
Crikey Clarifier: how the FBI hacked users of Tor, the ‘secret internet’

If Tor keeps users of the “secret internet” hidden, how could the FBI have tracked them down? Yes, it is difficult, but anyone who is going up against world governments should be prepared to lose. Our resident techhead explains.

If you ask a reasonably informed techhead how you can hide yourself from the comprehensive surveillance by the US National Security Agency (NSA), chances are they’ll recommend using Tor, a system for concealing your location on the internet, and therefore your identity. But you’d be a fool to imagine using Tor alone provides a magic cloak of invisibility, as alleged child p-rnographer Eric Eoin Marques recently discovered.

The Tor anonymity network started life as The Onion Router, a project funded by the US Naval Research Laboratory intended to help secure naval communications. Now it’s run by the Tor Project, a US-based non-profit with a diverse funding base including the US and Swedish governments, the US National Science Foundation and myriad small donors.

What the hell is it?

Images from Tor Project

It’s all in the name. Imagine that Alice wants to send a package to Bob and wants Bob to send a package back, but she doesn’t want Bob to know where she lives. (Alice and Bob are the traditional participants in these explanations.) Alice therefore enlists her friend Carol as a trusted intermediary. Alice puts her package for Bob in a bigger box addressed to Carol and sends it off. Carol opens the bigger box and sends the package inside on to Bob, having first added her return address. When the time comes for Bob to send his package back to Alice, he sends it to Carol. Carol puts the package back in the box that Alice sent and sends it on to her. Bob never learns Alice’s address, only Carol’s.

The problem with this simple set-up is that Bob could pressure Carol to reveal Alice’s address. To help prevent that, further intermediaries are added. Alice sends a huge box to Carol, who opens it and sends the box inside to Dan, who opens that box and sends it on to Evan and so on. The layers of boxes within boxes being gradually opened are like the layers of an onion being peeled back, hence The Onion Router.

How does the encryption work?

In Tor, each box-within-a-box is a layer of encryption. There’s a network of more than 4000 parcel-passers (Tor “nodes”, or relays, running on computer capacity donated by volunteers) and every time someone uses Tor, their client chooses a different random path through that network, normally three relays long. Browse to a different website and it’s a different random path again. The client negotiates a separate encryption key with each relay in the path, so each relay can strip only its own layer and learns nothing about the others’ keys.

Data from half a million users is bouncing around this network, and every relay can open only the one box it holds the key for. Even if you intercept traffic on a single link and, with massive computer power behind you, somehow break that one layer, you merely peel back one layer of the onion, only to find another encrypted layer inside, addressed to the next relay. No single relay sees both who is sending and where the data ends up. The realistic attack is therefore not brute-force decryption but correlation: an adversary that can watch traffic both entering and leaving the network can match its timing and volume to link the two ends.
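The box-within-a-box scheme above, worked through in code. This is an added example, not code from the article or from the Tor Project: the cipher is a toy SHA-256 counter-mode keystream standing in for the AES-CTR that Tor actually uses, the per-layer format (a 16-byte next-hop field followed by the inner box) is invented for illustration, and the per-relay keys are simply generated up front rather than negotiated through the circuit as Tor does. Alice wraps her package once per relay, each relay strips exactly one layer and records only the hop it came from and the hop it goes to, and Bob sees nothing but the last relay. The same path run with a single intermediary shows why Carol alone is not enough.

```python
import hashlib
import os

# Constructed toy layer format: fixed 16-byte next-hop field, then the inner box.
HOP_FIELD = 16
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for the AES-CTR Tor really uses."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Put plaintext in a box only the holder of `key` can open (nonce prepended).
    Toy cipher: no integrity tag; Tor checks integrity at the circuit end."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def open_box(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def make_keys(path):
    # In Tor, Alice negotiates one session key per relay through the circuit itself,
    # so Carol never sees Dan's key. Here (assumption) the keys are generated up front.
    return {relay: os.urandom(32) for relay in path}


def build_onion(path, keys, destination, payload):
    """Wrap innermost-first: Evan's box names Bob, Dan's box names Evan, and so on."""
    inner, next_hop = payload, destination
    for relay in reversed(path):
        assert len(next_hop.encode()) <= HOP_FIELD, "hop name too long for toy format"
        layer = next_hop.encode().ljust(HOP_FIELD, b"\0") + inner
        inner = seal(keys[relay], layer)
        next_hop = relay
    return inner  # the outermost box, handed to path[0]


def relay_peel(relay, key, blob, received_from, log):
    """A relay strips exactly one layer and learns only the previous and next hop."""
    layer = open_box(key, blob)
    next_hop = layer[:HOP_FIELD].rstrip(b"\0").decode()
    log.append((relay, received_from, next_hop))   # all this relay ever sees
    return next_hop, layer[HOP_FIELD:]


def send_forward(path, keys, sender, destination, payload):
    """Returns (what Bob receives, who Bob thinks sent it, every relay's view)."""
    blob = build_onion(path, keys, destination, payload)
    log, prev, hop = [], sender, path[0]
    while hop != destination:
        hop_next, blob = relay_peel(hop, keys[hop], blob, prev, log)
        prev, hop = hop, hop_next
    return blob, prev, log


def send_reply(path, keys, reply):
    """On the way back each relay adds its own box; only Alice holds every key."""
    blob = reply
    for relay in reversed(path):          # Evan boxes first, Carol last (outermost)
        blob = seal(keys[relay], blob)
    return blob


def alice_unwrap(path, keys, blob):
    for relay in path:                    # peel Carol's box, then Dan's, then Evan's
        blob = open_box(keys[relay], blob)
    return blob


def relays_seeing_both_ends(log, sender, destination):
    """Which relays could link sender to destination from what passed through them?"""
    return [r for r, came_from, went_to in log
            if {came_from, went_to} == {sender, destination}]


if __name__ == "__main__":
    for path in (["Carol"], ["Carol", "Dan", "Evan"]):
        keys = make_keys(path)
        got, seen_from, log = send_forward(path, keys, "Alice", "Bob", b"hello Bob")
        print("path", path, "-> Bob received", got, "apparently from", seen_from)
        for entry in log:
            print("  relay %s saw: from %s -> to %s" % entry)
        print("  relays that could link both ends:",
              relays_seeing_both_ends(log, "Alice", "Bob"))
        print("  Alice received:",
              alice_unwrap(path, keys, send_reply(path, keys, b"hello Alice")))
```

With the three-relay path no entry in the log pairs Alice with Bob, which is the property the extra intermediaries buy; with Carol alone, Carol’s single log entry is enough to expose Alice, which is the pressure point described in the text.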

Tor can also be used to host “hidden services”, their location unknown to users. The most (in)famous is the Silk Road marketplace, which turns over about US$15 million a year, an estimated 70% of it illegal drugs. But like any tool, Tor is neutral. It can protect the identity of freedom fighters, whistleblowers, journalists’ sources, undercover cops or people simply wishing to retain their privacy, as well as that of criminals and enemy spies.

With your internet data being bounced randomly all over the world multiple times, and with all the maths-heavy encryption and decryption along the way, browsing the web through Tor is substantially slower than a direct connection. But the benefit is that for an outside observer, unravelling who’s connecting to what becomes an extremely difficult task.

Can it be cracked?

It’s not impossible. For a start, Tor users have to drastically change their habits to avoid revealing their internet address by other means. It’s long been known that nearly everyone’s specific configuration of web browser, plugins and so forth is unique, meaning it can be used as a fingerprint to identify your computer. Forgetting to use Tor when visiting just one website, which then logs your internet address, could provide the one correlating data point investigators need.

That’s how the FBI tracked Hector Xavier Monsegur, aka “Sabu”, a key member of the LulzSec hacker crew, to his New York apartment. As “cyber-insecurity expert” Robert Graham wrote:

“Just once, he logged onto IRC [internet relay chat] without going through Tor, revealing to the FBI his IP [internet] address. This reveals a little bit about the FBI, namely that they’ve infiltrated enough of the popular IRC relays to be able to get people’s IP addresses. We’ve always suspected they could, now we know.”
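What that single slip looks like from the server side, as an added example that is not part of the article: a short script that reads a connection log and, for every account that normally arrives through Tor exit relays, reports any non-exit address it was also seen from. The log lines, the “date time nick ip” format and the exit-relay list are all constructed for the example (the addresses come from documentation ranges, and the list is not a real Tor exit list); a real investigator would use the published exit list for the relevant dates and whatever identifier the service records, whether an IRC nick, a login or a session cookie. The same check is what a Tor user auditing their own OPSEC would run over their own server or proxy logs.

```python
import re
from collections import defaultdict

# Constructed log format: "<date> <time> <nick> <ip>", one connection per line.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<nick>\S+) (?P<ip>\S+)$")

# Hypothetical exit-relay addresses (documentation range), standing in for the
# published Tor exit list for the period covered by the log.
TOR_EXITS = {"198.51.100.7", "198.51.100.23", "198.51.100.91"}

# Constructed sample: "sabu" always comes through an exit except for one connection.
SAMPLE_LOG = """\
2013-08-10 13:02:11 sabu 198.51.100.7
2013-08-10 14:40:02 anon7 198.51.100.23
2013-08-11 02:15:49 sabu 198.51.100.91
2013-08-11 02:16:30 sabu 203.0.113.45
2013-08-11 09:00:12 dave 203.0.113.77
2013-08-12 22:31:05 sabu 198.51.100.23
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def find_slips(log_text, exit_ips):
    """Map each nick that usually arrives via Tor to the non-exit addresses it
    was also seen from, with the timestamp of each slip.  Nicks that never used
    Tor (nothing to correlate) and nicks that never slipped are left out."""
    via_tor = defaultdict(int)
    direct = defaultdict(dict)          # nick -> {ip: first time seen directly}
    for e in parse(log_text):
        if e["ip"] in exit_ips:
            via_tor[e["nick"]] += 1
        else:
            direct[e["nick"]].setdefault(e["ip"], e["date"] + " " + e["time"])
    return {nick: direct[nick] for nick in via_tor if direct.get(nick)}


if __name__ == "__main__":
    for nick, ips in find_slips(SAMPLE_LOG, TOR_EXITS).items():
        for ip, when in ips.items():
            print("%s: seen via Tor exits, but once directly from %s at %s" % (nick, ip, when))
```

The point is not that the correlation is clever: it is that one direct connection among dozens through Tor is all the script needs, and the Tor connections cannot be used to dispute it.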

A Tor user could also be persuaded to visit a website that infected his or her computer with malware that reported its address or even scoured it for personal information — in our pass-the-parcel scenario that’s like Bob sending back a package with a hidden camera or some other booby trap. Or some of the 4000 Tor nodes could effectively be double agents, reporting back data from inside the system that could make it easier to unravel the connections.

Which brings us to Marques, a 28-year-old Dublin resident who was arrested earlier this month on charges that he is, in the words of the FBI, “the largest facilitator of child p-rn on the planet”. According to a blog post by the Tor Project’s executive director Andrew Lewman, Freedom Hosting, a provider that specialises in Tor hidden services and from which, it is alleged, Marques’ services were operating, had been hacked and was attempting to infect visitors’ computers — exactly that booby-trapped package scenario.

Do “legitimate” users need to worry?

While taking down an alleged child p-rnographer is a clear win, this should also serve as a wake-up call to “legitimate” Tor users, according to security and intelligence commentator John Little in a post at his fine Blogs of War entitled “Tor and the Illusion of Anonymity”:

“Tools are not perfect and in the case of widely used tools like Tor they are also incredibly high-profile targets. Intelligence and law enforcement agencies are in search of secrets and they will go wherever those are found. They will crack open those layers of secrecy whatever the cost.

If you think you can subscribe to a VPN, fire up Tor, and take on a world power you are in for a very rude awakening.”

Indeed, Bangkok-based security researcher “The Grugq” explains the complexities of online operational security (OPSEC, as spooks call it) at his blog Hacker OPSEC and in presentations like OPSEC for Hackers:

“The financial cost of compromising the Tor network is not even a rounding error in a nation state budget. Furthermore, Tor is not new. It isn’t as if nation state level adversaries just woke up last week, ‘Holy shit, this Tor thing! We better get on that!’. It is conceivable that a nation state has been setting up cover organisations, using agents, and compromising existing hosts for years with the sole goal of subverting the security of the Tor system.”

As Little puts it:

“Online anonymity is still possible but it is not something within the grasp of the casual user and it is not available via a simple software solution. You have to work for it, you have to have technical expertise, you have to sacrifice time and online social interaction.”

Stilgherrian adds: An earlier version of the headline on this story read as if the FBI had hacked Tor. As far as we know, this isn’t the case. The FBI appears to have hacked the computers of some Tor users by exploiting a month-old vulnerability in the Firefox web browser, the version of which bundled with Tor (the Tor Browser Bundle) had not yet been updated on the victims’ machines. There’s a message there about updating all your software promptly, whoever you are.

  • 1
    Posted Tuesday, 13 August 2013 at 2:14 pm | Permalink

    Thanx for this explanation, which I found most helpful. Why did the US Naval Research Laboratory release the Onion Router to the public?

  • 2
    Malcolm Street
    Posted Wednesday, 14 August 2013 at 7:41 am | Permalink

    Another thanks for an excellent intro - just what a Clarifier should be. Gavin - What better way to keep track of people who have stuff to hide than to release a “secure” network that you’ve embedded back doors in.

  • 3
    Posted Wednesday, 14 August 2013 at 7:44 am | Permalink

    An intriguing suggestion Malcolm, thanx.

  • 4
    himi
    Posted Wednesday, 14 August 2013 at 9:16 am | Permalink

    I expect it was a result of the US government policy that all publicly funded research should be put into the public domain - one of the things that they get right when compared to the way we do things here in Australia.

    himi

  • 5
    Posted Wednesday, 14 August 2013 at 4:45 pm | Permalink

    We’ve just made an edit to the headline and subhead paragraph of this story to make it clear that the FBI didn’t hack the Tor network itself — at least as far as is known — but the computers of various users.

    As an analogy, the bandits didn’t rob the train, they caught the train to the hidden city and robbed its bank, catching the train back again.

    @Gavin Moodie: Yep, himi has it right. The US NRL is a basic science establishment, so the rules for government-funded academic research apply. They do the science, and then defence contractors secretly use that science to engineer new technology.
