Was the FBI Responsible for Sunday’s Tor Exploit?

Aug 07, 2013 • Freedom, Privacy, teh inetrwebz, web

did the FBI use malware to get information on Tor users?

Anonymity went out the window for many Tor users on Windows when a server began injecting a malicious bit of JavaScript into pages delivered to users. Tor, an anonymity network that directs traffic over a network of relays to conceal users’ location and activity online, is a critical tool for dissidents, activists and journalists. The network was originally designed and implemented as an onion routing project of the United States Naval Research Laboratory, in order to enable secure government communications.

On Sunday, malicious software, known as malware, was identified on several sites hosted by Freedom Hosting, which provides customers the ability to run hidden services, designed to protect their creators from being identified. While these are used for legitimate reasons, many hidden services are used for criminal purposes as well. Freedom Hosting is known to host the fraud and hacking board HackBB. In 2011, Freedom Hosting was targeted by a distributed-denial-of-service attack from Anonymous for hosting some of the most notorious child pornography sites online.

The company became widely known for having a very “hands off” approach — while they warned against doing anything illegal, their terms clearly indicated their position should a customer do anything illegal: “if you choose to do so anyway, we’re not responsible for your actions.”

“The vulnerability [in Firefox, on which the Tor browser is based] allows arbitrary code execution, so an attacker could in principle take over the victim’s computer,” the Tor Project advisory read. “However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services. We don’t currently believe that the attack modifies anything on the victim computer.”

Last week, the U.S. Federal Bureau of Investigation arrested 28-year-old Eric Eoin Marques, the owner and operator of Freedom Hosting, for his role in hosting and facilitating child pornography. According to Motherboard, “shortly after Marques’s arrest, around half of Freedom Hosting’s hidden services reportedly experienced malware attacks, and some went down.”

Though this is a victory over child pornography, the repercussions extend far beyond it. Of the sites affected, many had nothing to do with sexual or suggestive images of minors. Wired reports that TorMail, the secure e-mail provider, was among the affected sites. Kevin Poulsen writes:

Tor hidden services are ideal for websites that need to evade surveillance or protect users’ privacy to an extraordinary degree — which can include human rights groups and journalists. But it also naturally appeals to serious criminal elements.

The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’ arrest, is that the malware does nothing but identify the target. The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

In short, [the malware] reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.
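The tell-tale behaviour described above, the browser process sending data home over a non-Tor connection, is something a defender can look for on the host itself. The script below is an added example written for this post, not code from the Tor Project or from any of the sources quoted; it assumes (as is the default for Tor Browser, but not stated on the page) that the browser process reaches the network only through the local tor SOCKS proxy on 127.0.0.1, so any connection the browser opens to a non-loopback address is a signal worth alerting on. The log format, process names and addresses are constructed for the example.

```python
"""
Added example (not from the original article): flag Tor Browser connections
that bypass the local tor proxy, the pattern the Tor Project advisory describes
(data sent to a remote webserver over a non-Tor connection).

Assumptions, not from the page: the browser runs as firefox.exe and is expected
to talk only to loopback (the tor SOCKS/control ports); tor.exe is the only
process that should reach remote relays. Log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed host-firewall / connection-audit lines:
#   <timestamp> <process> <local addr> -> <remote addr>
# Three lines are normal; one is the browser phoning home directly.
SAMPLE_LOG = """\
2013-08-04T20:15:01Z firefox.exe 127.0.0.1:51010 -> 127.0.0.1:9150
2013-08-04T20:15:01Z tor.exe 192.168.1.20:51011 -> 203.0.113.7:443
2013-08-04T20:15:03Z firefox.exe 192.168.1.20:51012 -> 198.51.100.23:80
2013-08-04T20:15:04Z firefox.exe 127.0.0.1:51013 -> 127.0.0.1:9151
"""

TOR_BROWSER_PROCESS = "firefox.exe"  # assumed process name for Tor Browser


@dataclass
class Connection:
    ts: str
    process: str
    remote_ip: str
    remote_port: int


def parse_line(line: str) -> Connection:
    """Parse one constructed audit line into a Connection record."""
    ts, proc, _local, _arrow, remote = line.split()
    ip, port = remote.rsplit(":", 1)
    return Connection(ts, proc, ip, int(port))


def is_direct_egress(conn: Connection) -> bool:
    """True when the browser process itself connects anywhere other than loopback.

    Traffic that is correctly routed through Tor leaves the host from the tor
    process, not from the browser, so a browser-originated connection to a
    non-loopback address is exactly the 'non-Tor connection' the advisory warns about.
    """
    if conn.process != TOR_BROWSER_PROCESS:
        return False
    return not ipaddress.ip_address(conn.remote_ip).is_loopback


def find_direct_egress(log_text: str) -> list:
    """Return every Connection in the log that bypasses the local tor proxy."""
    conns = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [c for c in conns if is_direct_egress(c)]


if __name__ == "__main__":
    for c in find_direct_egress(SAMPLE_LOG):
        print(f"{c.ts} {c.process} connected directly to {c.remote_ip}:{c.remote_port}")
```

On the constructed input only the third line is reported: the browser opening a direct connection to 198.51.100.23:80. The same rule translates into a host-firewall policy (allow the browser to reach loopback only, allow tor to reach the network), which prevents the exfiltration rather than merely logging it.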

“This wasn’t the first Firefox vulnerability, nor will it be the last,” the Tor Project warns users in its advisory. “Be aware that many other vectors remain for vulnerabilities in Firefox. JavaScript is one big vector for attack, but many other big vectors exist, like css, svg, xml, the renderer, etc.”

As for Windows — “switching away from Windows is probably a good security move for many reasons.” Gizmodo has a guide on how to continue using Tor safely on a Windows machine.

You can read more about how Tor works and the recent exploit on ZDNet. Patrick Howell O’Neill has the best write-up about Dark Net, Freedom Hosting and the events surrounding the capture of Marques.

Header image by Aleksandar Cocek.