Facebook paid a cybersecurity firm six figures to develop a zero-day in a Tor-reliant operating system in order to unmask a man who spent years sextorting hundreds of young girls, threatening to shoot or blow up their schools if they didn’t comply, Motherboard’s Vice has learned.
We already knew from court documents that the FBI tricked the man into opening a booby-trapped video – purportedly of child sexual abuse, though it held no such thing – that exposed his IP address. What we didn’t know until now is that the exploit was custom-crafted at Facebook’s behest and at its expense.
Facebook had skin in this game. The predator, a Californian by the name of Buster Hernandez, used the platform and its messaging apps as his hunting grounds for years before he was caught.
Hernandez was such a persistent threat, and he was so good at hiding his real identity, that Facebook took the “unprecedented” step of working with a third-party firm to develop an exploit, Vice reports. According to the publication’s sources within Facebook, it was “the first and only time” that Facebook has helped law enforcement hack a target.
It’s an ethically thorny discovery. On one hand, we’ve got the deeply troubling implications of Facebook paying for a company to drill a hole into a privacy-protecting technology so as to strip away the anonymity of a user – this, coming from a platform that’s promised to slather end-to-end encryption across all of its messaging apps.
On the other hand, it’s easy to cheer for the results, given the nature of the target.
Arrested in 2017 at the age of 26, Hernandez went by the name Brian Kil (among 14 other aliases) online. Between 2012 and 2017, he terrorized children, threatening to murder, rape, kidnap, or otherwise brutalize them if they didn’t send nude images, encouraging some of them to kill themselves and threatening mass shootings at their schools or a mall bombing. In February 2020, he pleaded guilty to 41 counts of terrorizing girls aged 12 to 15.
Although Facebook reportedly hired an unnamed third-party to come up with a zero day that would lead to the discovery of Hernandez’s IP address and eventual arrest, it didn’t actually hand that exploit over to the FBI. It’s not even clear that the FBI knew that Facebook was behind the development of the zero day.
The FBI has, of course, done the same thing itself. One case was the Playpen takedown, when the bureau infamously took over a worldwide child exploitation enterprise and ran it for 13 days, planting a so-called network investigative technique (NIT) – what’s also known as police malware – onto the computers of those who visited.
In the hunt for Hernandez, a zero-day exploit was developed to target a privacy-focused operating system called Tails. Also known as the Amnesic Incognito Live System, Tails routes all incoming and outgoing connections through the Tor anonymity network, masking users’ real IP addresses and, hence, their identities and locations. The Tails zero-day was used to strip away the anonymizing layers of Tor to get at Hernandez’s real IP address, which ultimately led to his arrest.
Facebook: We had no choice
A Facebook spokesperson told Motherboard that the publication got it right: the platform had indeed worked with security experts to help the FBI hack Hernandez. The spokesperson provided this statement:
The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls. This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.
A former Facebook employee with knowledge of the case said that this was an extremely targeted hit that didn’t affect other users’ privacy:
In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor.
Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.
The human impact was not only large: it was vicious and unrelenting. Hernandez lied to victims about having explicit images of them and demanded more, lest he send photos to their friends and family. He did, in fact, publish some victims’ intimate imagery. For one victim – identified as Victim 1 in the criminal complaint – he doctored videos she’d taken of herself dancing. She thought she’d deleted them, Hernandez said in one of his many braggart’s posts. He got the videos anyway, he said, having hacked her cloud account to get the imagery, which he edited to appear explicit.
He lied about having weapons, he lied about plans to shoot up a high school, he lied about a bomb at a mall. His rape threats were long and graphic, describing how he’d slit girls’ throats or kill their families. Sometimes, he encouraged his victims to kill themselves. If they did, he’d post their nude photos on memorial pages, he said.
In December 2015, multiple high schools and shops in the towns of Plainville and Danville, Indiana, were shut down due to Kil’s terrorist threats. The following month, the community, along with police, held a forum to discuss the threats.
After the forum, Kil posted notes about who attended, what they wore, and what was said, as reported to him by a victim whom he’d coerced into attending and reporting back to him.
