FBI Bungles Malware Attempt As Courts Begin To Question Its Legality

from the fbi-as-script-kiddies dept

Wed, Dec 11th 2013 10:51am — Mike Masnick

Back during the summer, we wrote about how the FBI was increasingly using malware to spy on people (though they apparently tried to avoid using it with technically savvy people to avoid having its capabilities "discovered"). However, the Washington Post has more details on how the FBI uses malware in trying to track down someone, based on court documents -- though it also notes that at least some courts have balked at such techniques, pointing out that they go way too far and probably violate the 4th Amendment.

The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico, now on the advisory board of Subsentio, a firm that helps telecommunications carriers comply with federal wiretap statutes.

The FBI’s technology continues to advance as users move away from traditional computers and become more savvy about disguising their locations and identities. “Because of encryption and because targets are increasingly using mobile devices, law enforcement is realizing that more and more they’re going to have to be on the device — or in the cloud,” Thomas said, referring to remote storage services. “There’s the realization out there that they’re going to have to use these types of tools more and more.”

The ability to remotely activate video feeds was among the issues cited in a case in Houston, where federal magistrate Judge Stephen W. Smith rejected a search warrant request from the FBI in April. In that case, first reported by the Wall Street Journal, Smith ruled that the use of such technology in a bank fraud case was “extremely intrusive” and ran the risk of accidentally capturing information of people not under suspicion of any crime.

Smith also said that a magistrate’s court based in Texas lacked jurisdiction to approve a search of a computer whose location was unknown. He wrote that such surveillance software may violate the Fourth Amendment’s limits on unwarranted searches and seizures.

Yet another federal magistrate judge, in Austin, approved the FBI’s request to conduct a “one-time limited search” — not involving the computer’s camera — by sending surveillance software to the e-mail account of a federal fugitive in December 2012.

Still, the report details how the FBI can insert malware in a variety of ways, and that the malware can often do things like turn on your camera without the light turning on. Most reports of malware concerning turning on cameras in the past still had the light go on. It appears that this is all the more reason for people to tape over their cameras. That said, it could be even worse. If they can turn on your camera remotely, they can almost certainly turn on your microphone remotely also. And, of course, with a microphone there is no light in the first place and you can't just cover it up. Voila, instant wiretaps beyond just phone calls. Seems extreme, but does anyone doubt that the FBI can do this, and likely does do this?

Of course, the Washington Post report also shows that while the FBI may be able to create and install malware like this, it also seems to make an awful lot of mistakes:

Federal magistrate Judge Kathleen M. Tafoya approved the FBI’s search warrant request on Dec. 11, 2012, nearly five months after the first threatening call from Mo. The order gave the FBI two weeks to attempt to activate surveillance software sent to the texan.slayer@yahoo.com e-mail address. All investigators needed, it seemed, was for Mo to sign on to his account and, almost instantaneously, the software would start reporting information back to Quantico.

The logistical hurdles proved to be even more complex than the legal ones. The first search warrant request botched the Yahoo e-mail address for Mo, mixing up a single letter and prompting the submission of a corrected request. A software update to a program the surveillance software was planning to target, meanwhile, raised fears of a malfunction, forcing the FBI to refashion its malicious software before sending it to Mo’s computer.

The warrant authorizes an “Internet web link” that would download the surveillance software to Mo’s computer when he signed on to his Yahoo account. (Yahoo, when questioned by The Washington Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

The surveillance software was sent across the Internet on Dec. 14, 2012 — three days after the warrant was issued — but the FBI’s program didn’t function properly, according to a court document submitted in February,

“The program hidden in the link sent to texan.slayer@Ã‚Âyahoo.com never actually executed as designed,” a federal agent reported in a handwritten note to the court.

It looks like this is the typical case of once law enforcement has a tool it's looking to use it more and more, even as it clearly has not yet worked out the kinks -- and there's been no real chance for a comprehensive look at whether or not the use of such tools is legal, beyond what individual judges are deciding on a case by case basis.

