In February, the FBI was ordered to provide the full malware code used to hack visitors of a dark web child pornography site to the defense in an affected case. Then the Department of Justice pushed back, and asked the judge to reconsider the decision.
But experts feel the FBI may be sitting on something much worse than a tool used to just catch suspected criminals: a vulnerability in the Firefox browser, a piece of software used by hundreds of millions of people all over the world.
"The Tor Browser is simply Firefox running in a hardened mode," Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, wrote on the Lawfare blog last week. Because the site the FBI took over was on the dark web, visitors typically had to use the Tor Browser to access it.
"While many Firefox exploits will not work against the Tor browser—particularly those relying on Flash—the converse is not necessarily true. To the contrary, any Tor browser exploit is almost certainly a Firefox exploit too," Weaver added.
In February 2015, the FBI seized child pornography site Playpen, and for 13 days ran it from a government facility in Virginia. During this time, the agency deployed what it calls a network investigative technique (NIT), or in other words, a hacking tool.
According to testimony provided by FBI Special Agent Daniel Alfin, "The NIT was deployed against users who accessed posts in the 'Preteen Videos—Girls Hardcore' forum because users accessing posts in that forum were attempting to access or distribute or advertise child pornography."
In a more recent affidavit, in response to claims from a technical expert held by the defense, Alfin wrote that, "As used here, a computer 'exploit' consists of lines of code that are able to take advantage of a software vulnerability," and added that "an 'exploit' allowed the FBI to deliver a set of instructions—the NIT—to Michaud's computer." Michaud is one of at least 137 people charged with child pornography offenses in the US as part of the investigation into Playpen, codenamed "Operation Pacifier."
"The FBI's strenuous efforts to shield their exploit from disclosure to me suggests that it likely still works."
The specifics behind NITs have been disclosed in the past: in a 2012 investigation also targeting suspected child pornography visitors on the dark web, the FBI used a Flash applet from the popular hacking suite Metasploit.
But this case is seemingly different, with the Department of Justice fighting to keep details of the technique used on Playpen under wraps, even though the code would only be provided to the defense and under a protective order.
"The FBI's strenuous efforts to shield their exploit from disclosure to me suggests that it likely still works," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an encrypted phone call. (Soghoian has been called as an expert by the defense in an affected case.)
If the vulnerability used to hack visitors of Playpen does affect Firefox as well as the Tor Browser, and it has yet to be plugged, "The government is essentially choosing to keep hundreds of millions of people vulnerable in case a few of them turn out to be criminals later," he said. Indeed, software vulnerabilities can be discovered by other parties, such as researchers, foreign governments, or criminals.
In an NSA presentation published by The Guardian in 2013, the presentator indicated that the agency needed a "native Firefox exploit" to target Tor Browser users, because of the add-ons bundled with the software, and the general security advice given to users.
But it's important to stress that it is not totally clear whether the FBI did use a zero-day vulnerability. There is the chance that the Department of Justice is trying to avoid revealing extra information about an already public issue or technique, although it's not immediately clear why that would be the case.
Using its NIT, the FBI obtained over a thousand IP addresses for US-based users of Playpen, according to a plea agreement in an affected case. A Europol presentation uncovered by Motherboard claims the agency has generated 3,229 cases as part of Operation Pacifier, including 34 in Denmark. Motherboard also found cases in Chile, Greece and the UK, and potentially related arrests in Turkey and Colombia. An average of 11,000 unique visitors accessed Playpen each week, according to court documents.
"We are in discussions with Mozilla to find solutions to the problem," Kate Krauss, spokesperson for the Tor Project, told Motherboard in an email.
A spokesperson from Mozilla said, "We are always looking for potential vulnerabilities in Firefox but, without more information, we cannot investigate whether the FBI used a specific vulnerability. When we become aware of vulnerabilities, we aim to fix them in a timely fashion."
"The Tor Browser is based on Firefox but also has some Tor-specific code. As said, without more information, we have no way of knowing whether a specific issue in the Tor Browser also affects Firefox," the spokesperson added.
Mozilla said it has never received a vulnerability disclosure from the FBI, and the Tor Project said it has not received a disclosure from any US agency since March 2015, when the Playpen operation ended.
"I cannot comment at all on potential vulnerabilities," Christopher Allen, a spokesperson for the FBI, told Motherboard in an email.