It was revealed this week that a foreign cyberweapons dealer sold the Federal Bureau of Investigation spyware that came preinstalled with a backdoor giving the developer remote access to the program.
The software, Remote Control Systems, was developed by the Milanese security firm Hacking Team, which was compromised last Sunday in a massive 400-GB data leak. RCS provides the FBI, along with numerous foreign agencies, the ability to attack, infect, and monitor targeted computers, according to the developer. It can also be used to remotely activate cameras and microphones, as well as intercept unsecured Skype calls and other voice-over-IP conversations.
After Hacking Team was itself hacked, the company asked its customers to shut down operations, according to Motherboard’s Lorenzo Franceschi-Bicchierai; however, Hacking Team was apparently fully capable of terminating operations on its own. “The company, in fact, has ‘a backdoor’ into every customer’s software, giving it ability to suspend it or shut it down—something that even customers aren’t told about,” wrote Franceschi-Bicchierai.
“It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads,” wrote American cryptographer Bruce Schneier, likely referring to some of Hacking Team’s more disreputable customers. “I don’t think the company is going to survive this.”
While examining the company’s leaked source code, researchers noted that Hacking Team had “backdoored” its own product, presumably granting them remote access when installed on a foreign device. Had it been discovered, the flaw could have allowed a computer hacker with moderate sophistication to breach the program’s defenses.
This knowledge, revealed only through the actions of a vigilante hacker, did not appear to phase FBI Director James Comey, who on Wednesday pressed Congress to grant law enforcement its own backdoor key to America’s online communications. In testimony, Comey described the security afforded to U.S. consumers through encryption as a “real national security problem.”
The FBI spent more than $775,000 on Hacking Team’s software, according to one invoice. In a leaked email, a company spokesman wrote, “the FBI unit that is using [RSC] seems like a pretty small operation and they have purchased RCS as a sort of back up to some other system they use.”
While access by a foreign company into a system that enables the Bureau to surreptitiously monitor the laptops and smartphones of suspected criminals would ostensibly be viewed as a significant security threat, the same cannot be said for its outlook on software protecting the privacy of law-abiding Americans.
“We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet, or a laptop—evidence that may be the difference between an offender being convicted or acquitted,” Comey told the Senate Judiciary Committee on Wednesday. “If we cannot access this evidence, it will have ongoing, significant impacts on our ability to identify, stop, and prosecute these offenders.”
“We live in a technologically driven society and just as private industry has adapted to modern forms of communication so too have the terrorists,” he later testified before the Senate Select Committee on Intelligence. “Unfortunately, changing forms of Internet communication are quickly outpacing laws and technology designed to allow for the lawful intercept of communication content.”
The confidence Comey has in the ability of the FBI to backdoor consumer products in a secure manner is not shared by everyone, however, including experts at the National Institute of Standards and Technology—the federal agency actually charged with recommending cybersecurity standards.
In late June, NIST formally revised its standards to remove a random number generator long-suspected of containing a National Security Agency backdoor. It was revealed through one of Edward Snowden’s disclosures that NSA had exerted pressure behind the scenes to have the generator, known as Duel_EC_DRBG, adopted in 2006.
“The basic question is, is it possible to design a completely secure system” that then allows the U.S. government exclusive access to encrypted data, Donna Dodson, the agency’s chief cybersecurity advisor told the Washington Post. “There’s no way to do this where you don’t have unintentional vulnerabilities.”
“NIST is one of the few parts of the government that employs technical experts,” Christopher Soghoian, principal technologist at the American Civil Liberties Union, told the Daily Dot. “When NIST’s cybersecurity people say this is a bad idea, I think we should listen.”
Concerns over the FBI’s proposal vary, but dissenting security experts agree that the main problem is not in the agency’s motivation—the FBI should, after all, have access to terrorists’ communications—but in the technical merit of its plan. The problem is, “it’s not feasible,” says Soghoian. “It’s a fantasy proposal and the reason they can make it with a straight face is because they don’t know anything about technology and most of the people they’re speaking to don’t know anything about it either.”
The idea that the FBI, or the NSA, can maintain secret a key that unlocks American’s secured conversations without it being compromised by hackers or foreign agents is ludicrous, says Soghoian. It’s a theory that might work in the classroom, he adds, but not in practice. “People are going to have to use it and they’re going to be using it on a regular basis. It’s going to have to be accessible… No technical expert would ever build this into their own system voluntarily.”
Photo via Bryan Viers/Flickr (CC BY ND 2.0)