FBI Mum on How Exactly It Hacked Tor

The FBI has refused to comply with a judge’s request to describe how it was able to compromise Tor and trigger a wave of child pornography investigations last year.

As Apple’s attorneys mull over their legal options for having the FBI explain how it hacked Syed Farook’s iPhone, a separate case playing out involving the security service and the anonymity software Tor may have a hand in predicting the outcome.

According to a court filing earlier this week, the FBI is refusing to comply with a judge’s request to answer just how it was able to compromise Tor and in turn, trigger a wave of child pornography investigations last year.

The FBI urged the judge, Robert J. Bryan, to reconsider his request in a document, filed with the United States District Court for the Western District of Washington at Tacoma.

As a result of one of those investigations, Jay Michaud, a public school teacher from Vancouver, Wash., was arrested and charged with child pornography possession in July 2015. Michaud was one of 137 charged following a sting the FBI staged in February that year in which it monitored “Playpen,” a child pornography site hosted on the dark web.

After it seized servers belonging to “Playpen,” the agency hosted the site on its own servers for 13 days to spy on patrons.

To do so, the FBI carried out a NIT, or network investigative technique, and bypassed Tor to gather IP addresses, MAC addresses, and other bits of information on the suspects. Judge Bryan issued an order in February asking the FBI to explain how exactly it was able to subvert Tor. The order was prompted partly because lawyers for Michaud argued that some parts of the code the agency initially disclosed appeared to be absent.

The attorneys, assisted by Vlad Tsyrklevitch, an expert recruited by the defense, reasoned that the FBI should willingly share all of the code it used to hack Michaud’s computer.

“This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud’s computer, beyond the one payload that the Government has provided,” the lawyers wrote in a filing at the time.

In the document filed this week, Daniel Alfin, a Special Agent with the FBI, wrote that disclosing the exploit would say nothing about what happened after the FBI was on Michaud’s machine.

Alfin argues that the exploit the FBI used to deliver the NIT, which bypassed the security protections on Michaud’s computer, is not necessary to the defense’s case.

“Knowing how someone unlocked the front door provides no information about what that person did after entering the house,” Alfin wrote. “Determining whether the government exceeded the scope of the warrant thus requires an analysis of the NIT instructions delivered to Michaud’s computer, not the method by which they were delivered.”

For what it’s worth, Alfin even offered to show Tsyrklevitch a copy of the data stream Michaud’s computer sent to the government after the NIT was executed. He claims the stream would help verify that the identifier – a mark assigned to his addresses – was unique and that there were no duplicate identifiers.

It’s the latest issue to make headlines involving the FBI allegedly manipulating Tor in the last year. Officials with the Tor Project called out the agency last summer for allegedly paying Carnegie Mellon University $1 million to uncloak Tor users and reveal their IP addresses. A federal judge ultimately confirmed their suspicions in February this year in a motion to compel discovery. Judge Richard A. Jones said the IP address of Brian Farrell, who had been accused of running the now defunct Silk Road 2.0 website, was ferreted out by researchers at the Software Engineering Institute (SEI) and given to the FBI after it subpoenaed Carnegie Mellon University.

The anonymity tool has proved invaluable for embattled users and journalists in countries that censor or repress their citizens, but its use as a tool by attackers in spam and fraud campaigns has made it a constant target for authorities.

According to research published by DNS provider Cloudflare this week, 94 percent of the requests it sees come across Tor are intrinsically malicious.

Matthew Prince, the company’s CEO, claims his developers regularly observe instances of comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning, so much so that the service has taken to treating Tor traffic as if it came from its own country, at least in the sense that it recently began allowing customers to do things like whitelist Tor traffic or force Tor users to fill out CAPTCHAs.

CAPTCHAs aren’t ideal by any measure, and are frankly a pain, Prince acknowledges, but he says the company is working on a better way to differentiate human Tor traffic from automated Tor traffic, and on improving the puzzles it serves, going forward.

Needless to say, it’s been a struggle for Cloudflare to find a balance between anonymity and security and that’s forced the company’s hand into sacrificing convenience for those users, Prince claims.

“While we could probably do things using super cookies or other techniques to try to get around Tor’s anonymity protections, we think that would be creepy and choose not to because we believe that anonymity online is important,” Prince said. “Unfortunately, that then means all we can rely on when a request connects to our network is the reputation of the IP and the contents of the request itself.”

  • MajorLunaC on

    "The anonymity tool has proved invaluable for embattled users and journalists in countries that censor or repress their citizens" - So shouldn't the method the FBI used be considered a vulnerability? And by not disclosing it, doesn't the FBI put in danger the lives of those "embattled users and journalists in countries that censor or repress their citizens"? Now that other countries know it can be done, they will find out how, and hunt down whoever they please, not just criminals.
  • BT7474 on

    Replying to Threatpost's email asking me if I want to reply to 'FBI Mum on How Exactly It Hacked Tor' by Chris Brook. The more I analyse the FBI's Trojan Case the more ironical (funny and stupid) it is. It appears to be a case of the blind following the blind, and a complete fiasco. The FBI initiating the Court Case was extremely stupid, for example because it is now obvious to any competent hackers that the FBI is completely out of their league. It wouldn't surprise me if the attacks on the FBI will be escalated. Apple fighting principally on 'Privacy' is also dumb. This is because only an idiot or cretin would try to defend a virtually entirely losing strategy, 'Privacy'. I would principally attack or counter-attack by highlighting the actual dangers involving terrorists and criminals killing probably at least thousands of people annually extra - creating bombs from, for example, most electronic things or things with electronics included: airplanes, toys, cars, traffic lights, TVs, computers (I am certain that counterfeit parts were found on Air Force One in the past, which was a security risk, which means that backdoors, demanded by the FBI, would also be a security risk), etcetera - Backdoors would also make it easier to steal from, for example, stockmarkets, banks, financial institutions, and companies, etcetera - Offshore banks would virtually be obsolete. Apple was lucky that the FBI didn't continue the case, because it is 99% certain that Apple would have lost. This is because the police in, for example, the UK and USA could easily find judges that would rubber stamp warrants, even probably without reading the warrant. Anything based on National Security definitely would probably be rubber stamped unless Apple has an excellent counter-attack, for example that many more people including security staff would be killed or stockmarkets and international banks would lose trillions with the public being aware of the loss.
    It wouldn't surprise me if the story about the FBI being mum was because it knew how it was done, because it shouldn't take long for somebody to either hack the FBI or the organization that solved the problem, or for members of the FBI to tell the wrong person directly or indirectly. Only cretins, really stupid idiots with the lack of Cyber War expertise that the FBI has, would trust the FBI to be able to secure the solution directly or indirectly. Therefore, if Apple wants to win it has to wake up and smell the coffee - highlight all of the real bullet points, because fighting the case virtually just on Privacy loses. There are far too many problems for the security forces around the world to create more problems. Especially when there are too many problems at the moment, for example Stagefright probably still affecting 95% = 950 million Android devices, which most people are unaware of.
