The Hacking Monster

James Comey and Sally Yates seated in front of two American flags and one flag with the Justice Department seal
FBI Director James Comey in June. Photo courtesy the Federal Bureau of Investigation.

In Jewish folklore a golem is a humanoid figure made of clay and brought to life through magical means, usually for benign purposes but not always with benign results.

Centuries ago, the High Rabbi of Prague is said to have created a golem named Joseph to protect the city’s Jewish Quarter from attack, as well as to perform all sorts of manual labor. The catch was that the rabbi was required to deactivate Joseph every Friday evening before the start of the Jewish Sabbath. When the rabbi inevitably forgot to do so one Friday, Joseph predictably ran amok. (According to another legend, Joseph still slumbers in a deactivated state in the attic of a Prague synagogue.)

If you think this sounds a lot like Mary Shelley’s tale of Dr. Frankenstein and his creation, I agree. These types of stories always seem to have the same ending, because monsters inevitably behave like, well, monsters.

Did FBI Director James Comey read any of these stories when he was growing up? I wondered about this a few months ago, when Comey and his agency abandoned their fight to force Apple to hack the iPhone used by one of the San Bernardino shooters. Comey proudly announced at the time that the bureau had paid hackers an undisclosed sum (though he hinted it was north of $1.25 million) to do the job instead. As I and many others predicted, it turned out that the phone held no information of value to the investigation, which is presumably why the assailants did not bother to destroy it along with their other mobile devices. Regardless, Comey pronounced that the hacking exploit was still worth every taxpayer penny.

He never identified the hackers that the FBI hired. NBC reported that an Israeli firm, Cellebrite, was the outside party in question, though its involvement remains disputed. The Israeli newspaper “Yedioth Ahronoth” seems to be the original source indicating Cellebrite’s involvement. No need to worry, though; the Israelis are good guys who are usually on our side. Right?

Maybe you think so. Ahmed Mansoor, a human rights activist based in the United Arab Emirates, probably doesn’t.

A few weeks ago, security researchers at Citizen Lab and Lookout Security reported on an attempt to remotely jailbreak Mansoor’s iPhone 6. Mansoor received a suspicious text message with a link about human rights abuses in UAE jails. Instead of clicking the unknown link, Mansoor contacted Citizen Lab, whose staff identified the link as a cyberattack by the Israel-based company NSO Group. Had Mansoor fallen victim to the attack, NSO’s Pegasus software would have silently taken advantage of security flaws in the phone’s operating system to turn the phone into a surveillance device. According to the report, Pegasus is available only to government agencies. An NSO spokesman, speaking to The Wall Street Journal, denied any knowledge of the attempt to hack Mansoor’s phone.

Apple announced on Sept. 1 that it had fixed the flaws reported by Citizen Lab, pushing the security updates to all vulnerable devices. This was, incidentally, not an option for the vulnerability exploited by Cellebrite or whichever other outside party the FBI paid to get into the San Bernardino shooter’s iPhone. The FBI refused to tell Apple about the vulnerability, or even to submit it to the equities review process designed to weigh national security priorities against the danger posed to American users’ private data by a given security flaw. The FBI claimed it did not know enough about the vulnerability the outside party used to let the equities review board evaluate it.

Now the FBI is extremely troubled by the possibility that Russian hackers are trying to somehow manipulate the results of the November presidential election. At least U.S. intelligence agencies have said they believe the hackers to be Russian, though Russia denies any tie to them. Whoever they are, the hackers have already repeatedly targeted Democratic campaign organizations. An ensuing document dump on WikiLeaks embarrassed former Democratic National Committee Chair Debbie Wasserman Schultz into resigning on the eve of the party’s nominating convention. It is entirely possible, if not likely, that more disclosures are on the way in the weeks leading up to the election. The U.S. intelligence community is said to be deeply concerned. It is a safe bet that so are Democratic nominee Hillary Clinton and many of those around her.

Is there a connection between the FBI’s hiring highly skilled hackers for its own purposes and hunting similarly skilled hackers whose interests are deemed to be at odds with those of the United States? You might not see one. If hackers (who by definition ply their trade breaking and entering digital domains that belong to others) are golems, maybe there are simply good ones and bad ones. But history and literature teach a different lesson. The hacker who sells her services to you today may well be in the employ of your adversary next week, or the tools she creates for your benefit may end up misappropriated by that same adversary.

In other words, most monsters eventually end up behaving like monsters – even when they are on the FBI payroll.