The developers of a privacy-focused operating system championed by Edward Snowden are scrambling to find out the details of a hack that the FBI used—and Facebook paid for—to unmask a child predator.
Last week, Motherboard revealed that Facebook had paid six figures to a cybersecurity firm to develop a hacking tool that the company then handed to the FBI in 2017. At the time, Facebook and law enforcement had spent years tracking a California man, who went by the name of Brian Kil online. The man, whose real name was Buster Hernandez, was using Facebook to harass and extort teenage girls, forcing them to send nude pictures of themselves, threatening to kill them and muder their friends.
The hacking tool relied on an unknown flaw—also called a zero-day in hacker lingo—in the default video player included in Tails, a well-known Linux-based operating system that’s used by journalists, dissidents, human rights activists, and security-focused users all over the world. For example, Tails is part of the anonymous tip submission system SecureDrop, which is used by dozens of newsrooms all over the world, including VICE.
Tails’ key feature is that all internet traffic gets routed through Tor, a network that encrypts and anonymizes connections, masking the users’ real IP address.
“They should have been notified.”
The exploit funded by Facebook allowed FBI agents to identify the user's real IP address, which then allowed them to identify Brian Kil as Hernandez. Technically speaking, this hack could have been used against activists and other sensitive people by law enforcement or authoritarian governments. Motherboard reported that Facebook did not inform Tails of the exploit, and decided it was OK to use it because Tails was incidentally patching out the exploit as part of an unrelated update.
But Tails developers, as well as privacy and security experts, agree that, update or not, Facebook should have alerted Tails once the FBI operation was over. Three years later, that has not happened yet, and the Tails developers, as well as the makers of the popular media player, called GNOME Videos, said they found out about all this through Motherboard’s article.
“The only way for Tails to be sure that every single aspect of the zero-day is indeed fixed already is to learn about the full details of the zero-day,” a Tails spokesperson said in an email, arguing that it’s possible that the flaw relied on a chain of other flaws that may still be partially unpatched. “Without these full details, we cannot have a strong guarantee that our current users are 100 percent safe from this zero-day as of today.”
Tails said that neither Facebook, the FBI, nor the cybersecurity firm hired by Facebook, has reached out to the developers—even after they reached out asking for an explanation.
Do you work or did you use to work at Facebook? Do you work for the FBI or develop hacking tools for law enforcement? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
The developers of the targeted video player said they haven’t heard from anybody either.
“GNOME was not previously aware of this story, and is not able to guess which vulnerability might have been exploited,” a spokesperson for the GNOME Project, the developers of a free and open source desktop environment and the GNOME Videos player, which are both included in several Linux distributions such as Ubuntu, told Motherboard in an email.
The GNOME spokesperson said that they appreciated Facebook planning to report the vulnerability before discovering it was apparently already fixed, but many people who use their software may still be running an unpatched version. That’s why they expect the FBI or Facebook to contact them to make sure they can alert all users.
“The security of law-abiding users is jeopardized when such vulnerabilities are not disclosed to us in a timely manner,” the spokesperson wrote.
Facebook said they made an effort to reach out to Tails in the last week, and had confirmation from the FBI that this technique would be used for this case only. (The Tails spokesperson said that, as of Thursday, they had not heard from Facebook.)
I asked an FBI spokesperson whether the FBI used the hacking tool funded by Facebook in other cases, whether it still is in possession of it, and whether it submitted it to a government process that determines whether agencies should keep the flaw secret or notify the software makers, technically known as the Vulnerabilities Equities Process or VEP.
“Appreciate you following up, but we still don't have a comment for you,” the FBI spokesperson said.
It’s unclear whether the zero-day flaw that the exploit relied on has been fixed. When they helped develop and paid for it, Facebook realized it was going to be fixed in an upcoming release, so they decided not to alert Tails developers, according to a former Facebook employee who worked on the project.
That’s perhaps beside the point. Should Facebook, the FBI, of the cybersecurity firm, have alerted Tails or GNOME after Buster Hernandez was safely behind bars?
“They should have been notified,” a current Facebook employee, who asked to remain anonymous because they were not allowed to speak to the press, told Motherboard.
According to several privacy and security experts, the answer is a resounding yes as well. In fact, many think Facebook should not have gotten involved in making and paying for the hacking tool in the first place.
”Facebook is out of control at best and is making the world less safe for people who need anonymity to survive.”
“The fact that Facebook or any private company would think they had the right to commission the creation of malware against another software entity is so incredibly arrogant,” said Katie Mossouris, who used to lead the vulnerability research teams at Microsoft and Symantec and is one of the world’s most well-known experts on coordinated disclosure. “Security professionals worth their salt are worried about governments not making the right call when it comes to making decisions in the Vulnerability Equities Process, and we’re all supposed to be fine with that kind of decision resting in Facebook’s hands?”
According to Moussouris, what Facebook did in this case “is more evidence that Facebook is out of control at best and is making the world less safe for people who need anonymity to survive.”
Moussouris used the facepalm emoji when describing how she felt when she read the Motherboard story that revealed Facebook’s role in the hacking of Hernandez.
“I didn’t think a vulnerability disclosure story could possibly horrify me after all these years, but here we are,” she said in an online chat.
Harlo Holmes has been developing tools for journalists and activists for years, and now helps media organizations set up SecureDrop and trains their journalists to use tools such as Tails. Holmes said that Facebook needs to be more transparent as to what the vulnerability was exactly, and what the agreement with the FBI was.
"What was in that contract? Was it a one time use license against this one actor? Or did they just hand it over to the FBI and be like 'now this is in your arsenal now'?" Holmes said in a phone call. “Those are very, very key questions.”
Moreover, she said that it’s hard to understand how Facebook thought it would be OK to help the FBI hack a child molester, while the company is also suing the spyware maker NSO Group for using WhatsApp to help their customers hack targets.
"The hypocrisy is absolutely wild," she said. “More hackers should learn about the ethics of what we do, and this is a textbook example.
Subscribe to our new cybersecurity podcast, CYBER.
This article originally appeared on VICE US.