It looks like the Senate Judiciary Committee has become interested in the FBI's use of zero-day exploits and phishing as an additional tool in the ostensible law enforcement arsenal, demanding that Director Comey provide answers to pointed questions by today (emphasis added):
Grassley also is seeking information about whether and how the FBI uses zero days. He asked Comey whether the bureau uses any zero days in the process of installing spyware tools on target machines, and if so, whether the FBI develops exploits in-house or buys them from vendors, such as VUPEN. He also asked, if the bureau does use zero days, whether the FBI ever notifies software vendors about the bugs it’s exploiting.
Intelligence agencies and military branches are known to use exploits for zero days in their work, some of which are developed internally and others that are purchased from outside vendors. In 2013, a contract surfaced that showed the NSA had subscribed to a zero-day exploit service run by VUPEN, a French company that develops and sells vulnerability and exploit information. And last month the U.S. Navy published a solicitation for zero days in a variety of popular software.
In addition to the information on exploit usage, Grassley also is asking Comey for more details on the FBI’s phishing operations. Last year, it was reported that the FBI at one point ran an operation that involved setting up a site to impersonate the Associated Press in order to get a target to click on a link that would install a remote monitoring tool. AP officials were indignant at the revelation, saying it undermined the organization’s credibility. In his letter, Grassley asks how many other times the FBI has used this tactic and whether the bureau ever informs the companies it is impersonating.
There is no doubt in my mind the FBI will be completely forthcoming in its use of zero-day exploits and phishing. I am sure they just cannot wait to tell the Senate Judiciary Committee all the intimate details about these operations.