Inside the Tor exploit

Some of the people who were most concerned about Internet privacy, and were using the Tor anonymous Internet service to protect it, may have been the most exposed.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Everyone agrees that child pornography is evil. Along the way to tracking down Eric Eoin Marques, whom the FBI has called "the largest facilitator of child porn on the planet," the government agency, with the possible assistance of the NSA, broke into the Tor anonymous network, injected JavaScript malware into the Tor-specific version of Firefox, and obtained the Internet addresses of untold numbers of Tor users.

Here's how it was done.

Tor, which the Electronic Frontier Foundation (EFF) recommends for helping you "protect your anonymity while using the Internet," is made up of two parts: the software and the Tor network.

The software, known as the Tor Browser Bundle (TBB), has as its main component a customized version of the Mozilla Firefox Extended Support Release (ESR). It can be used on Linux, Mac OS, and Windows.

The network is made up of Internet routers run by volunteers who believe in the value of Internet anonymity. These routers are also known as relays.

When you first use Tor, your traffic is encrypted and bounced from one Tor relay to another. (Credit: EFF)

When you start using Tor, your Internet traffic, instead of going directly to the Web site you want to visit, is encrypted and goes to a Tor relay. Once there your traffic goes from one relay to another and then finally re-enters the ordinary Internet and arrives at your destination. The return traffic then follows a similar path back to you.

When you move to another site, your traffic takes a new encrypted path over the Tor network. (Credit: EFF)

If you then move on to another site, a new path is made over the available Tor relays to take you to your next Web site. What all this means is that if someone tries to backtrack you to your home IP address, they'll only get as far as the last Tor relay before losing you.

By using both encryption and multiple anonymous links, Tor was designed both to prevent your traffic from being read and to make it impossible to use traffic analysis to determine what you were doing on the Web.

Some of the Tor routers are servers as well, which can only be reached over Tor. These are known as "hidden services."

According to Tor, with a hidden service it's "possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor 'rendezvous points,' other Tor users can connect to these hidden services, each without knowing the other's network identity. This hidden service functionality could allow Tor users to set up a website where people publish material without worrying about censorship. Nobody would be able to determine who was offering the site, and nobody who offered the site would know who was posting to it." In short, while Tor offered anonymity to its users, Tor's hidden services offered anonymity to relay owners.

That was the theory anyway. It didn't work out that way.

Tor states that "There is no central repository nor registry of addresses" of these hidden service relays. "The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."

That's pretty much what happened, except that it was a malicious bit of JavaScript.

The FBI, possibly with the assistance of the NSA and the private security contractor SAIC, broke into hidden service servers and planted JavaScript malware on them. Among the hidden service sites it did this with was Marques' Freedom Hosting server. Once there, the sites infected any visitors using the TBB Firefox browser.

This exploit used a known and patched Firefox security hole. Mozilla had fixed this hole in its latest browser, Firefox 21, and in Firefox ESR 17.0.7. Not all versions of Firefox shipping with the TBB, however, had been patched, according to Daniel Veditz, Mozilla's security lead.

The malware seems to have been in place for several weeks. While the exploit could have been used to do anything up to and including taking over a system, all it did was "collect the hostname and MAC [media access control] address of the victim computer [and] send that to a remote Web-server over a non-Tor connection, and then crash or exit."
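The tell-tale sign of this payload was the non-Tor connection: a Tor Browser that is behaving correctly only ever talks to the local Tor SOCKS proxy, never directly to the Internet. The following Python is an added example (not from the article or the Tor Project) that scans a constructed per-process connection log and flags any connection from the browser process that did not go to that proxy; the process name, the log format and the SOCKS ports are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample connection log (not real data). Format assumed:
# "<timestamp> <process> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2013-08-04T10:12:01Z firefox.exe -> 127.0.0.1:9150 tcp
2013-08-04T10:12:02Z firefox.exe -> 127.0.0.1:9150 tcp
2013-08-04T10:12:09Z firefox.exe -> 203.0.113.45:80 tcp
2013-08-04T10:12:10Z tor.exe -> 198.51.100.7:443 tcp
2013-08-04T10:12:11Z chrome.exe -> 203.0.113.9:443 tcp
"""

# Assumptions: TBB's Firefox runs as firefox.exe and reaches Tor only through
# the bundled SOCKS listener on loopback (9150 for TBB, 9050 for a system tor).
TOR_BROWSER_PROCESSES = {"firefox.exe"}
TOR_SOCKS_ENDPOINTS = {("127.0.0.1", 9150), ("127.0.0.1", 9050)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+->\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>\w+)$"
)

@dataclass(frozen=True)
class Connection:
    ts: str
    process: str
    dst_ip: str
    dst_port: int
    proto: str

def parse_log(text):
    """Parse log lines into Connection records, skipping lines that don't match."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append(Connection(m["ts"], m["proc"], m["ip"],
                                    int(m["port"]), m["proto"]))
    return conns

def find_proxy_bypass(conns):
    """Browser connections that did not go to the local Tor SOCKS port.
    Each one is a proxy bypass, the channel the payload used to send the
    hostname and MAC address to its remote server outside Tor."""
    return [c for c in conns
            if c.process in TOR_BROWSER_PROCESSES
            and (c.dst_ip, c.dst_port) not in TOR_SOCKS_ENDPOINTS]
```

The tor process's own relay connections are not flagged because the rule is scoped to the browser process; on the sample log only the direct port-80 connection from firefox.exe is reported.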

Specifically, the attack targeted only Windows TBB users. Therefore, Roger Dingledine, Tor's creator and project leader, concluded it's "reasonable to conclude that the attacker now has a list of vulnerable [Windows] