Feds used Adobe Flash to identify Tor users visiting child porn sites

A little more than 16 months ago, word emerged that the FBI exploited a recently patched Firefox vulnerability to unmask Tor users visiting a notorious child pornography site. It turns out that the feds had waged an even broader uncloaking campaign a year earlier by using a long-abandoned part of the open source Metasploit exploit framework to identify Tor-using suspects.

The Decloaking Engine went live in 2006 and used five separate methods to break anonymization systems. One method was an Adobe Flash application that initiated a direct connection with the end user, bypassing Tor protections and giving up the user's IP address. Tor Project officials have long been aware of the vulnerability and strenuously advise against installing Flash. According to Wired:

The decloaking demonstration eventually was rendered obsolete by a nearly idiot-proof version of the Tor client called the Tor Browser Bundle, which made security blunders more difficult. By 2011, Moore says virtually everyone visiting the Metasploit decloaking site was passing the anonymity test, so he retired the service. But when the bureau obtained its Operation Torpedo warrants the following year, it chose Moores Flash code as its network investigative techniquethe FBIs lingo for a court-approved spyware deployment.

Torpedo unfolded when the FBI seized control of a trio of Dark Net child porn sites based in Nebraska. Armed with a special search warrant crafted by Justice Department lawyers in Washington DC, the FBI used the sites to deliver the Flash application to visitors browsers, tricking some of them into identifying their real IP address to an FBI server. The operation identified 25 users in the US and an unknown number abroad.

Gross learned from prosecutors that the FBI used the Decloaking Engine for the attack they even provided a link to the code on Archive.org. Compared to other FBI spyware deployments, the Decloaking Engine was pretty mild. In other cases, the FBI has, with court approval, used malware to covertly access a targets files, location, web history and webcam. But Operation Torpedo is notable in one way. Its the first timethat we know ofthat the FBI deployed such code broadly against every visitor to a website, instead of targeting a particular suspect.

The tactic is a direct response to the growing popularity of Tor and, in particular, an explosion in so-called hidden servicesspecial websites, with addresses ending in .onion, that can be reached only over the Tor network.

Hidden services are a mainstay of the nefarious activities carried out on the so-called Dark Net, the home of drug markets, child porn, and other criminal activity. But theyre also used by organizations that want to evade surveillance or censorship for legitimate reasons, like human rights groups, journalists, and, as of October, even Facebook.

A big problem with hidden service, from a law enforcement perspective, is that when the feds track down and seize the servers, they find that the web server logs are useless to them. With a conventional crime site, those logs typically provide a handy list of Internet IP addresses for everyone using the site quickly leveraging one bust into a cascade of dozens, or even hundreds. But over Tor, every incoming connection traces back only as far as the nearest Tor nodea dead end.

Taken together, Operation Torpedo and the campaign used last year to identify Tor-using child porn suspects demonstrate the determination feds show in bypassing Tor protections. They also underscore the feds' rapidly growing skill. Whereas Operation Torpedo abused a six-year-old weakness that ensnared only people who ignored strenuously repeated advice, the latter operation exploited a vulnerability that had only recently been patched in Firefox.

Read the original here:
Feds used Adobe Flash to identify Tor users visiting child porn sites