For First Time Ever, FBI Acknowledges Use Of Zero-Day Software Exploits

0
32

The head of the FBI’s science and technology division just admitted what no other FBI official has ever acknowledged –  that the FBI sometimes exploits “zero-day” vulnerabilities to locate and apprehend criminals.

Amy Hess, who is the FBI’s executive assistant director of the science and technology division, oversees the FBI’s Operational Technology Division (OTD). The Washington Post published a profile on Hess in its Tuesday edition. In the article, Hess touched upon the use of zero-days, which are attack codes that exploit vulnerabilities in products that remain unpatched. In most cases, the vulnerabilities are unknown to the organization or company that designed the product.

The article, written by reporter Ellen Nakashima, also discusses the controversial issue of the FBI’s use of stingrays, which are cell site simulators that mimic cellphone towers in order to elicit signals from mobile phones in a specific area, including those from innocent civilians. The FBI has never offered up any information about its use of stingrays, and it has gone so far as to make sure local and state law enforcement sign non-disclosure agreements.

Hess, however, is adamant that the FBI never imposes gag orders on local police. Moreover, she said that the FBI has no objection to revealing the use of the tool. She notes that it is the  “engineering schematics” that the FBI wants protected.

Another group in the FBI that remains mysterious is the OTD’s Remote Operations Unit. In that unit, engineers and technicians with a warrant hack computers to identify suspects.

Privacy advocates worry that in order to conduct its computer hacks, the FBI uses “zero-day” methods that utilize software flaws to its advantage, and that those flaws are not disclosed to the maker of the software. They argue that by doing so, the FBI makes consumers using the software vulnerable.
Hess claimed that the trade-off is something the FBI considers. “What is the greater good – to be able to identify a person who is threatening public safety? Or – to alert software makers about the bugs in their products. How do we balance that? That is a constant challenge for us.”

Stay Connected