Examining an FBI Hacking Warrant

By Nicholas Weaver
Wednesday, March 16, 2016, 8:11 AM

The FBI regularly hacks systems; this is the primary method it employs to get around Tor and other anonymity techniques. The FBI calls this hacking a "Network Investigatory Technique" or NIT. As a technologist, I actually endorse warrant-based FBI hacking. FBI hacking doesn't add weaknesses to the systems—in sharp contrast to backdoors—and the search conducted by a NIT is constrained by the NIT's code.

When you examine a warrant, such as the one from the infamous Playpen case where the FBI used a NIT to hack hundreds of computers, the warrant itself appears reasonable: it particularly describes what it will search for and whom it will search. Although the set of users affected is large, the warrant states particularized probable cause for every single search it authorizes. This particular warrant has survived at least one motion to dismiss.

But this otherwise reasonable warrant has a major problem. As we’ve seen with Stingrays and other technical means, the government’s choice of language describing the technique is deliberately deceptive.

How does the FBI describe the NIT's operation?

In the normal course of operation, websites send content to visitors. A user's computer downloads that content and uses it to display web pages on the user's computer. Under the NIT authorized by this warrant, the TARGET WEBSITE, which will be located in Newington, Virginia, in the Eastern District of Virginia, would augment that content with additional computer instructions. When a user's computer successfully downloads those instructions from the TARGET WEBSITE, located in the Eastern District of Virginia, the instructions, which comprise the NIT, are designed to cause the user's "activating" computer to transmit certain information to a computer controlled by or known to the government. That information is described with particularity on the warrant (in Attachment B of this affidavit), and the warrant authorizes obtaining no other information. The NIT will not deny the user of the "activating" computer access to any data or functionality of the user's computer.

The problem with the warrant's language is that the "instructions" in the NIT are not normal. The warrant implies that the NIT is using the normal behavior of the user's system, but in reality the NIT must first exploit the user's computer in order to inject the NIT payload, which conducts the actual search. If you used a NIT against an FBI computer, for example, they'd prosecute you for "exceeding access" under the Computer Fraud and Abuse Act.

A more accurate description would read:

In the normal course of operation, websites send content to visitors. A user's computer downloads that content and uses it to display web pages on the user's computer. The program which interprets this content can contain vulnerabilities, conditions where the content enables the web site to issue direct commands to the user's computer. The information needed to take advantage of this condition is commonly called an "exploit." The exploit can have an associated "payload", a set of commands which the exploit causes the user's computer to execute.

Under the NIT authorized by this warrant, the TARGET WEBSITE, which will be located in Newington, Virginia, in the Eastern District of Virginia, would augment that content with additional computer instructions. When a user's computer successfully downloads the instructions containing the exploit from the TARGET WEBSITE, the exploit will cause the user's computer to download the payload which comprises the remaining portion of the NIT. The exploit is specifically engineered to not intentionally deny the user of the "activating" computer access to any data or functionality of the user's computer.

The payload itself is designed to cause the user's activating computer to transmit certain information to a computer controlled by or known to the government. That information is described with particularity on the warrant (in Attachment B of this affidavit); the warrant authorizes obtaining no other information, and the payload as delivered to the user's computer is not capable of collecting any other information. After the payload completes the search, it removes both itself and the exploit from the user's computer. The payload is specifically engineered to not intentionally deny the user of the "activating" computer access to any data or functionality of the user's computer.

This kind of description would make clear that the NIT itself is designed to exploit the target, but that the NIT is constrained in what it searches for and does not intend to disrupt the user's computer (though such disruptions may occur anyway). A sensible magistrate would likely not change their ultimate decision based on this more honest description of what the FBI is doing with its NIT.

There are other potential problems. Notably, there is no user list—although it is easy to argue that this NIT warrant does establish probable cause for every user targeted. The request also obscures the fact that it requires searching outside the jurisdiction under Rule 41 (an issue which will no longer apply if the proposed changes to the rule are approved).

It is corrosive for the FBI, as it seeks authorization to hack hundreds of computers, to effectively deceive the court about its intentions. And here, an honest warrant would work just as easily as the misleading one. It raises the question: Is it simply part of the FBI's DNA to attempt to deceive the court?