The FBI's Firefox Exploit

Lawfare contributors are having an interesting debate (with dinners and drinks on the line) about whether and why the FBI might reveal the details of the exploit used to unlock the San Bernardino iPhone. My guess is that the FBI will inadvertently release so many details in aiding local law enforcement that the question becomes moot: we will at least learn whether the exploit uses the USB connection or attacks through the cellular "baseband," as well as whether the exploit works on current versions or has already been patched by Apple.

But another fight over vulnerability disclosure is far more interesting and getting far less attention. The FBI is apparently hoarding a Tor Browser exploit which it used to target visitors of the "Playpen" child porn site. I've previously discussed how the FBI wrote the warrant to hack over a thousand targets. Now the FBI is fighting defense efforts to examine the exploit itself despite an order requiring the FBI to reveal the exploit to the defense.

The Tor Browser is simply Firefox running in a hardened mode. While many Firefox exploits will not work against the Tor browser—particularly those relying on Flash—the converse is not necessarily true. To the contrary, any Tor browser exploit is almost certainly a Firefox exploit too.

Firefox is critical computing infrastructure. Many government computers give the user a choice between Firefox and Internet Explorer. A Firefox exploit in the wrong hands could easily result in millions of ransomware infections or could permit an adversary to penetrate many government networks through phishing URLs, watering-hole attacks, or packet-injection attacks.

Thus, the FBI's resistance to reveal details of this exploit is troubling. First, the Justice Department is arguably encroaching on 6th amendment protections which provide the right to confront one’s accuser in a forensic context. It is possible that FBI Special Agent Alfin is correct that, in this particular exploit, the exploit portion did not conduct any additional search. But the only way the defense can verify this is by examining the exploit code itself.

The exploit may the method by which the FBI breaks into the suspect's door but it theoretically can be used do far more—for example, it could include mechanisms to create a "backdoor" or other additional functionality. Generally, I am more comfortable with FBI NITs compared with other searches because there is an ability to verify that a search was conducted to specification. But given the FBI's history of bending the truth in technical declarations, the defense’s chosen expert should be entitled to verify the FBI's claims.

But their opposition to disclosing the exploit signals potentially more troubling underlying policies. Why is the FBI trying to maintain this exploit as a secret? There mere fact they are expending energy to do may indicate the exploit is a zero day; if it were already publically known there would be limited strategic value in keeping it secret. If this is not a zero day at all, the FBI is pointlessly fighting to limit disclosure to the defense via ex parte filings. But if this is, in fact, a zero day then even more worrisome policies may be at play.

Did this exploit go through the Vulnerabilities Equities Process (VEP)—or some similar executive process—before the government elected to fight disclosure? Or are these policies designed to favor offense over defense to the extent they are effectively meaningless as safeguards?

If the exploit remains unpatched, it is difficult to conceive of a reasonable and balanced process that would not result in disclosure and patching. It would be reasonable to assume Chinese or Russian hackers might discover the same weakness, and the consequences of that kind of hostile discovery could be incredibly significant, if not outright catastrophic.

It is possible that, even after a year, this vulnerability never went through the VEP or any disclosure-balance process at all. If that is the case, what is the point of having any kind of process if it does not apply to an exploit affecting tens or hundreds of millions of computers worldwide, including a substantial fraction of US government computers?

And if it did undergo policy scrutiny, then the outcome undermines the credibility of the process. If even this kind of vulnerability does not merit disclosure, then critics may be well-founded in their fears that the government hoards serious exploits to the detriment of all cyber-defense, including the US government's own cyber-defense.

From what I can tell there are only three plausible scenarios. One, the FBI is maintaining a secret that isn’t a zero day and pointlessly putting pressure on a defendant’s constitutional rights. Two, this exploit never underwent any kind of vulnerability equity process at all. Or three, the equity process favored offense over defense. I find none of those options comforting.