FBI ‘Can Eavesdrop Via Android Phones, Laptops’

The US Federal Bureau of Investigation (FBI) is expanding its use of hacking tools, including systems that allow it to remotely activate the microphones in smartphones and laptops in order to record conversations, according to a Thursday report by the Wall Street Journal.

The technology used by the FBI includes capabilities that allow it to eavesdrop via smartphones running Google’s Android software, the report said, citing an unnamed former US official. Google declined to comment.

Growing use

The FBI’s use of hacking tools under court orders has grown with the proliferation of new communications technologies, the report said, citing unnamed people familiar with the FBI’s programmes. The FBI’s hacking efforts are led by a group called the Remote Operations Unit, the report said. The FBI declined to comment.

The FBI’s efforts are more targeted than the mass data acquisition carried out by the NSA under the recently disclosed PRISM programme.

The FBI uses both hacking tools developed internally and tools purchased from the private sector, according to the report. Law enforcement officials reportedly deploy the hacking tools using techniques usually associated with criminals, for example distributing spyware through links in emails or web pages and exploiting software vulnerabilities in order to implant code on a user’s system.

The bureau reportedly uses such techniques in cases related to organised crime, child pornography or counterterrorism, but avoids such methods when investigating hackers, in order to avoid the possibility of the techniques being discovered and publicised.

The use of hacking techniques by law enforcement has been publicly disclosed in a few cases. For example, earlier this year court documents in a Texas identity-theft case revealed a federal warrant application to use software that would extract files from a user’s computer and use the system’s camera to take pictures, according to the Journal report. That application was denied in part due to the judge’s privacy concerns.

The FBI has been using software to gather data such as a computer’s IP address, lists of programs running and other data since at least 2005, according to documents disclosed in 2011 and cited in the report. Such tools were reportedly used in a 2007 case to trace a person who was later convicted of emailing bomb threats in the state of Washington.

Oversight

While the use of such technology requires permission from a court, such as a search warrant or a wiretap order, civil liberties advocates argue that the FBI’s cyber-surveillance activities do not have sufficient oversight.

“The FBI got into the hacking business without a public Congressional hearing or passage of any law clearly permitting them to do so,” said Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union in a Friday Twitter post. “Hacking is only a crime when you do it. When the FBI does it, it is called law enforcement.”

He confirmed comments related in the Journal’s report that FBI access to metadata such as IP addresses and the “to” and “from” lines in emails would require a court order under a less strict standard than a search order or wiretap. However, an official at the US Justice Department pointed out that in the 2007 case law enforcement agents sought a search warrant even though only metadata was collected.

Soghoian, who will present a talk on the issue of government hacking at the DefCon security conference in Las Vegas on Friday, suggested that in some cases the FBI uses zero-day flaws – which can be bought from private-sector firms such as French outfit VUPEN – to install spyware on users’ systems.

“The next time a zero-day is made public remember the FBI has probably been using it for several weeks or months,” he said in a Twitter post.

Privacy fight

In other cases government agents have secretly gained physical access to suspects’ machines in order to install spyware using a USB drive, the Journal reported, citing a former US official.

Earlier this month the Electronic Frontier Foundation (EFF) warned that Android’s data backup feature could be providing users’ Wi-Fi passwords to agencies such as the NSA and the FBI. The EFF noted that since the feature stores passwords in plain text, Google is obliged to hand over the data to law enforcement authorities if asked.

In March a US court ruled that FBI letters demanding citizens’ data went against the First Amendment of the US Constitution. The decision was handed down after an unnamed telecommunications company, represented by the Electronic Frontier Foundation (EFF), contested a National Security Letter (NSL). Such letters are used by the FBI to demand customer data from communications providers without the need for court approval, and prevent any public disclosure that the demands were ever even sent.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