(IMAGE: Criminal complaint)
What he wrote in 2015, after telling victims he “wants to be the worst cyberterrorist who ever lived”:
I want to leave a trail of death and fire [at your high school]. I will simply WALK RIGHT IN UNDETECTED TOMORROW … I will slaughter your entire class and save you for last. I will lean over you as you scream and cry and beg for mercy before I slit your f**king throat from ear to ear.
Not all Facebook employees agreed
Several employees, both current and former, told Vice that the decision to hack Brian Kil was more controversial than the company’s statement would indicate. You can see why they’d have qualms: the same operating system that hid Hernandez for years as he contacted and harassed hundreds of victims is also widely used by those whose work – or whose very lives – depend on the privacy and anonymity of Tor, including journalists, dissidents, activists and survivors of domestic abuse.
A spokesperson for Tails told Vice that the operating system is used daily by more than 30,000 such people, all of whom seek the shelter of Tor to avoid persecution, surveillance and/or the chance of falling back into the hands of their abusers. The flaw that was exploited in order to catch Hernandez – found in Tails’ video player to reveal the real IP address of the person viewing a video – was never disclosed to Tails. If the flaw hadn’t been done away with in a patch, it could have been used against innocent people.
Besides protecting monsters like Hernandez, anonymizing technologies such as Tails, Tor and encryption protect the privacy of others who deserve products that don’t have holes drilled into them. That’s why we and other encryption supporters have always pledged our support for #NoBackdoors.
But what does a company like Facebook do when it feels it has no other choice but to penetrate Tor in order to stop a menace to society?
Coming to the aid of the FBI
Both the FBI and Facebook were trying to get Hernandez. He was considered public enemy No. 1 at Facebook, which took extraordinary measures to track what employees considered to be the worst criminal to ever use the platform.
The company dedicated one employee to tracking Hernandez for two years. Hernandez’s reign of terror also inspired the platform to develop a new machine learning system: one that could detect users who create new accounts that they use to reach out to kids in order to exploit them. According to former employees, that system detected Hernandez and tied him to a number of pseudonymous accounts and their victims.
The FBI tried to hack Hernandez. But it didn’t go after him by exploiting Tails, and its attempts failed. Hernandez detected the attempt and ridiculed the bureau over it. It was at that point that Facebook decided to help.
Facebook engineers and security researchers felt they had no choice. Others aren’t so sure. Vice referred to a statement from Senator Ron Wyden that questioned the lack of transparency in how law enforcement handles vulnerabilities. From that statement:
Did the FBI re-use [the zero day] in other cases? Did it share the vulnerability with other agencies? Did it submit the zero-day for review by the inter-agency Vulnerabilities Equity Process? It’s clear there needs to be much more sunlight on how the government uses hacking tools, and whether the rules in place provide adequate guardrails.
Some Facebook employees agree: if this is a precedent, it’s not a good one. Vice quoted one such:
The precedent of a private company buying a zero-day to go after a criminal. That entire concept is f**ked up.
It is f**ked up. Ethically, it’s about as problematic as you can get. But, understandably, what Facebook pulled off is also a great source of pride to the engineers who worked on getting this guy, such as this former employee:
I think they totally did the right thing here. They put a lot of effort into child safety. It’s hard to think of another company spending the amount of time and resources to try to limit damage caused by one evil guy.
Slow Joe Crow
This is actually very disturbing since “the ends justify means” was used an excuse to destroy the security and trust of the Tails OS. If Facebook is willing to compromise its principles and another organization’s security “just this once for a really bad guy” then they are on the slope of using this as justification again. Their failure to immediately disclose the zero day after catching Hernandez is even more disturbing since it indicates that Facebook is lying about only using it once.
Samuel Ibrahim
Absolutely true and scary but situations like this only come to depict whether we are humans or machines. Legally Precedence has been set but morally lives and future genrations have been preserved and kids can now sleep well at night knowing this predator has been put where he belongs.
Bacchanalia
it would have been even more disturbing if FB had assisted the pervert by doing nothing. Granted, it does ask a HUGE ask! Asking us to trust FB – not something that comes easily to many of us. But can you REALLY contemplate allowing this odious moron to continue his crimes for decades?
Word about his exploits and how he did them would undoubtedly spread, with many copycat perverts following in his footsteps. Hopefully this will send a signal that EVEN FB has limits (but hard to discern, at times)
Wilderness
It’s not illegal to find a zero day bug, nor to pay someone to do it for you. Yes, sending a file that tracked him was technically illegal, but they had more than probable cause. It won’t keep me awake at night.
