Sunday, October 14, 2012

FBI surveillance backdoor might be open to hackers


This past May, according to news reports, the FBI lobbied the White House not to oppose a new piece of legislation the FBI's lawyers had drafted.
The proposed law would force companies such as Facebook, Google, Microsoft and Twitter to build "backdoors" into their software so that law-enforcement agencies could eavesdrop on communications.
But privacy advocates say building backdoors into communications software and hardware may create more problems than it solves for law enforcement — and may make the country more vulnerable to cyber attacks.
Hand over the keys
The FBI would neither confirm nor deny the existence of the legislation or its White House visit, but it's something the bureau has nonetheless been asking Congress for.

"It is critically important that we have the ability to intercept electronic communications with court approval," FBI General Counsel Valerie Caproni told a House subcommittee in February 2011. "We confront, with increasing frequency, service providers who do not fully comply with court orders in a timely and efficient manner."
Caproni cited the cases of a South American arms-trafficking ring that used encrypted communications and a pimp who lured underage girls into his prostitution ring through social networking.
The prosecution of both cases, she said, was hampered by the inability of law enforcement to eavesdrop on the suspects.
More recently, Twitter has resisted the New York City Police Department's demands that it turn over records pertaining to its users. Such headaches would be forgotten if the FBI's proposed law were to be passed. 
In December, FBI Director Robert Mueller testified to Congress that there was a real risk of law enforcement "going dark" — losing the ability to intercept communications.
"A growing gap exists between the statutory authority of law enforcement to intercept electronic communications pursuant to court order and our practical ability to intercept those communications," Mueller said.
In other words, the technology now available to criminals, terrorists and ordinary citizens is outstripping the ability of the FBI and other law-enforcement organizations to listen in.
The law as it now stands
The proposed legislation would amend a 1994 law called the Communications Assistance for Law Enforcement Act (CALEA).

CALEA is the reason the phone company can allow police to tap calls at the switching substation, where the calls are routed, rather than have someone install a bug in a house. The law was expanded in 2004 to include broadband Internet providers.
Ever since the Pretty Good Privacy encryption program for email was introduced in the early 1990s, encryption has been widely available to the general public. Encryption used to take up a lot of computing power, but the processing speed of current devices makes it easy.



Research In Motion's Blackberry Messenger service, for example, is so strongly encrypted that the governments of India and the United Arab Emirates have demanded the company provide the keys to decoding the messages. (RIM has partially complied.)
The Internet-based international telephone-and-video-chat service Skype also encrypts calls, though there are ways to defeat it. Many privacy advocates worry that Microsoft's recent acquisition of Skype means that the government will soon have keys to decrypt its communications.

Even so, the FBI says there are still obstacles.
"Many communications providers are not required to build or maintain intercept capabilities in their ever-changing networks," Mueller told the House and Senate Judiciary Committees in May. "As a result, they are too often not equipped to respond to information sought pursuant to a lawful court order. … We must ensure that the laws by which we operate keep pace with new threats and new technology."
Basically, that means the phone companies and device makers aren't forced to build in eavesdropping ability for law enforcement.
If the FBI gets in, can hackers too?
Right now the law applies to telecom providers — phone companies — but the FBI is seeking to expand the definition. (It's important to note that nobody is looking to change the law requiring a search warrant to wiretap anyone.)

That may speed up gathering evidence. But it can also leave the good guys vulnerable, said Chris Calabrese, legislative counsel at the American Civil Liberties Union in Washington, D.C.
"In Greece, the prime minister's phone calls were being tapped," Calabrese said, referring to a 2005 incident in which high-level Greek government officials found their phones had been hacked.
While it was likely that a rival intelligence agency had done it, the access to the systems was given by the same sort of "backdoor" as the FBI is seeking.
Calabrese added that it's debatable whether law enforcement really needs additional surveillance capabilities.
Other methods already exist — for example, encrypted communications can be tapped if an FBI agent or police officer gets access to a suspect's computer, and a keylogger would reveal all of the suspect's passwords quickly.
It's also possible to eavesdrop on communications at the "switch" level by asking a telecom provider for access.
"They can get a lot of this via AT&T," Calabrese said. "Is it really worth re-architecting the Internet?"
(Last month, nine U.S. cellular carriers revealed that they had received more than 1 million law-enforcement requests for customer data in 2011.)
Peter Eckersley, technology projects director at the Electronic Frontier Foundation, a digital-rights advocacy group in San Francisco, said the problem is that when you build any vulnerability into a system, security decreases significantly.
In other words, a built-in backdoor won't stay a secret for long, and a good hacker will learn to exploit it.

Stewart Baker, a former assistant secretary of policy at the Department of Homeland Security, disagreed with Calabrese and Eckersley.

"I would not judge all lawful intercept features based on the Greek experience any more than I’d judge government management of the economy based on the Greek experience," Baker told SecurityNewsDaily in an email.
Traditional methods of surveillance are more "hit or miss," Baker said. "Keyloggers aren't as easy as you imagine."
As for the vulnerabilities introduced by backdoors, Baker said that careful monitoring can prevent them from being used by criminals or abused by law enforcement.
The power may already be there
Michael Gregg, president and chief operating officer of Superior Solutions, an IT security consulting firm in Houston, has done penetration testing and training for federal agencies, including law enforcement.

"The federal government presently has a wide array of tools that can be used to monitor voice communications, cellphones and electronic data on the Internet," Gregg said. "While built-in backdoors would make it much easier for the government to monitor communications in real time, the real question is: Would such technology be abused and used to limit free speech?"
Gregg's concerns become especially salient with the prospect of backdoors being built directly into websites. An oppressive government might use them to monitor visitors to the site.
Some new technologies actually make it easier for the FBI, or anyone else, to track where one goes online. Internet Protocol version 6, the upcoming universal Internet standard, makes it possible to link an Internet address to a machine's unique network hardware.
"Advertisers, criminals, they would all be able to see it," Eckersley said.
Some operating systems — Windows 7 and Apple's OS X and iOS among them — add privacy features to IPv6 that generate random Internet addresses. But Eckersley noted that the implementation is not universal.
To him, that fact makes the FBI's claim that it needs new backdoors all the more surprising.
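
The IPv6 point above can be checked on your own machines. The following is an added example, not part of the original article: it shows how an address built from the network card's hardware (MAC) address, using the modified EUI-64 format of RFC 4291, keeps the same identifying suffix on every network, and how to flag such addresses. The MAC, the prefixes and the randomized address are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and splice ff:fe into the middle.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host derives from a /64 prefix when it uses its MAC as the identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a /64 prefix")
    return net[int.from_bytes(eui64_interface_id(mac), "big")]

def embedded_mac(addr: str):
    """Return the MAC recoverable from an address, or None if there is no ff:fe marker.

    A randomly generated identifier can contain ff:fe by chance (about 1 in 65,536),
    so a hit means "looks MAC-derived", not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address that exposes a hardware identifier to the MAC it exposes."""
    found = {}
    for a in addresses:
        mac = embedded_mac(a)
        if mac is not None:
            found[a] = mac
    return found

# Constructed sample: the same NIC seen on two networks, plus one randomized address.
SAMPLE_MAC = "00:11:22:33:44:55"
HOME = str(slaac_address("2001:db8:0:1::/64", SAMPLE_MAC))
CAFE = str(slaac_address("2001:db8:beef:7::/64", SAMPLE_MAC))
RANDOMIZED = "2001:db8:0:1:5c1d:9a3e:77b0:12c4"

if __name__ == "__main__":
    for addr, mac in audit([HOME, CAFE, RANDOMIZED]).items():
        print(f"{addr} exposes hardware address {mac}")
```

If any of a host's own global addresses shows up in the audit result, enabling the operating system's IPv6 privacy addressing replaces the hardware-derived suffix with a random one.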
