For several years, FBI agents have been taking an unusual approach to detective work online – using malware against suspects who have not been proven guilty, just visited the wrong site.
Wired’s Kevin Poulsen has a detailed analysis of the attacks, and their context: “For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”
If true, the technique is at least controversial, and possibly questionable in legal terms. The technique, which Poulsen’s sources claim has been in use for years, relies on a “drive-by download” where site visitors are infected with malware – in this case, to de-anonymize users of child pornography sites.
Most high-profile arrests of the administrators of Tor “hidden service” sites have relied on alleged perpetrators leaking information in the real world – as in the case of the arrest of alleged Silk Road founder Ross Ulbricht.
Tor’s security – best understood as a layered onion skin – hence the name ‘Onion Router’ – bounces signals round thousands of relays, making sites and users hard to trace.
It is claimed that the FBI malware not only logged MAC addresses, but persisted on victim computers for years after they had visited “hidden services” alleged to host child pornography.
Designed with the help of U.S. military experts, The Tor Project is still heavily funded by the U.S. government – even the NSA grudgingly admits it is “the king” of anonymity – but its dark web sites are now full of discussions about thieves, informers, hackers, and PGP keys.
Tor is a privacy tool which allows users to access “hidden” sites, with the .onion suffix, which cannot be accessed via regular web browsers – users instead use customized bundles of open-source browsers. It’s used by political activists – but also plays host to markets selling child pornography, hacked data, drugs and weaponry.
Forbes commented: “Because looking at child porn is a crime, it’s a fairly unobjectionable deployment of FBI spyware but the method — which the FBI calls the “network investigative technique” — raises questions about when else law enforcement might feel it has the right to drop spyware on your computer just for visiting a website. Will browsing an online drug bazaar get you reported to the cops even if you don’t buy?”
Tor has been in the news constantly after an alleged attack aimed at de-anonymizing users, which was due to be part of a presentation at Black Hat 2014, but was pulled amid legal concerns.
“This is such a big leap, there should have been congressional hearings about this,” says ACLU technologist Chris Soghoian, an expert on law enforcement’s use of hacking tools. “If Congress decides this is a technique that’s perfectly appropriate, maybe that’s OK. But let’s have an informed debate about it.”
Several high profile arrests have been linked to suspected outbreaks of ‘de-anonymizing’ malware on Tor. 28-year-old Eric Eoin Marques, described as “the largest facilitator of child porn on the planet”, was arrested after unknown software harvested PC MAC addresses and sent them to a remote webserver.
It’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services,” Tor said in its official post.
Wired’s Threat Level blog claimed the information was being sent to an address in Virginia, home of the FBI.
Poulsen’s in-depth report claims that agents installed the malware on “hidden services” after arresting an American man for hosting child pornography. Visitors to his sites then had their MAC and IP address logged – big news on Tor. Poulsen reports that “over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result” according to Gizmodo.
Slashdot users were dismissive – one said ,”In a nutshell, they simply had any computer that contacted the web site send back the computer’s real IP address and its MAC address. The actual security of the Tor wasn’t affected. Just that compromising information was sent through the Tor network. Just as any other data would be sent through the Tor network.”
Author Rob Waugh, We Live Security