Lisa Vaas
Their failure to disclose the zero day is actually quite nuanced. I recommend reading the original Vice article for the details about Facebook’s thinking. The platform knew that the flaw was going to be ironed out in an upcoming patch. Not that *Tails* knew about the flaw—it just happens that the buggy code got updated-out by chance. Facebook knew that the flaw had a limited shelf life, in other words, and thus that the exploit wouldn’t be viable for long.
CliveV
Congratulations Facebook.
You did the right thing, for a change.
Yes you will have those who castigate you, as they revel in their pc correctness and smug self satisfied grins as they via with their compatriots in an attempt to give them the attention they so desperately seek.
To even contemplate allowing scum like Hernandez to continue with his despicable actions against these young girls, is unacceptable in the extreme.
And no, their self vindication of their supposed care for all mankind is treated with the contempt of deserves.
There are times and situations where extreme measures are called for and this was one of them.
Tony Gore
The balance of one person’s rights (to commit crimes) against the greater good. If that was it, it is easier to see which side to come down on. But the question is never that simple. If authorities could really be trusted, then you could argue the case for backdoors. But they can’t because even on the good side there are some bad guys. You only have to look at the UK COVID-19 tracking app and supporting legislation – a centralised database and the data retained for 20 years (or something like that – I was shocked at the retention time). For track and trace, you maybe need the data retained for a few weeks, not 20 years.
Gavin
I’m unclear as to why this was a Facebook/Hacker operation and not an FBI/Hacker operation. The FBI might have failed to hack Hernandez in an earlier attempt, but I don’t understand what Facebook and this company that developed the Tails exploit were doing that an FBI-led operation with legal and appropriate input from Facebook and the hacker group could not.
Is it that the FBI is not allowed to work with hackers to develop zero-days? They worked with companies to break into cell phones in the past, so that can’t be it.
If Facebook had shared their tracking and investigative efforts with the FBI, and the FBI (not Facebook) had engaged with the hackers to create the zero-day, and the FBI had at all times led the investigation, I think it would have been fine (not that I’m a lawyer). It’s hard for me to understand why catching this guy required Facebook to work with the hackers on a zero-day exploit. A slippery slope indeed.
All that said, thank goodness he’s off the Internet and off the streets. Huge respect and gratitude to everyone who was involved in the case and trying to do the right thing.
Zero
@Gavin, FBI has to operate within the boundaries of the law and there are lots of things they are just not allowed to do (because of due process, burden of proof, etc, etc..). You won’t believe how much time and effort is put into “dotting the i’s and crossing the t’s” before they can actually arrest someone.
Facebook, as a private entity, has much less restrictions and much less oversight. They can do whatever they please and deal with a (potential) PR disasters later.
So, I would guess that in this situation FBI tried and failed to locate Hernandez and couldn’t get judges’ approval for another go. Facebook stepped in and did what US legal system couldn’t.
I’m not saying this situation is right or good, or anything, just stating the facts.
Spryte
Well good for fb… I think.
But now fb &the FBI will have a new public enemy No. 1 taking this guy’s place. What is going to be then. A “Catch 22” indeed.
In the end, someone must protect the children.
epic_null
Honestly? Facebook needs a MUCH stronger set of ethical guidelines if they want to do this style of thing. I don’t think a professional hacker would have a white hat after this stunt, and Facebook needs to show they have the tools to keep them in the light grey.
This I do not know if they have.
ecobrain
Hopefully that crook got what he deserved at the end: a sentence compelling him to serve a decent number of decades in jail.
Romeo
It’s sad that things like Tor and Tails are still legal. Hopefully we can get legislation to imprision users of these things. All they do is allow bad people to do bad things.
Brian
Tor is made by the US Navy and Tails is just a Linux distro that routes traffic through the Tor network. It is used for privacy, read online about what youre commenting about. You are going to imprison millions of people for wanting privacy, now thats more than f****d up.
Tor was made for everyone so that CIA or FBI dont stand out on a website (via IP and other things) and its free and fully open source (anyone can modify the code)
Yes i agree that this guy should be in prison or life sentence for what he has done, but making Tor and Tails illegal is not the way to go.