Agencies such as the FBI and the NSA have the resources to hack into devices themselves, but they often outsource this work to outside hackers and to companies operating in the gray market.
In official statements to the public and to the US Congress, the FBI has repeatedly provided inflated figures for the number of encrypted mobile devices involved in criminal investigations. These figures served to justify measures against the so-called Going Dark problem, in which law enforcement agencies cannot gain access to information because of encryption that they consider unnecessary.
In particular, in January 2018 FBI Director Christopher Wray spoke of 7,800 smartphones that the agency had been unable to access in the last seven months of 2017. The Washington Post, citing its sources, reported that this number was greatly exaggerated and that in fact the FBI had failed to crack between 1 thousand and 2 thousand devices.
After that, FBI representatives admitted the mistake in a statement: “An error in the counting program led to a significant overestimation of the number of mobile devices. Going Dark remains a serious problem for the FBI, as well as other federal, state, local and international law enforcement agencies. The FBI will continue to address this issue, which will provide law enforcement with access to evidence of criminal activity in accordance with the law,” the FBI said.
In most cases, encrypted devices are cracked using 0-day vulnerabilities, that is, vulnerabilities that have not yet been fixed, as well as malicious programs against which defense mechanisms have not yet been developed.
Agencies like the FBI have the competence and resources to crack devices on their own, but they also outsource this work to third-party hackers and to companies working in the “gray market”, which offer hacking services to government and corporate clients, including services based on the exploitation of zero-day vulnerabilities.
The FBI is putting increasing pressure on technology companies to give the agency access to encrypted devices when it deems this necessary. The loudest case came in 2016, when the FBI demanded that Apple unlock an iPhone that had belonged to one of the San Bernardino shooters. The company refused to comply, so the FBI had to look for other ways to hack the device. In the end, the FBI paid a gray market company about $1.3 million for an exploit, that is, a description of a “hole” in the operating system through which the device could be accessed.
In 2012 it became known that the US National Security Agency (NSA) bought vulnerability data from a private French company, VUPEN. A one-year contract between VUPEN and the NSA was concluded on September 14, 2012. According to media reports, the NSA allocated $25.1 million to the purchase of exploits in 2013.
VUPEN had previously collaborated with NATO representatives. According to the company's representatives, they do sell their information to the military and intelligence services, but cooperate only with “trustworthy democratic countries.” The company later closed, but in 2015 it resumed operation under the name Zerodium.
While VUPEN was primarily engaged in developing its own exploits, Zerodium not only has its own development team but also acquires exploits and vulnerabilities from third parties. Zerodium representatives often run a kind of promotion for information security researchers, temporarily increasing the payouts for certain classes of bugs. For example, in September of last year Zerodium offered a million dollars for bugs in Tor Browser.
This time, company representatives announced that until March 31, 2018 the payouts for vulnerabilities allowing local privilege escalation in Linux would be increased. Under normal circumstances an exploit for such a 0-day vulnerability would earn its author $30 thousand, but until the end of March the “tariff” was raised to $45 thousand.
There is one significant incentive for federal agencies to use the gray market: it allows them to circumvent the Vulnerabilities Equities Process (VEP), which determines whether information about vulnerabilities discovered by government agencies or their contractors is subject to disclosure.
“Government agencies are required to classify and/or transfer for further processing, in accordance with the secrecy policies of a particular department or agency, vulnerabilities discovered by government organizations or third-party organizations that are contractors of government organizations, and also discovered and provided by private individuals and companies and/or foreign government allies of US organizations, before the documentation process begins,” the document says.
There is a loophole in the document: the government does not have to follow the VEP if information about a “zero day” vulnerability is purchased under contractual restrictions such as non-disclosure agreements. Thus, using gray market hackers allows the FBI to keep information about a vulnerability to itself and to use it in the future.
Moreover, many vulnerabilities remain relevant for a very long time. In 2017 RAND Corporation published a study called “Zero Days, Thousands of Nights”. For this analysis, the experts examined more than 200 zero-day vulnerabilities and the exploits for them, collecting data for the last 14 years, that is, from 2002 to 2016. The list includes exploits for Microsoft and Linux platforms, as well as attacks against products of Mozilla, Google and Adobe.
The first and one of the most interesting numbers in the report is the lifetime of the average 0-day vulnerability and the exploits for it. It turned out that zero-day vulnerabilities live on average 6.9 years, i.e. 2521 days. At the same time, a quarter of vulnerabilities retain 0-day status for only a year and a half, while another quarter remain relevant even after nine and a half years.