The critical vulnerability in the TAILS operating system discovered by researchers at Exodus Intelligence lies in the I2P software that’s bundled with the OS and the company has released some details and a video demonstrating an exploit against the bug. Exodus researchers said that the vulnerability can be used for remote code execution as well as de-anonymization of targeted users on TAILS.
I2P is an anonymity network, somewhat analogous to Tor, that encrypts all of its communications from end to end and enables private and anonymous use of the Internet and resources such as email, chat and Web browsing. Unlike Tor, however, I2P is a packet switched network, rather than a circuit switched one, and the communications its users send and receive are message-based. Each I2P node has an identical level of importance in the network and there are no central servers routing traffic.
Exodus researchers said that the flaw they discovered is present in TAILS for several versions, meaning its effect could be quite widespread.
“The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work,” the Exodus team wrote in a post explaining a bit about the flaw.
The company disclosed the details of the vulnerability to the TAILS team on Wednesday, shortly before publishing the outline of the problem. Some in the security community criticized Exodus for not disclosing the bug to the TAILS developers earlier, given the nature of the software and the fact that it’s used by people in sensitive situations with acute needs for privacy and anonymity. Version 1.1 of TAILS was released on Tuesday, and the vulnerability Exodus discovered was not fixed in that release.
Part of Exodus’s business model includes selling vulnerability details to private customers for offensive and defensive purposes. Aaron Portnoy, co-founder and vice president of Exodus, said the company was not selling the TAILS vulnerability and was mainly interested in bringing attention to the fact that no software should be considered secure, even tools such as TAILS.
“Our main goal…was to bring attention to the fact that no software is infallible and those seeking anonymity should not blindly trust a software recommendation (even if it is from Snowden),” Portnoy said via email.
“Disclosure of vulnerabilities takes many forms, particularly their shape is adapted to the landscape that the platform is used upon. In the past at Exodus Intelligence, we’ve felt that significant vulnerabilities have been disregarded and have not had the requisite exposure. Through appropriate airing of the issue, we feel that users of such security platforms may come to understand the risks in base-level trust,” Exodus said in its post.
“Even further we hope to break the mold of unconditional trust in a platform. Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security. It’s not enough to have faith upon security, rather to have an understanding of it. If the public thinks Exodus is one of a few entities finding bugs in software, they are grossly misinformed. As is the case with all vulnerabilities we report to vendors, we do not ask for any remuneration. All flaws that we give to vendors are given free of charge. All accusations of extortion perpetuated by those unfamiliar with our business model are completely unfounded.”
Representatives of the TAILS project did not respond to an email requesting a comment.