FBI Spies on Suspected Criminals by Hacking Into Computers



LAS VEGAS — To monitor and surveil suspected criminals, the Federal Bureau of Investigation hacks into their computers and smartphones, installing malware and so-called spyware on those devices. For these operations, the FBI uses the services of contracting companies, information that has come to light mainly due to research performed on LinkedIn.


The feds are increasingly using these tactics, which are typically employed by cybercriminals, to access a target's communication when they don't have another lawful way of doing it, as first reported by The Wall Street Journal. It's the FBI's answer to what they call "going dark" — when certain communications can't be easily wiretapped.



"There will always be very sophisticated criminals who use communications modalities that are virtually impossible to intercept through traditional means," FBI's Valerie Caproni said at a congressional hearing in 2011. "The government understands that it must develop individually tailored solutions for those sorts of targets."


For Christopher Soghoian, principal technologist at the American Civil Liberties Union, when Caproni says "tailored solutions," she actually means something else.


"What she means is hacking and malware," Soghoian said in a presentation on the topic at the hacking conference Def Con on Friday.


The arm of the FBI responsible for these kinds of operations is the Remote Operations Unit (ROU). To get access to a potential criminal's computer, the unit develops its own hacking and spying tools, but sometimes it gets them from contracting companies, which send employees to help the feds in their operations.


It was Soghoian himself who noticed the name of that unit in a heavily redacted document (.PDF) obtained by the digital rights advocacy group Electronic Frontier Foundation. That unit piqued his curiosity and he spent six months researching it online, mainly using open source intelligence, i.e., Google and LinkedIn. His online research is what led to the WSJ scoop.


"What I found is that the FBI is in the hacking business too," Soghoian said.


Soghoian first found materials on training seminars for prosecutors that listed the ROU's Unit Chief as a speaker. His name is Eric Chuang. Just by googling his name, Soghoian found a Zoominfo page that described Chuang's job as "lawful computer collection capabilities in support of FBI investigations."


His LinkedIn research also led to more information. Specifically, Soghoian found who else is in the hacking business along with the FBI: "A couple" of companies claim to supply people to the FBI for these operations.


"Contractors, like everyone else, they want to keep their resume up to date, in case they get a new job," explained Soghoian to a large crowd packed inside the Penn and Teller Theater at the Rio Hotel. "And they list things in their resume, maybe things they shouldn't be listing, revealing what they did at their old job."


Soghoian quoted from the profiles (that appear to have been removed or hidden) of two employees of James Bimen Associates, a government contractor based in Virginia. "Worked with FBI case agents with our surveillance imagery software that is currently installed on criminal subject machines in the field," read one, according to Soghoian.


It's with the help of these contractors that the FBI gets access to computers. That access is sometimes gained via email phishing attacks that lead a suspect to install malware on their computer. The malicious software then allows the FBI to turn on the microphone or camera on the suspect's smartphone and laptop. Other times, according to officials who spoke to the WSJ, they use zero-day exploits, security holes that haven't been patched yet.


Mark Eckenwiler, a former federal prosecutor and surveillance law expert, told the WSJ that these techniques might be illegal without a search warrant, unless they only concerned metadata, in which case a lower standard court order might be enough.


Regardless of the current law, Soghoian notes that the hacking operations have been performed in the dark, without public discussion.


"There hasn't been a debate in Congress about the FBI getting into the hacking business, there hasn't been any legislation giving this power, this just sort of happened out of nowhere," Soghoian said. "Had it not been for the sloppy actions of a few contractors eagerly updating their LinkedIn profiles, we would've never known about this."


Image: Alex Wong/Getty Images

