Is the FBI Using Zero-Days in Criminal Investigations?

We have known for a while now that the FBI uses hacking techniques to conduct remote computer searches in criminal investigations — particularly those that involve the dark web. But the addition of auto-update functionality to the Tor Browser, the world’s most popular anonymity tool, may push authorities into a tactical shift toward the controversial use of “zero-day” exploits that target previously unpublished software flaws. Doing so would open the door to a host of legal and policy questions related to software vulnerabilities, their exploitation by law enforcement, and when (and how) such weaknesses should be disclosed.

A “zero-day” vulnerability is a hidden software bug for which no fix or patch exists. The name reflects the number of days such a bug has been known to the public (and ultimately, the software developer). Owning a zero-day exploit, in principle, is like owning a backdoor to every device in the world running the affected software. Zero-days are valuable because malicious code exploiting them can propagate from one computer to the next with relative impunity. Once a zero-day vulnerability is made public, victims will have had “zero days” to protect themselves from the breach, and can’t undo the damage done.

Currently, most malware programs target known vulnerabilities in outdated software versions. It is both easier and cheaper for an intruder to exploit a known weakness in a system than to find a previously undiscovered way in. This works out for intruders because users are notoriously lazy about installing software updates (even when prompted to do so), often leaving themselves vulnerable to attack. Automatically deploying patches ensures that users are running up-to-date software, and significantly reduces the risk of an intruder breach.

While auto-update functionality is good for security, it marks a setback for law enforcement, who increasingly rely on hacking techniques to conduct remote searches of computers and other networked devices. As I’ve explained before, the use of hacking techniques by law enforcement is particularly useful in the pursuit of suspects on the dark web. More recently it has been suggested that the government might turn to hacking techniques as a possible means to circumvent strong encryption being implemented by third-party Internet service providers.

In previous cases, the FBI was able to deploy exploits that attacked security bugs for which a patch was available, but not yet installed on target machines due to user negligence. This was the case in a 2012 sting codenamed “Operation Torpedo,” which targeted users of illicit websites on the dark web. Law enforcement agents were able to use Metasploit (a popular, and free, penetration testing application) to exploit known software bugs in the Tor Browser for which a patch was made available in several previous software releases.

As the Tor Browser’s auto-update feature approaches full user adoption over the next several months, FBI hacking techniques that target outdated versions of the software will be rendered obsolete. This raises questions as to how the FBI will fill the capacity gap that results. As a technical matter, zero-day exploits provide an effective workaround: because they target bugs that are (by definition) unknown to the software developer, software patches are not an effective antidote (auto-update or not). But a number of new policy and legal questions must be addressed in assessing whether the FBI should use zero-day exploits to acquire evidence of criminal activity.

As an initial matter, it is unclear how the FBI would maintain a readily available cache of zero-days or how much it would cost to do so. The FBI (probably) doesn’t have the technological capabilities required to harvest zero-days, or to develop malware programs that exploit newly discovered zero-days at a pace rapid enough to be operationalized by law enforcement before a patch is made available. This means that if law enforcement starts using zero-days in its investigations, the US government will likely need to procure them from outside vendors who operate in a “grey market,” at best. (At least one cybersecurity startup seems to have expanded its zero-day acquisition program accordingly.)

While details of the zero-day market are hard to come by, a recent hack of the Italian spyware maker Hacking Team and the subsequent dump of its internal emails provide a uniquely public case study, highlighting the market’s volatility and exclusivity. The cost of a zero-day exploit varies greatly, turning on a variety of speculative factors such as how many targets the exploit can provide access to, how soon the vulnerability is likely to be discovered (and patched), and the financial capabilities of the buyer. According to one article, a fully functioning remote zero-day exploit for an iPhone sells for around $1 million. And this is despite the fact that once a zero-day has been discovered (e.g., by a researcher, an attack victim, or the software developer), its value rapidly evaporates on the assumption that a patch is just around the corner.

The unique security implications of zero-days raise many questions as to whether (and how) to regulate vulnerability disclosure. Recent news has highlighted the uncomfortable truth that no software is immune to hidden design flaws — even when designed by major security firms. The more prevalent the buggy software, the greater an exploit’s potential to infect systems and devices.

Zero-day exploits in the wrong hands could be very bad: they can render a variety of potential threat actors fully capable of exploiting the insecurity of the technological infrastructure of our world. Most targets are defenseless against zero-day attacks, which are undetectable by antivirus applications that rely on digital “signatures” of known threats. Once a system is breached, a broad range of capabilities can typically be executed, in large part turning on the sophistication and intent of the intruder.

It’s better for overall cybersecurity when researchers, businesses, and government agencies disclose zero-day vulnerabilities, even if doing so prohibits law enforcement from exploiting them for investigative purposes. By contrast, stockpiling zero-days runs the risk that criminals (or worse, adversary states) are actively exploiting the flaw in the wild, potentially affecting our privacy, property, and security in the process.

Currently, the US government determines when to disclose a known zero-day through what is called an “equities process.” As part of this process, agencies assess “when a zero-day software vulnerability it learns about should be disclosed to a vendor to be fixed or kept secret and exploited for intelligence or law enforcement purposes.” According to the Office of the Director of National Intelligence, the process is biased toward responsibly disclosing zero-day vulnerabilities “unless there is a clear national security or law enforcement need” (emphasis added). But others, including former cybersecurity advisor Richard Clarke, seem to think the process is more form than substance:

“If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users,” Clarke said, adding “[t]here is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn’t.”

And while the NSA recently reported that it discloses 91 percent of discovered zero-days, the details — for example, whether vulnerabilities are weaponized and exploited in the wild before disclosure, for what purpose, and for how long — have yet to be revealed.

Regardless (and setting aside the potential intelligence value of storing vulnerabilities), it remains particularly unclear what non-national security criminal law enforcement circumstances would be sufficient to trigger the use of zero-day exploits. The Justice Department has previously clarified that hacking techniques are deployed in the investigation of general crimes. Whether this will involve the use of zero-day exploits has not been revealed, though it seems likely. Simple (but highly effective) security-enhancing features like “auto-update” functionality are increasingly being adopted by a variety of software makers, significantly mitigating the usefulness of less sophisticated hacking techniques that law enforcement has relied upon in the past.

As things stand, I would be hesitant to allow the use of zero-day exploits by law enforcement for non-national security purposes without prior (and public) comprehensive deliberation between lawyers, technologists, and policymakers that looks beyond immediate operational needs and considers its potentially far-reaching consequences. This post just scratches the surface.

About the Author(s)

Ahmed Ghappour

Visiting Professor at UC Hastings College of the Law and Director of the Liberty, Security and Technology Clinic. Follow him on Twitter (@ghappour).