Of course, just the fact that the FBI is able to turn on cameras and microphones without letting someone know has some pretty serious consequences. Jon Schwarz pointed out the basic similarities to 1984 about what happens when the government can magically spy on just about anyone without you knowing about it. Making people live in fear is not what "freedom" is about, now is it?

Raise your hands for those who expect that this technology won't be abused.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cameras, fbi, malware, microphones, surveillance

23 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

DannyB (profile), 11 Dec 2013 @ 10:58am

No need to watch the watchers
While this may seem unsettling at first, please take comfort in the fact that the government agencies would never abuse such capabilities. Especially for personal, petty or political purposes.
[ link to this | view in chronology ]
- Anonymous Coward, 11 Dec 2013 @ 11:03am
  
  Re: No need to watch the watchers
  government agencies
  
  Fucking blackhats.
  
  *spit*
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Dec 2013 @ 11:56am
  
  Re: No need to watch the watchers
  I just wonder what their private porn collections contains.
  [ link to this | view in chronology ]
Anonymous Coward, 11 Dec 2013 @ 11:21am

Spotted a typo. Should read:

"Yahoo, when questioned by The Washington Post, issued a statement saying it had no knowledge of how to run a respectable email service in any way."
[ link to this | view in chronology ]
- Anonymous Coward, 11 Dec 2013 @ 12:44pm
  
  Re:
  This. A thousand times this. Yahoo's email service is absolutely awful, an exercise in miserable incompetence. The only possible merit that it has is to give Hotmail motivation to improve, since Hotmail is even worse.
  [ link to this | view in chronology ]
Anonymous Coward, 11 Dec 2013 @ 11:30am

So how long is this going to be before users on the internet start cutting wires to the microphone and camera? Or go luddite and refuse to buy those sets of hardware that contain such features?

Every action has a reaction. While I'm doing nothing that would actually be of interest to these spying agencies, I'm pissed that I have to take steps to prevent it on hardware that is mine, bought and paid for.

At this point I am considering that maybe being on the internet in plain view may not be such a good idea. The darknet is becoming more and more attractive as the Snowden leaks continue.
[ link to this | view in chronology ]
- Anonymous Coward, 11 Dec 2013 @ 11:52am
  
  Re:
  The Darknet is not much safer, and makes it much harder to find things. Further, the resulting fragmentation of society in small groups serves the governments purposes, as it becomes much harder for people to communicate ideas and opinions widely, or organise on a large scale.
  Love or hate Twitter, Facebook etc, they have a tremendous social reach that can result in effective opposition to politicians. The Darknet is closer to the underground magazines of the 60s and 70s, preaching to the converted, but with very limited reach because they were easy to ridicule and write of as being part of a minority culture.
  [ link to this | view in chronology ]
  - Anonymous Coward, 11 Dec 2013 @ 12:39pm
    
    Re: Re:
    Facebook, at least, is making that (tremendous social reach) harder and harder to achieve as time goes by. her's just one example:
    
    http://allthingsd.com/20131210/facebook-wants-to-be-a-newspaper-facebook-users-have-their-own-ideas/
    [ link to this | view in chronology ]
PlagueSD (profile), 11 Dec 2013 @ 11:48am

For me, as far as cameras go, I keep my laptop and tablet off and "closed" so the camera is effectivly blocked. As for my phone, it stays in it's case which blocks the front camera and I set it flat on the desk...blocking the rear camera. For my computer, when I'm not using my microphone, I turn it off with a "hardware" switch. Since it's USB, it also unmounts the drivers. If the FBI figures out a way into my network and finds a way to override a physical button, then my computer would make that "ding" sound when you plug a USB device in and I'd be notified anyway.

