A software vulnerability is a weakness or “bug” in a computer program that can be exploited. A vulnerability that is unknown to the software's developer (and which therefore remains unpatched) is known as a zero-day vulnerability. Criminal hackers use zero-days to access protected data, spy on people through internet-connected webcams, steal passwords from smartphones, and carry out similar crimes.
They are also used by law enforcement agencies to catch criminals. A large underground market trades in zero-day vulnerabilities, and it is more than a little ironic that the willingness of law enforcement agencies to pay for such exploits helps to fuel the very underground economy that criminal hackers also rely on.
Of course, when an agency such as the FBI obtains a zero-day vulnerability that it finds useful (whether bought or developed by its own hackers), there is a strong temptation to hold on to it and keep it secret. Software companies, on the other hand, are alarmed at the prospect of vulnerabilities that could be exploited by criminals being deliberately kept from them.
Unable to patch weaknesses they know nothing about, they cannot protect their customers, who are left at grave risk.
In 2015, in what is probably the largest ever operation of its kind, the FBI successfully hacked thousands of computers worldwide in order to take over one of the largest child pornography sites on the dark web and to discover the identities of its users.
Playpen was a Tor hidden service (a .onion site), and could therefore only be accessed through the Tor network. The FBI has not said exactly how it unmasked the site's visitors, but the technique did not break Tor's routing itself: after seizing the Playpen server, the FBI ran the site for a period and delivered code to visitors' browsers that caused each machine to report its real IP address to an FBI-controlled server. Many therefore suspect that the FBI exploited a zero-day vulnerability in the Tor Browser.
Mozilla Demands Advance Disclosure
The existence of a possible zero-day vulnerability puts at risk the security of the many Tor users who rely on the anonymity network for perfectly legitimate reasons. The situation, however, could be much worse.
The Tor Browser is a “hardened” version of Mozilla’s open source Firefox browser, the second most popular desktop browser in the world. If the vulnerability the FBI used to take down Playpen is also present in the regular Firefox browser, the security of tens of millions of users (Firefox was downloaded 60 million times in 2014) could be in jeopardy.
The FBI, however, is unwilling to share the Network Investigative Technique (NIT, its term for the hack) it used to identify Playpen's visitors. Mozilla has now filed a brief in an associated criminal case, asking that the court order the government to disclose the vulnerability to Mozilla at least two weeks before it is disclosed as evidence to the defense.
“The relevant issue in this case relates to a vulnerability allegedly exploited by the government in the Tor Browser. The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base. The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.”
The issue of law enforcement agencies not disclosing vulnerabilities that could adversely affect customers has become a sore point among technology companies, and this case is likely to inflame an already tense situation.
In 2010 the US government set up the Vulnerabilities Equities Process (VEP) to arbitrate precisely this kind of issue, but thanks to the intense secrecy that surrounds the entire process, few trust the government's claim that it discloses 91 percent of the vulnerabilities it discovers. As Denelle Dixon-Thayer of Mozilla notes,
“Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.
Governments and technology companies both have a role to play in ensuring people’s security online. Disclosing vulnerabilities to technology companies first, allows us to do our job to prevent users from being harmed and to make the Web more secure.”