17.03.2025

How the FBI buys vulnerabilities on the “gray market”

The FBI and the NSA have the resources to hack devices themselves, but they often outsource the job to third-party hackers and companies that operate in the “gray market”.

In official statements to the public and to the U.S. Congress, the FBI has repeatedly provided inflated figures on the number of encrypted mobile devices involved in criminal investigations. This was needed to justify measures against the so-called Going Dark problem, in which law enforcement agencies are unable to access information because of what they consider excessive encryption.

In particular, in January 2018 FBI Director Christopher Wray spoke of 7,800 smartphones that agency staff had been unable to access over the preceding seven months in 2017. The Washington Post, citing its sources, asserted that the number was greatly exaggerated: in fact, the FBI had failed to crack between 1,000 and 2,000 devices.

After that, the FBI acknowledged its mistake: “A counting error led to a significant overstatement of the number of mobile devices. Going Dark remains a serious problem for the FBI and for other federal, state, local and international law enforcement agencies. The FBI will continue to work on this problem, which will provide law enforcement access to evidence of criminal activity in accordance with the law,” the FBI statement reads.

In most cases, an encrypted device can be cracked by using a zero-day (0-day) vulnerability: an unpatched flaw, and the malware that exploits it, against which no protective mechanisms have yet been developed.

Agencies like the FBI have the skills and resources to hack devices themselves, but they also outsource the job to third-party hackers and companies operating in the “gray market”, where government and corporate customers are offered hacking services, including ones based on the exploitation of zero-day vulnerabilities.

The FBI has increased pressure on technology companies to give the agency access to encrypted devices when necessary. A high-profile case occurred in 2016, when the FBI demanded that Apple unlock an iPhone belonging to one of the San Bernardino shooters. The company refused to comply, and in the end the FBI had to find other ways to hack the device: it paid about $1.3 million to a “gray market” company for an exploit, that is, for a “hole” in the operating system that allows access to the device.

In 2012 it became known that the U.S. National Security Agency (NSA) had bought data on vulnerabilities in Internet sites from the private French company VUPEN. The one-year contract between VUPEN and the NSA was concluded on September 14, 2012. According to media reports, the NSA allocated $25.1 million for the purchase of exploits in 2013.

Earlier, VUPEN had cooperated with NATO representatives. According to company representatives, they do sell their information to military and intelligence agencies, but work only with “credible democratic countries.” The company later closed, but in 2015 it continued operating under the name Zerodium.

While VUPEN was mainly engaged in developing its own exploits, Zerodium not only has its own team of developers but also acquires exploits and vulnerabilities from third parties. Zerodium representatives often run “promotions” for information security researchers, temporarily raising the payouts for one class of bugs or another. For example, in September of last year Zerodium offered a million dollars for bugs in Tor Browser.

This time, company representatives announced that until March 31, 2018 the payout for a vulnerability allowing local privilege escalation in Linux would be increased. Under normal circumstances, an exploit for such a 0-day vulnerability would bring its author $30 thousand, but until the end of March the rate was raised to $45 thousand.

For federal agencies, there is one major incentive to use the “gray market”: it allows them to circumvent the Vulnerabilities Equities Process (VEP), which determines whether information about a vulnerability discovered by government employees or contractors is disclosed.

“Government institutions are required to classify and/or transfer for further processing, in accordance with the privacy policies of the department or agency, vulnerabilities discovered by government agencies or by external organizations that are government contractors, as well as those detected and provided to U.S. government agencies by private individuals and companies and/or foreign allies, prior to the beginning of the documentation process,” the document says.

The document contains a loophole: the government does not need to follow the VEP if information about a zero-day vulnerability is purchased under contractual restrictions, such as non-disclosure agreements. Thus, using “gray” hackers allows the FBI to withhold information about a vulnerability and use it in the future.

Many vulnerabilities remain relevant for a very long time. In 2017 the RAND Corporation published a study called “Zero Days, Thousands of Nights”. For this analysis, the experts examined more than 200 zero-day vulnerabilities and exploits for them, collecting data over the preceding 14 years, i.e. from 2002 to 2016. In particular, this list includes exploits for Microsoft platforms and Linux, as well as attacks against Mozilla, Google and Adobe products.

The first and one of the most interesting figures in the report is the average lifetime of a 0-day vulnerability and its exploit. It turned out that zero-day vulnerabilities live on average 6.9 years, i.e. 2,521 days. A quarter of vulnerabilities remain in 0-day status for only half a year, while another quarter remain relevant even after nine and a half years.
