Seriously Risky Business Newsletter

March 26, 2026

Srsly Risky Biz: FBI Says Why Get a Warrant When You Have Kash

Written by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Authentik.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.


In a Senate hearing last week FBI director Kash Patel said the Bureau is buying data that can be used to track Americans. The risk that the federal government could abuse purchased data was previously theoretical, but now feels more immediate. Lawmakers should act to protect Americans' civil liberties.  

When specifically asked about buying location data, Patel said the Bureau purchases information, "that's consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us". 

We have seen US local law enforcement agencies using this kind of data to track people, but this is new for the FBI. In 2023, the Bureau's Director at the time, Christopher Wray, said it had once used commercial location data in a national security pilot program but had no further plans to use it. 

We've written about this kind of data before, and how useful it can be for tracking, identifying and even harassing people, so if the FBI didn't get valuable intelligence from it, we'd question the agency's competence.

Commercially available information is at least as valuable as cellphone location data. It can be derived from many different sources and can be used to build a person's pattern of life. The government needs a warrant to get cellphone location data from telcos, but buying data to surveil people is fine. No need to bother a magistrate.

During last week's hearing, Senate Intelligence Committee Chair Tom Cotton (R-Ark) defended the FBI's use of commercially available location data, saying, "if any other person can buy it, and the FBI can buy it, and it helps them locate a depraved child molester or savage cartel leader, I would certainly hope the FBI is doing anything it can to keep Americans safe".

However, the government already recognises that this data comes with risks. In 2024 former President Joe Biden took steps to mitigate national security risks and issued an Executive order to limit the sale of bulk sensitive personal data to America's adversaries. At the time a White House official said "bad actors can use this data to track Americans including military service members, pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy". 

Government agencies do sometimes need intrusive powers, but these shouldn't be granted unconditionally. It's a balancing act. The more intrusive the power, the more it should come with checks and balances such as, say, strong oversight and requiring warrants.

When it comes to foreign intelligence agencies and commercially available location data, good policy coupled with robust oversight would strike the right balance. Documented policies would allow lawmakers to see why the data is being used, and how Americans' rights are being protected. An oversight body would then reassure Congress that the policy was being properly implemented.

The FBI's focus, however, is domestic and it also has coercive powers that it can use on Americans. So when it comes to taking advantage of purchased data a different balance needs to be struck. Since this information can be as intrusive as cellphone data it should have the same warrant requirements. 

It's entirely possible that the FBI is using this data in a reasonable and proportionate way and is not infringing on Americans' civil liberties. But how would Congress know? Director Patel did not expand on how the Bureau was using the data or on how it was protecting the rights of Americans. And the Trump administration does not appear all that invested in strong independent oversight. 

There is already a bipartisan bill, the Government Surveillance Reform Act, that aims to address this. Among other things, it would require the federal government to get a warrant to buy sensitive data about Americans. This is particularly important for the agencies that have coercive domestic powers: With great power comes great paperwork.  

MARA: Make American Routers… Again?

This week, the US Federal Communications Commission (FCC) effectively banned the import of new consumer router models produced outside the US. At first glance this looks like a security initiative, but at its core is more an attempt to reshore consumer router manufacturing. 

Routers already approved by the FCC can continue to be sold, but new models must receive a Conditional Approval exemption from the Departments of War or Homeland Security before the FCC will authorise them for use in the US. 

In its fact sheet, the FCC cited an interagency determination that foreign-made consumer routers "pose unacceptable risks to the national security of the United States or the safety and security of United States persons". 

The determination notes that: Chinese state-sponsored telco hacking group Salt Typhoon compromises routers; CISA has referred to edge devices, like routers, as the "attack-vector of choice"; and botnets are often created from compromised foreign-produced routers. 

It's not wrong in the sense that cheap, poorly-secured routers are a point of vulnerability. But from a security perspective, focusing on where the device is made is more than a bit weird. 

The underlying problem here is that consumers and ISPs want cheap, fast and reliable routers rather than necessarily secure ones. Without changing the incentives for manufacturers, it doesn't really matter where they are made. You'll still get vulnerable products.

Unfortunately, it doesn't seem likely that the process spelt out by the FCC will result in more secure routers, just ones that are built in the good ol' US of A. 

To apply for a Conditional Approval to import new consumer routers into the country, companies will have to provide certain information. This includes details about corporate structure including foreign government ownership, where the router is made and components are sourced from and, here is the kicker, "a detailed, time-bound plan to establish or expand manufacturing in the United States". 

Entirely missing is any need to provide a detailed, time-bound plan to make devices more secure. 