Unfortunatly, there is nothing I can do about the microphone on my cellphone, so if I was going to do anything illegal, my phone would be staying at home anyway.
[ link to this | view in chronology ]
- Anonymous Coward, 11 Dec 2013 @ 11:57am
  
  Re:
  so if I was going to do anything illegal, my phone would be staying at home anyway
  
  And if you were to go to a political meeting, well, you would go to a Democratic meeting, or a Republican meeting, and there's really nothing wrong with taking your phone to one of those meetings. You would be absolutely paranoid to worry about taking your phone to a political party meeting. After all, it's not like either the Rs or the Ds are dirty communists. You wouldn't go to a dirty communist meeting with or without your phone now, anyways.
  [ link to this | view in chronology ]
Anonymous Coward, 11 Dec 2013 @ 11:48am

A bunch of computers (laptops especially) come with cameras and microphones built into them now, which makes this especially dangerous.
[ link to this | view in chronology ]
Anonymous Coward, 11 Dec 2013 @ 11:49am

Xbox One
Something for Xbox One owners to keep in mind. The console's built-in camera and microphone could give law enforcement remote access to every user's living room.
[ link to this | view in chronology ]
- anonymoose, 11 Dec 2013 @ 11:55am
  
  Re: Xbox One
  The camera and 13 or so microphones are 'live' any time the XBone has power, regardless of it's current 'on'/'off' state.
  
  Unplugging the Kinect completely is the safest course if you're concerned. But remember that many 'smart' TVs also have rudimentary cameras and mics..
  [ link to this | view in chronology ]
  - Anonymous, 14 Dec 2013 @ 3:25pm
    
    Re: Re: Xbox One
    What if you simply don't connect such devices to the internet?
    [ link to this | view in chronology ]
- Anonymous Coward, 11 Dec 2013 @ 12:42pm
  
  Re: Xbox One
  Televisions, too, are adding cameras for "gesture control" and microsoft, I believe, has applied for a patent that could be used for determining the number of people in your living in order to charge per person fees for movie watching.
  
  The capitalists are as bad or worse than, the feds.
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Dec 2013 @ 1:41pm
  
  Re: Xbox One
  Youtube: WiSee: Wi-Fi signals enable gesture recognition throughout entire home
  
  Your WiFi can do that.
  And MAV(Micro Aerial Vehicles)
  
  Youtube: Air Force Bugbot Nano Drone Technology
  [ link to this | view in chronology ]
- btrussell (profile), 11 Dec 2013 @ 10:14pm
  
  Re: Xbox One
  A $500 picture of one is starting to sound like a better idea than actually setting one up in my living room.
  [ link to this | view in chronology ]
Anonymous Coward, 11 Dec 2013 @ 12:10pm

Pfff, laptop spyware is so 1990's. These days FBI agents just activate the microphone on our cellphones, mafia style!

Every cellphone on the market is a proprietary, binary blobbed, back-doored spyware device... that we pay for! lol

Even the SIM cards are back-doored!
[ link to this | view in chronology ]
Anonymous Coward, 11 Dec 2013 @ 2:12pm

Unified Solution to this issue
A spot of tape. (British accent)

Manufacturers should place a LED directly in line to power the camera so that it would not be possible to turn it on without that light being on. The only drawback would be that the camera would no longer function if the LED burned out but all things considered it would be worth it.
[ link to this | view in chronology ]
HUMANITY GUARDIAN, 11 Dec 2013 @ 11:57pm

WE need more and more secure PCs than ever
WE need more and more secure PCs than ever
[ link to this | view in chronology ]
Anonymous Coward, 12 Dec 2013 @ 1:47pm

There is no legality in malware, period.
[ link to this | view in chronology ]
Kronomex, 12 Dec 2013 @ 1:49pm

I'm surprised that the feds haven't made it compulsory for cameras to be built into all new computers thereby avoiding the pesky amendments. The other thing to do is to find the camera and put some a bit of black tape over it.
[ link to this | view in chronology ]
- Anonymous, 14 Dec 2013 @ 3:27pm
  
  Re:
  Don't give them any ideas. They're already pushing for mandatory black boxes in vehicles.
  [ link to this | view in chronology ]