THE ROLODEX
The ASD did not respond to a request for comment. The UK's Government Communications Headquarters (GCHQ) said it “does not comment on operational matters or relationships with industry,” and Canada's Communications Security Establishment (CSE) said it "is unable to comment on capabilities or operational matters," but emphasised its operations are carried out legally.

Two sources said Azimuth has dealt with the FBI. One specified Azimuth has provided the FBI with an exploit to break through the Tor Browser, a modified version of Firefox used to connect to the so-called dark web. Tor routes a user’s traffic through multiple computers around the world before connecting to whatever site or service the user is trying to reach. This means law enforcement can have a harder time determining where a target is located, and so agencies may deploy a hacking tool to track the suspect down, bypassing the protections of Tor. High-ranking US Department of Justice officials have complained in the past that Tor and encryption have created a “zone of lawlessness.”

An FBI spokesperson told Motherboard in an email: “The FBI does not comment on specific tools or techniques utilized in criminal investigations.”

Azimuth also has zero-days for remotely hacking Android devices and iPhones
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, and Lorenzo Franceschi-Bicchierai on Signal on +1 917 257 1382. Details on our SecureDrop, a system to anonymously submit documents or information, can be found here.
THE BRIDGE
Linchpin tells its clients not to share tools among agencies, and may, in some cases, help clients tweak or fix their payload—the piece of software the exploit is ultimately designed to deliver—according to one source. This malware might do everything you would expect a spy to be after: remotely turning on a phone's mic or camera, collecting files stored on the computer, or reading messages. Malware is especially useful for circumventing encryption on messages from apps such as Telegram or WhatsApp: it can record any message before the app encrypts it.

On top of Linchpin’s intelligence agency links, another reason Azimuth’s exploits are sold to relatively few customers is that Dowd, the Azimuth co-founder, cares who uses his company's tools, according to multiple sources.

"Think of them as law enforcement friendly. So if [a law enforcement agency] has a case that's hard and they've got legal backing, they help."
THE INDUSTRY
For comparison, a remote exploit for Firefox can go for $200,000, one for the Tor Browser can be worth $150,000 or $250,000, and one for Chrome that allows an attacker to escape the program’s sandbox can go for between $500,000 and $1 million, according to people familiar with the market.

"The prices are ten times what we could've ever asked for back then."
But, to be clear, while western agencies may use hacking in cases of terrorism or other high profile investigations, they can still use the same tools in disproportionate or unlawful ways. In a 2013 child pornography investigation the FBI deployed an exploit against users of a privacy-focused email service, including those not suspected of a crime. The FBI has also used a Tor Browser exploit to hack into thousands of computers across the world using a single legally contentious warrant.

One researcher who left the industry told Motherboard that many vendors do not know how their exploits are ultimately used, although he was not speaking specifically about Azimuth or Linchpin.

“The only way to know with certainty is when you see that your exploit has been used in a public attack. That’s it,” they added. Some contractors may have staff with security clearances who are briefed on or closer to operations, though.

Brown, the president of cybersecurity company Exodus Intelligence, told Motherboard that, "short of agreements and all of that, it's really hard to control” how a client may use an exploit. Exodus previously sold a Tor Browser zero-day to a law enforcement agency, which then deployed the exploit in a sloppy, broad manner. It was quickly detected and fixed, rendering the attack much less effective. Brown said blacklisting an offending client may be a deterrent, especially when zero-day vendors communicate with one another.

The exploit market is here to stay, but companies that only sustain themselves by researching and hacking high-value, well-defended targets, such as Chrome or iOS, are going to have a hard time surviving as those targets get tougher and tougher to hack, according to a hacker who used to work in the intelligence community.

“I do see a future where this market is going to be more and more difficult to the point that it won't be a sustainable business model," he said. “You can’t put all your marbles in this one bucket. It's risky."

Azimuth buys hundreds of iPhones for development purposes, according to a source. But in January Dowd tweeted that the company had just bought Corellium, a state-of-the-art piece of software that emulates the iPhone, which gives the company an additional way of probing iOS. Dowd said Azimuth is the company’s first customer.

“Sweet,” Dowd wrote on Twitter, referring to Corellium. “This is basically magic.”

“These companies aren't doing anything inherently shady.”