Ensuring a reliable and sovereign supply chain is one element of holistically securing consumer-grade routers, but it is not what we'd call low-hanging fruit. We'd have started with efforts to encourage manufacturers to adopt secure-by-design practices and implement NIST's advice. Quick wins could be had by assessing router security and linking tariff levels to results, so poor security results in higher tariffs. That would improve product security quick smart.  

As it is, moving the production of consumer routers to America won't make them more secure, just more expensive. 

Trump Cyber Strategy: Help Us Pummel Our Adversaries

The Trump administration's approach to harnessing the US private sector is becoming clear. Rather than unleashing firms to be pirates, it wants them to be the government's eyes and ears in cyberspace.

Last week, at an event at Auburn University's McCrary Institute, National Cyber Director Sean Cairncross spoke of, "the ability of our private sector to illuminate the battlefield from what they're seeing, to inform and share information so that the [US government] can respond to get ahead of things". 

So… just another information-sharing public-private partnership then? 

The history of cyber security policy is littered with moderately successful public-private partnerships where the incentives of both parties did not quite align. For many of those initiatives, companies hoped that the government would share ZOMG secrets that they could use to protect themselves. In reality, however, protecting the private sector from hackers is not a top intelligence priority for the government, and sharing is tricky because of classification issues. 

The new approach doesn't quite match the rhetoric of the recently released Trump Cyber Strategy which spoke of "unleash[ing] the private sector by creating incentives to identify and disrupt adversary networks". 

But even with the private sector relegated to a supporting role, we are optimistic. There is the potential for better alignment because the government wants to punish bad actors with information and support from the private sector. Capability and intent are better aligned.  

We expect good things.


Three Reasons to Be Cheerful This Week:

  1. Four DDoS botnets disrupted: The US Department of Justice announced that an international effort disrupted the IoT botnets Aisuru, Kimwolf, JackSkid and Mossad. The effort involved authorities from Canada and Germany, who targeted individuals operating the botnets, and court-authorised domain seizures that were carried out by the Defense Criminal Investigative Service (DCIS) from the Department of Defense. The DoJ says the goal of the operation was to stop the botnets from being able to launch future attacks.
  2. Japan's cabinet gives active cyber defence a green light: Last week Japan's cabinet approved active cyber defence operations. We don't expect any immediate sea change, but approve of the move. It makes sense for governments to actively try to shape the environment rather than being passive victims of cyber crime and espionage. 
  3. Germany takes 0day VERY seriously: System administrators from affected companies received late night in-person visits from German police to warn them of a critical vulnerability in Windchill and FlexPLM, a product lifecycle management solution. It's good to see someone taking software bugs that seriously, although we wonder if the door knocking couldn't have waited till morning.  

Sponsor Section

In this Risky Business sponsor interview, Casey Ellis chats to Fletcher Heisler, founder and CEO of open source identity provider, Authentik. They chat about Extended Identity Access Management (XIAM), the company’s new acronym that has been seven years in the making.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss how Google just keeps on finding iOS exploit kits. Is iPhone security busted? And why are Russian state hackers after crypto?


From Risky Bulletin:

The Intellexa CEO is big mad!!! The CEO of a major spyware vendor says he is being scapegoated by the Greek government and is willing to testify and spill the beans on their illegal surveillance operations.

Intellexa CEO Tal Dilian is mad after a Greek court sentenced him, his wife, and two executives to more than 126 years in prison last month on generic charges of "violating the confidentiality of telephone communications."

The sentence is related to a major Greek political scandal known in Greece as Predatorgate, which this newsletter first covered back in December 2024.


GitHub is starting to have a real malware problem: GitHub is slowly becoming a very dangerous website as more and more threat actors are starting to use it to host and distribute malware disguised as legitimate software repositories.

What started as an infrequent sighting in early 2024 is now at the center of an increasing number of infosec and malware reports.

The tactic is usually the same. A threat actor takes a legitimate repository, adds malware to the files, typically an infostealer or a remote access trojan, and then uploads the boobytrapped repo back to GitHub.


AWS kills bucketsquatting: Amazon Web Services rolled out a new security feature last week that will help customers prevent a type of attack known as S3 Bucket Namesquatting, or Bucketsquatting.

The attack was first described by cloud engineer Ian Mckay in 2019. It happens when an attacker abuses the predictable naming conventions in AWS bucket names to register buckets that have expired or have been deleted by their original owners.

If traffic still flows to the old buckets, this allows attackers to collect data from internal networks or public-facing apps, leading to serious security incidents.

