Facebook offered a 0day flaw in Tails


Facebook offering up a security hole in a secure operating system: the story told by Motherboard is enough to raise eyebrows. In an article published yesterday, the American magazine nevertheless explains how Facebook paid a cybersecurity company to develop an exploit using a 0day security flaw in the Tails operating system in 2017, in order to help the FBI identify a criminal operating on its platform.

The suspect in this case, Buster Hernandez, was arrested in 2017. He had been active on Facebook for several years: he mainly targeted underage users of the social network, whom he blackmailed by claiming to have obtained stolen intimate photos of them, and he piled on threats of attacks against their families and those around them to extort new intimate photos and videos. Buster Hernandez claimed victim after victim, but still managed to evade Facebook moderators and the police: he used several tools to guarantee his anonymity, including the Tails Linux distribution. This Linux distribution, well known to activists, presents itself as an "amnesic" distribution, which leaves no trace on the computer where it is used and is capable of redirecting all of the user's internet traffic through the Tor network in order to conceal the user's identity.

For Facebook moderators, the use of these tools made it impossible to track Buster Hernandez: they could not locate his real IP address and pass it on to the authorities so that he could be arrested. It was also impossible to prevent him from creating new accounts and operating on the platform, claiming more victims under new identities. For Facebook, Hernandez was nevertheless a problem: Motherboard indicated that an employee had the specific task of keeping an eye on his activities, and that a machine learning algorithm aimed at identifying his behavior was developed in-house.

A helping hand worth hundreds of thousands of dollars

In 2017, the FBI nonetheless managed to de-anonymize Hernandez by sending him a video booby-trapped with software, which allowed them to identify his real IP address when the video was opened. But the FBI at the time remained fairly talkative about the technique used and how it was developed. According to Motherboard, it is because the FBI owes its catch to the efforts of Facebook: to help the American authorities apprehend the suspect, the social network chose to pay a large sum (six figures, according to the American magazine) to obtain a 0day security vulnerability in Tails. A 0day is a security vulnerability that is unknown to the software's publisher and therefore has no patch. In this case, it was a security flaw affecting the Tails video player. Facebook obtained the flaw in question from a reseller whose name has not been released and forwarded it to the FBI agents on the investigation, who then used it to identify Hernandez and arrest him with a proper arrest warrant.

According to Motherboard, which cites sources inside Facebook, this choice was made as a last resort to help the investigation. Internally, opinions on Facebook's approach are divided: some believe Facebook's intervention was perfectly justified and helped end the crimes of an individual suspected of repeat pedophile crimes. Others are less comfortable with the precedent the case sets: once this type of assistance has been offered to the American authorities, this type of case could happen again in the future, with possible abuses.

Tails administrators told Motherboard they had never heard of the flaw or of the case. Internal sources cited by the magazine indicate that a fix for the bug in question was long overdue, which limited the flaw's impact over time.

Facebook did nothing illegal in this case: by helping investigators and agreeing to pay a substantial sum to procure the flaw in question, the social network played an essential role in the arrest of a criminal. The situation nevertheless raises questions. Although Facebook says it was an "exceptional" situation that will not happen again, the FBI may not see it that way, and police in many other countries may invoke this precedent to support their own requests for assistance. This was the risk Apple raised in 2016 in its case against the FBI over the San Bernardino massacre. At the time, Apple refused to help the FBI decrypt the killer's iPhone.

Source: www.zdnet.fr
