You are here

You are here

FBI warrant and patch for Exchange hack raises serious questions

N4nk3r ph3193 Security researcher

The recent hack that affected Microsoft’s Exchange Server led to an interesting legal maneuver by the US government: To deal with the results of the attack, the FBI obtained a search warrant that let it remotely modify affected software by implementing a patch without the consent of the users of the software.

Does the FBI have the right to do this?


Rule 41 of the Federal Rules of Criminal Procedure (FRCP) provides this authority:

[b.6] a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if […]

[b.6.B] in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

18 USC 1030 tells us that the FBI can do this if the hack:

[a.5.C] intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

So the FBI probably had the authority to get the necessary warrants, and with them could seize or copy any information on the affected servers. But this raises obvious questions about the limits of this authority. It’s not clear to me that FRCP 41 gives a judge the authority to modify any information on the affected servers.

High-maintenance moves

This analogy isn’t perfect, but changing software with a search warrant seems a bit like using a warrant to search a 2015 Toyota and somehow turning it into an unmarked 1987 Yugo. Maybe the other way around, if you’re lucky, but things never seem to work out that way.

In that hypothetical exercise, the authorities didn’t just search the car for evidence that might be used to investigate illegal activities. Instead, they also changed the car into a different one.

I’m not a lawyer, but it’s not clear to me that that’s within what’s allowed for a search warrant. And if that unmarked 1987 Yugo costs more to maintain, the owner has a good reason to not be happy. In that case, who would be responsible for the higher maintenance costs?

Getting testy about testing

So you might wonder about the possible legal implications if the FBI’s patches cause unexpected problems. Testing software is hard and getting harder by the day. I’ve heard more than a few stories about how even trivial changes ended up causing lots of downtime because of unexpected interactions with other software. Even the smallest change to software can require tens of thousands of tests to make sure that the change doesn’t cause a problem somewhere else.

Doing adequate testing of software is hard and expensive. It’s almost impossible to do perfectly. In commercial software development, the effort spent on testing software is roughly comparable to that spent on developing it; these days, for each development engineer, you can expect to have another engineer doing testing. It wasn’t always that way. Back in the dot-com era, software was much simpler, which made testing it much easier.

Back then, there were legendary (and possibly apocryphal) programs that were built from 1 million lines of code. Today, it’s easy to find open-source projects about that big. The very first one that I checked, the Expat XML Parser, has almost that many—over 890,000. And that’s not something as complex as an operating system; it just parses XML. But it takes the better part of 1 million lines of code to do that. Imagine the complexity required to do more substantial things.

Our work is never done

If you’re a developer, you know that software is never completed. Instead, it’s just deemed good enough for the upcoming release. I’ve never done software testing, but testers tell me that it’s about the same: You never have enough time to test everything, so you make a commercially reasonable effort to test the most important features of your product.

But with the patch to this hack of Exchange Server, how much testing did the FBI do? Would it even count as “commercially reasonable” if a software vendor did it? Perhaps not. It looks as if it was deployed too quickly for that to have taken place. And it probably wasn’t tested in the environments that the users of Exchange Server were running in, making unexpected interactions more likely. Do you really want someone installing relatively untested patches to your software? It looks as if that might be what the FBI did in this particular situation.

Unwarranted patching?

To obtain a search warrant, you need probable cause that a crime has taken place. The warrant application for this particular situation says that the FBI identified certain Exchange Servers that were compromised. Its justification of probable cause is the fact that “these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own.”

The FBI noted that by “deleting the web shells, FBI personnel will prevent malicious cyber actors from using the web shells to access the servers and install additional malware on them.” But is that a good reason to justify a search warrant? My understanding of search warrants is that they are used to gather evidence that can be used to prosecute criminals, not to patch software, even if there is a very good reason for that patch to be installed.

What about unintended consequences?

So even though the government’s intentions seem to have been good, in this particular case, it’s not clear to me that what it did was a proper use of a search warrant. Requiring search warrants is an important protection of our privacy, and we should be concerned when the government extends its ability to do searches in ways that seem to be an innovative interpretation of the law. This seems a good example of a case that we should worry about.

We will have to accept that extending our existing framework for limiting the government’s ability to do searches will need some modification when it’s extended to cyberspace, but I’m not sure that what the FBI did in this particular case is the right way to do it. Even a perfectly valid goal shouldn’t justify any means of attaining it.

No Security is a monthly column.

Keep learning

Read more articles about: SecurityData Security