The TOR Project's (The Onion Router) ability to protect its users' anonymity has been in question for quite a while. The FBI has remained understandably tight-lipped about how it managed to uncover the information that led to the IP address and subsequent capture of Ross Ulbricht, the owner of the Silk Road. A later investigation, code named Operation Onymous, was immensely successful as well. With the cooperation of several agencies, authorities were able to take down Silk Road 2.0 and a top staffer there, as well as several other darknet marketplaces (over 400 URLs representing 27 unique sites).
Questioning the FBI’s Source of Information
After being in the dark for quite some time, light has finally been shed on how agencies like the FBI have been able to deanonymize TOR so successfully. According to court documents reviewed by Vice Motherboard the FBI enlisted a ‘university-based research institute’ in order to crack into the TOR program and deanonymize users.
The court documents were submitted for the case of Brian Richard Farrell, who was a high-ranking staff official at Silk Road 2.0. According to Vice Motherboard, the search warrant that was carried out in January of this year says that an FBI "Source of Information" provided "reliable IP addresses for Tor and hidden services such as SR2" from January 2014 to July 2014. The document went on to say, "The SOI [source of information] also identified approximately 78 IP addresses that accessed a vendor .onion address."
Then, on October 12, 2015, the defense for Mr. Farrell filed a surprising motion. The motion for further discovery about the warrant reads, "…the government provided defense counsel a letter indicating that Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0."
However, the government has yet to provide further information.
The Plot Thickens
This raised red flags with the head of the TOR project. For one thing, in the last week of July 2014, TOR announced via blog post that they had "found a group of relays that we assume were trying to deanonymize users."
The post goes on to say that (emphasis mine) “The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.”
To add to the mounting coincidences, a high-profile talk at the Black Hat hacking conference, scheduled for the following month of August 2014, was cancelled by the CERT team at Carnegie Mellon University. The name of the briefing? "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget." The talk planned to unveil how you could unmask TOR hidden services and users with a measly $3,000 worth of equipment, and it exploited, coincidentally enough, the same vulnerability that TOR had discovered and patched in July.
In a blog post on November 11th, 2015, the TOR project pointed out consistencies between the FBI's SOI (the "university-based research institute") and an attack on TOR during the same time frame.
The TOR post even goes as far as to claim that the team at Carnegie Mellon University received a million dollar payment from the FBI for their assistance in providing the IP addresses. However, the source is unnamed.
For now there is no hard or forensic evidence to definitively link CMU to hacking TOR, but all signs are pointing in their direction.
Coincidences and Allegations
However, assuming that it is true that CMU carried out the attack on behalf of the FBI, the problem with this type of unethical behavior is that it blurs the line between research and investigation.
As the TOR project put it, "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."
There is no evidence as of yet that there was any warrant from the government’s side or institutional oversight from CMU’s side during the course of the hacking. The TOR project posted, “We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.”
This kind of behavior foreshadows a creepy future, one in which the government can use the ploy of research through educational institutions in order to circumvent investigative regulations, essentially "outsourcing police work," as the blog post puts it. Those at the TOR project have never been against private security research that takes place in a responsible manner. They even work with authorities to support ethical investigations. But, as the post says, "the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of 'legitimate research'."
This mass surveillance is exactly the reason why the TOR project was created and has been so popular. Simply using the “veneer of a law enforcement investigation” to again put every user’s privacy at risk only moves the clock backwards. There is a time, place, and method for conducting legitimate research, via Institutional Review Boards and proper oversight.
Neither Confirming nor Denying the Attack on The TOR Project
The response from CMU did not ease any doubt about what exactly happened. If anything, it only reinforces the claims made by the TOR project.
In response, Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, cryptically said, “I’d like to see the substantiation for their claim, I’m not aware of any payment.”
You can follow the author @FreelanceTony