FBI’s Cyclops Blink Action Raises Questions
The FBI’s recent takedown of Cyclops Blink command-and-control infrastructure raises questions about the US government’s reach regarding search and seizure. The government obtained a warrant allowing them to gain remote access to privately owned devices without notifying the owners and take steps to dismantle the botnet’s command and control operations. The FBI also used an amendment to Rule 41 of the Federal Rules of Criminal Procedure to access computers outside the jurisdiction of the court granting the warrant.
I find physical analogues instructive. We expect fire and police departments to gain entry to our homes and businesses when there's an emergency, whether or not we're present. Infected machines can constitute an emergency, especially when they're being used to attack other victims. However, police and firefighters will go to greater lengths to notify property owners. It might be ideal, instead, to take over attacker-owned C2 servers and issue kill orders to infected systems, but opportunities like that can't be common.
The FBI did a great service to the reckless owners of unpatched devices. Did they even access the infected devices, or did they just access the C&C server? Of course the Internet usually plays a bit by Florida traffic rules where we do not like things like safety inspections.
We need to be wary of law enforcement using powers such as these to tackle malware and botnets. While it may technically make sense to take this approach, we have to take into account people’s privacy rights and ensure there is appropriate transparency and governance in place to manage any such actions.
The amendment to Rule 41 of the Federal Rules of Criminal Procedure was the result of three years of debate and public input, adopted by the Supreme Court and approved by Congress in 2016, and was intended to handle a large-scale event. This is the broadest application of that rule not only for investigation but also for disruption of criminal activities. The risk is that multiple warrants were not obtained, just one, which was used in jurisdictions outside the one which issued it. One hopes this case helps strike a balance between taking remote action to remediate known infected systems versus reliance on system owners to take action. As we all get better at communicating with federal agencies such as the FBI, CISA, etc., one hopes that can be leveraged to allow local action versus remote unexpected intervention.