updated 01:14 pm EDT, Fri August 2, 2013
Exploits, malware, tools purchased by FBI for remote surveillance hacks
The Federal Bureau of Investigation is able to listen into and record conversations through microphones connected to computers, as well as through Android smartphones, according to a report. The bureau is said to have used hacking tools, including spyware and other malware, that it has purchased from individuals and hacker collectives to gain access to mobile devices, in order to eavesdrop.
The report by the Wall Street Journal claims that the FBI uses these hacking tools under court orders, in order to intercept communications that cannot normally be wiretapped. The process, known as "going dark" by law enforcement, not only uses bought hacking tools but also those of the FBI's own creation. The FBI "hires people who have hacking skill, and they purchase tools that are capable of doing these things," a former agency official within the FBI's cyber division told the report, though the source stresses that such surveillance methods are used when "you don't have any other choice."
The extent of intrusions and methods is largely unknown, though there have been instances where they have surfaced. A keylogger was installed on a mobster's computer in 2001 in order to gain a password used to protect a document, with defendant Nicodemo Scarfo Jr. later being convicted. The methods used are also not restricted to online attacks over e-mail or malicious URLs, as it is claimed that in some cases FBI technicians have gained physical access to offline or well-protected computers, installing malicious software using a USB thumb drive.
The FBI has a history of technology-based surveillance. It has also previously asked Internet companies to provide surveillance backdoors, stands to benefit from CISPA, and is also involved in the ongoing PRISM scandal alongside the NSA. While PRISM is effectively the ongoing collection of online and telecommunications data, the monitoring of individuals directly through notebooks and smartphones is only performed on a case-by-case basis, and extremely sparingly.
Civil-liberties organizations believe that the hacking tools could be misused by bureau staff, with the American Civil Liberties Union asking for a debate on possible legal guidelines for the practice. "People should understand that local cops are going to be hacking into surveillance targets," said principal ACLU technologist Christopher Soghoian, who will be talking at DefCon later today about the law enforcement hacker tool industry.
Senior counsel at Perkins Coie LLP Mark Eckenwiler states that search warrants are required to retrieve files from a computer, and that ongoing surveillance would require a similar strict standard of adherence, similar to that of wiretaps. Eckenwiler, previously an authority on federal criminal surveillance law for the Justice Department, also suggests that the requirements from a court would be lower for metadata-based surveillance, which would usually consist of information that certain parties communicated but not what the messages were about, especially if done without physical access to the system.
While the report mentions Android smartphones, it is not clear if anything similar is being orchestrated on iOS devices, though this is unlikely. Operating systems of notebooks were also not disclosed in the story.