine to get information, it “doesn’t put the rest of the network at risk,” he said.