
The FBI Has New Hacking Powers

May 26, 2016, by Daniel Dimov

Introduction

In April 2016, the U.S. Supreme Court approved amendments to Rule 41 of the Federal Rules of Criminal Procedure. Under the amended rule, a U.S. judge may issue a warrant authorizing law enforcement to remotely access and search computers located outside the judge's own district, for example, when the location of a computer has been concealed through technological means (such as an anonymizing network like Tor) or when the investigation concerns computers in five or more districts that have been damaged by malware, as in a botnet case. Unless Congress intervenes, the amendments take effect on 1 December 2016.

According to Google and the American Civil Liberties Union (ACLU), the approved rule may allow the U.S. Federal Bureau of Investigation (FBI) to conduct mass hacks on computers. Senator Ron Wyden of Oregon believes that such hacks will target not only computers of criminal suspects but also computers of victims of cyber-crime.


The purpose of this article is to examine the consequences of the expanded hacking powers (Section 2) and to discuss the new powers in the context of the FBI's past hacking history (Section 3). Finally, a conclusion is drawn (Section 4).

The consequences of the expanded hacking powers

Since the amended Rule 41 does not define the term "remote search", it may be read as permitting any type of remote intrusion into a computer, whether owned by a U.S. or a non-U.S. resident. The approved rule may therefore usher in an era of "mass hacking".

Although the FBI has already demonstrated its capacity for mass hacking (see Section 3 of this article), the previous version of Rule 41 seriously limited it. By way of illustration, some of the evidence that the FBI collected by deploying malware on at least one thousand computers during "Operation Pacifier" was thrown out by U.S. courts, because the warrant had been issued by a magistrate judge in Virginia for computers located outside that district, in violation of the then-current Rule 41. What else makes "Operation Pacifier" interesting from a privacy point of view is that, during the operation, the FBI also hacked computers in Denmark, Greece, and Chile.

It should be noted that, under the new version of Rule 41, the FBI may be authorized to hack not only the computers of criminals but also the computers of victims of information security attacks. For example, the FBI could be authorized to hack all 1.9 million computers that were controlled by ZeroAccess, one of the largest botnets of recent years. A "botnet" is a network of computers that have been compromised with malware and are controlled remotely by an attacker, typically to send spam, spread further malware, or attack other computers on the Internet. The legitimate users of the computers in a botnet are usually unaware that their machines are being used in this way. However, because the infected computers de facto attack other computers, and because the amended rule explicitly contemplates warrants in investigations of damaged computers spread across five or more districts, the FBI may treat the infected computers in the same way it treats the computers of the attackers.

Supporters of the amended Rule 41 argue that the FBI will use the collected evidence for legitimate purposes only. Even if this is true, there is no guarantee that the FBI itself will not be hacked and that the collected data will not end up in the hands of data brokers. The larger the data set, the greater its monetary value. According to Trend Micro, 300 IP addresses cost USD 6 on the Russian black market for personal data, i.e., about two cents per address. At that price, the IP addresses of the 1.9 million computers connected to ZeroAccess would be worth roughly USD 38,000, a sum sufficient to incentivize criminals to steal them from the FBI.

Reports of breaches of FBI data are not hard to find. For example, on 13 February 2016, Fox News reported that: "A 16-year-old boy living in England has been arrested in connection with the recent hack of FBI and DHS data, as well as the personal email accounts of CIA director John Brennan and Homeland Security chief Jeh Johnson."

FBI's past hacking history

The information in this section shows that the FBI has the knowledge and experience necessary to conduct mass hacking of computers. Below, we briefly discuss four tools employed in combating cyber crime throughout the FBI's hacking history, namely, the packet sniffer Carnivore and the keystroke logger Magic Lantern (Section 3.1), the Computer and Internet Protocol Address Verifier (Section 3.2), and the Network Investigative Technique (Section 3.3). Furthermore, we discuss a hacking technique commonly used by the FBI, namely, the exploitation of security vulnerabilities (Section 3.4).

Packet sniffers and keystroke loggers

Packet sniffing is the interception and inspection of network traffic as it passes through a point on the network, such as an Internet service provider. Keystroke logging is a technique for recording the keys struck on a keyboard. In both cases, the monitoring is usually done without the consent of the person being monitored. Below, we discuss two tools, Carnivore and the Magic Lantern.

