FBI admits it uses hacker tools to investigate crimes

It's been keeping software security flaws secret to keep tabs on suspects. That could end up making some members of the public less safe.

Laura Hautala

The FBI acknowledged to The Washington Post that it uses hacking tools called "zero days" to track down criminals.

Jon Hicks/Corbis

If the FBI had to choose between telling you about a security hole on your computer or using it to snoop on bad guys, guess what? You'd be left open to hackers.

And apparently, that's been the case for a while.

The agency confirmed to The Washington Post on Wednesday that FBI agents use special hacking code to take advantage of known holes in software and further their investigations. They'll continue using these so-called zero-day exploits, but now there could be further scrutiny of the practice.

The exploits are controversial, and using them involves a trade-off that could end up making some members of the public less safe. So what exactly are these tools, and what does it mean that the FBI uses them?

Do you want to know a secret?

Zero-day exploits take advantage of flaws in common commercial software often used by the general public. To stay effective, the FBI has to use these exploits without telling the software manufacturers there's a problem with their products.

The flaws go unfixed then, leaving people vulnerable to hacks not just from law enforcement, but from cybercriminals as well.

"What is the greater good?" FBI official Amy Hess asked the Post. "To be able to identify a person who is threatening public safety?" Or to protect people from being hacked by patching software holes? Hess is the bureau's executive assistant director for science and technology.

Everybody else is doing it, so why can't we?

Zero-day exploits are hard to discover and expensive to buy, so experts say the hackers using them tend to be from organized crime rings or state-sponsored hacking groups.

Legitimate organizations can buy the exploits from security researchers who develop them based on flaws found in software, but it's a bit of a cloak-and-dagger affair, according to journalist Kim Zetter's book "Countdown to Zero Day." Security companies that have admitted to selling zero-day exploits to governments have suffered scorn from their peers in the cybersecurity industry.

Handing an exploit to a government buyer and letting the flaw remain unpatched leaves an opening for hackers to implant malicious software on computers. Such malware can collect banking information and create networks of hacked computers attackers can use on big targets like financial institutions and foreign governments.

Who else uses these exploits? Try the National Security Agency. It's not surprising, then, that the FBI also takes advantage of them. The difference is that the NSA is responsible for foreign spying, and the FBI investigates crime in the US, which means the government is hacking its own citizens.

Somebody's watching me

So the FBI's use of zero days is out in the open. What's next? Expect more discussion of what kinds of warrants the FBI should get to use the tools.

Privacy advocates warn that federal judges don't all understand the power of zero-day exploits, and so oversight of government hackers is too weak. It's the same argument that's arisen over the use of phony cell phone towers, often called Stingrays.

Police use Stingrays to collect all the phone numbers in a given area. A recent set of guidelines from the Department of Justice requires federal law enforcement to clear a higher bar to get permission from a judge to use Stingrays.

Andrew Crocker, an attorney at the Electronic Frontier Foundation, says the first step is finding out what the government's policy for using zero days is to begin with. He has sued to find out and has so far won a redacted version of the policy, which applies to the NSA as well as the FBI, he said. Nonetheless, he said the government might have a good reason for using a hacking tool.

"I don't think that we have ever said that they should never do this," Crocker said. Rather, he said it's about "making sure that this is being done in a way that makes sense from the public's point of view."

Correction, December 11 at 9:35 a.m. PT: This story has been updated with the correct spelling of Andrew Crocker's name.