FBI Mum on How Exactly It Hacked Tor


The FBI has refused to comply with a judge’s request to describe how it was able to compromise Tor and trigger a wave of child pornography investigations last year.

As Apple’s attorneys mull over their legal options for having the FBI explain how it hacked Syed Farook’s iPhone, a separate case playing out involving the security service and the anonymity software Tor may have a hand in predicting the outcome.

According to a court filing earlier this week, the FBI is refusing to comply with a judge’s request to answer just how it was able to compromise Tor and in turn, trigger a wave of child pornography investigations last year.

The FBI urged the judge, Robert J. Bryan, to reconsider his request in a document, filed with the United States District Court for the Western District of Washington at Tacoma.

As a result of one of those investigations, Jay Michaud, a public school teacher from Vancouver, Wash., was arrested and charged with child pornography possession in July 2015. Michaud was one of 137 charged following a sting the FBI staged in February that year in which it monitored “Playpen,” a child pornography site hosted on the dark web.

After it seized servers belonging to “Playpen,” the agency hosted the site on its own servers for 13 days to spy on patrons.

To do so, the FBI carried out a NIT, or network investigative technique, and bypassed Tor to gather IP addresses, MAC addresses, and other bits of information on the suspects. Judge Bryan issued an order in February asking the FBI to explain how exactly it was able to subvert Tor. The order was prompted partly because lawyers for Michaud argued that some parts of the code the agency initially disclosed appeared to be absent.

The attorneys, assisted by Vlad Tsyrklevitch, an expert recruited by the defense, reasoned that the FBI should willingly share all of the code it used to hack Michaud’s computer.

“This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud’s computer, beyond the one payload that the Government has provided,” the lawyers wrote in a filing at the time.

In the document filed this week, Daniel Alfin, a Special Agent with the FBI, wrote that disclosing the exploit would say nothing about what happened after the FBI was on his machine.

Alfin rationalizes that the exploit the FBI used to deliver the NIT that was able to bypass the security protections on Michaud’s computer is not necessary to their case.

“Knowing how someone unlocked the front door provides no information about what that person did after entering the house,” Alfin wrote. “Determining whether the government exceeded the scope of the warrant thus requires an analysis of the NIT instructions delivered to Michaud’s computer, not the method by which they were delivered.”

For what it’s worth, Alfin even offered to show Tsyrklevitch a copy of the data stream Michaud’s computer sent to the government after the NIT was executed. He claims the stream would help verify that the identifier – a mark assigned to his addresses – was unique and that there were no duplicate identifiers.

It’s the latest issue to make headlines involving the FBI allegedly manipulating Tor in the last year. Officials with the Tor Project called out the agency last summer for allegedly paying Carnegie Mellon University $1 million to uncloak Tor users and reveal their IP addresses. A federal judge ultimately confirmed their suspicions in February this year in a motion to compel discovery. Judge Richard A. Jones said the IP address of Brian Farrell, who had been accused of running the now defunct Silk Road 2.0 website, was ferreted out by researchers at the Software Engineering Institute (SEI) and given to the FBI after it subpoenaed Carnegie Mellon University.

The anonymity tool has proved invaluable for embattled users and journalists in countries that censor or repress their citizens, but its use as a tool by attackers in spam and fraud campaigns has made it a constant target for authorities.

According to research published by DNS provider Cloudflare this week, 94 percent of the requests it sees come across Tor are intrinsically malicious.

Matthew Prince, the company’s CEO, claims his developers regularly observe instances of comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning – so much so that the service has taken to treating Tor traffic like it comes from its own country, at least in the sense that it recently began allowing its customers to do things like whitelist Tor traffic or force Tor users to fill out CAPTCHAs.

CAPTCHAs aren’t ideal by any measure and are really a pain, Prince claims, but he acknowledges the company is working on a better way to differentiate human Tor traffic from automated Tor traffic, and on the puzzles it supplies those users, going forward.

Needless to say, it’s been a struggle for Cloudflare to find a balance between anonymity and security and that’s forced the company’s hand into sacrificing convenience for those users, Prince claims.

“While we could probably do things using super cookies or other techniques to try to get around Tor’s anonymity protections, we think that would be creepy and choose not to because we believe that anonymity online is important,” Prince said. “Unfortunately, that then means all we can rely on when a request connects to our network is the reputation of the IP and the contents of the request itself.”