Carnivore. Carnivore was the first publicly disclosed computer surveillance software used by the FBI. Designed in 1998, it was intended to intercept the Internet communications of criminal suspects. The software was based on packet-sniffing technology: installed at the suspect's Internet service provider, it filtered the traffic passing through the ISP for packets associated with the target (for example, by IP address or e-mail address) and recorded them for the FBI. Carnivore was used in investigations of specific illicit activities, such as child pornography, terrorism, fraud, and espionage. To use Carnivore in a specific case, the FBI was obliged to (1) provide sufficient evidence that the targeted user might be engaged in a crime and (2) obtain a court order. The software was replaced in 2005 because it could not keep up with the increasingly common encryption of the traffic it intercepted.

The Magic Lantern. The Magic Lantern, first reported in 2001, was presented as a successor to Carnivore that overcame its main limitation: instead of capturing traffic on the network, where encryption hides its contents, it captured data on the suspect's own computer, before encryption. Magic Lantern functioned as a Trojan horse distributed through an e-mail attachment. Once installed on the suspect's computer, it allowed investigators to monitor all activities conducted on the machine, including keystrokes and web browsing patterns. In particular, by logging keystrokes it could capture the passphrases protecting a suspect's encryption keys and transmit them to the FBI, giving investigators access to encrypted files and messages.

Taking Carnivore and the Magic Lantern together, one can imagine a hypothetical scenario in which the FBI installs keystroke logging software on millions of hacked computers in order to find out whether some of their users are involved in the hacks.

Computer and Internet Protocol Address Verifiers

The Computer and Internet Protocol Address Verifier (CIPAV) used by the FBI became widely known in 2007. The CIPAV collects identifying data from a suspect's computer, such as its IP address, Ethernet MAC address, list of running programs, default browser type, and last visited URLs, and sends that data to an FBI server in order to identify the computer and its user even when the user attempts to hide behind proxies or anonymizing services. The CIPAV may be delivered through phishing, i.e., by luring the targeted user into clicking a link to a website that serves the CIPAV.

In 2007, the software allowed the FBI to track down a 15-year-old student suspected of sending bomb threats to a high school in Washington State. In this case, the CIPAV was delivered through a link posted in a MySpace chat room. It is important to note that the U.S. Foreign Intelligence Surveillance Court has also approved the CIPAV as a tool for detecting potential terrorist attacks. Empowered by the amended Rule 41, the FBI may send links to websites serving the CIPAV to thousands of suspected terrorists, some of whom may be innocent individuals.

Network Investigative Technique

The Network Investigative Technique (NIT) is software used by the FBI to identify the perpetrators of digital crimes. Like the CIPAV, the NIT is malware that begins sending identifying data to the FBI as soon as it runs on a targeted computer. The NIT was recently used to identify visitors to the child pornography website "Playpen", which operated as a Tor hidden service. To identify the users of the website, the FBI seized the site and ran it from its own servers in the U.S. for a period of time. While it controlled the site, the FBI served the NIT to visitors' computers, where it collected each computer's real IP address and other identifying information and sent it to the FBI outside the Tor network, bypassing the anonymity the users relied on. The new version of Rule 41 may allow the FBI to deploy the NIT and similar software from popular websites and thus infect the computers of thousands of victims of botnet attacks.

Exploiting security vulnerabilities

After the terrorist attack in San Bernardino in 2015, the FBI faced the difficult task of accessing data stored on the iPhone of one of the attackers. The task was difficult because the phone was set to erase all of its data after 10 incorrect passcode entries. Instead of guessing passcodes, the FBI paid a group of professional hackers a one-time fee for information about a previously unknown security flaw in the iPhone's software. Using that information, the FBI succeeded in extracting evidence from the phone. Relying on the amended Rule 41, the FBI could purchase information about security vulnerabilities in widely used devices (e.g., the iPhone) and hack a large number of such devices remotely.

Conclusion

In this article, we have shown that the approved changes to Rule 41 would allow the FBI to hack a practically unlimited number of computers under a single warrant. Those computers may, for example, belong to victims of botnet attacks. It is not clear whether the innocent users of computers hacked by the FBI will be notified of the hacks. Thus, the amended Rule 41 may seriously compromise the privacy of millions of innocent U.S. and non-U.S. residents.

These threats did not go unnoticed by U.S. Senators. On 19 May 2016, Senators Ron Wyden and Rand Paul introduced the Stopping Mass Hacking (SMH) Act, which would prevent the changes to Rule 41 from taking effect. In this context, Senator Wyden stated that: "Unless Congress acts before December 1, Americans' security and privacy will be thrown out the window and hacking victims will find themselves hacked again - this time by their own government."

Sources

Apuzzo, M., 'F.B.I. Used Hacking Software Decade Before iPhone Fight', The New York Times, 13 April 2016. Available at http://www.nytimes.com/2016/04/14/technology/fbi-tried-to-defeat-encryption-10-years-ago-files-show.html?_r=0 .

Brandom, R., 'Supreme Court approves legal authority to hack anonymous computers', The Verge, 29 April 2016. Available at http://www.theverge.com/2016/4/29/11536348/supreme-court-approval-fbi-anonymous-hack .

'Child Porn Sting Goes Global: FBI Hacked Computers in Denmark, Greece, Chile', Motherboard, 22 January 2016. Available at https://motherboard.vice.com/read/child-porn-sting-goes-global-fbi-hacked-computers-in-denmark-greece-chile .

'Cops arrest teen for hack and leak of DHS, FBI data', FoxNews.com, 13 February 2016. Available at http://www.foxnews.com/politics/2016/02/13/cops-arrest-teen-for-hack-and-leak-dhs-fbi-data.html .

Gibbs, S. 'FBI reportedly paid professional hackers to gain access to San Bernardino iPhone – report', The Guardian, 13 April 2016. Available at https://www.theguardian.com/technology/2016/apr/13/fbi-reportedly-paid-professional-hackers-gain-access-san-bernardino-iphone .

'In a First, Judge Throws Out Evidence Obtained from FBI Malware', Motherboard, 20 April 2016. Available at https://motherboard.vice.com/read/in-a-first-judge-throws-out-evidence-obtained-from-fbi-malware.

Lynch, D. J., 'US justice department seeks to expand FBI's hacking powers', Financial Times, 25 April 2016. Available at http://www.ft.com/intl/cms/s/0/892545e2-08bb-11e6-b6d3-746f8e9cdd33.html .

Lyngaas, S., 'Senators seek to block expanded hacking powers for FBI', FCW.com, 20 May 2016. Available at https://fcw.com/articles/2016/05/20/hacking-fbi-block.aspx .

'Mobster's Son Pleads Guilty After FBI Taps Into Computer', Los Angeles Times, 1 March 2002. Available at http://articles.latimes.com/2002/mar/01/news/mn-30499 .

Nakashima, E., 'FBI paid professional hackers one-time fee to crack San Bernardino iPhone', The Washington Post, 12 April 2016. Available at https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html .

Prupis, N., 'Supreme Court Quietly Approves Rule to Give FBI 'Sprawling' Hacking Powers', CommonDreams, 29 April 2016. Available at http://www.commondreams.org/news/2016/04/29/supreme-court-quietly-approves-rule-give-fbi-sprawling-hacking-powers .

'Second Judge Argues Evidence From FBI Mass Hack Should Be Thrown Out', Motherboard, 27 April 2016. Available at http://motherboard.vice.com/read/second-judge-argues-evidence-from-fbi-mass-hack-should-be-thrown-out .

Sullivan, B., 'FBI software cracks encryption wall', NBC News, 20 November 2001. Available at http://www.nbcnews.com/id/3341694/ns/technology_and_science-security/t/fbi-software-cracks-encryption-wall .

'The Global Black Market Prices', Trend Micro. Available at http://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-market-for-stolen-data/#section-2 .

Thomas, K., 'Nine bad botnets and the damage they did', Welivesecurity, 25 February 2015. Available at http://www.welivesecurity.com/2015/02/25/nine-bad-botnets-damage/ .

Thomson, I., 'FBI: Er, no, we won't reveal how we unmask and torpedo Tor pedos', The Register, 29 March 2016. Available at http://www.theregister.co.uk/2016/03/29/fbi_tor/ .

'US Supreme Court approves expanded hacking powers', BBC, 29 April 2016. Available at http://www.bbc.com/news/technology-36169019 .

Yadron, D., 'Supreme court grants FBI massive expansion of powers to hack computers', The Guardian, 29 April 2016. Available at https://www.theguardian.com/technology/2016/apr/29/fbi-hacking-computers-warrants-supreme-court-congress .

Zetter, K., 'Everything We Know About How the FBI Hacks People', Wired, 15 May 2016. Available at https://www.wired.com/2016/05/history-fbis-hacking/ .


Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master's degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.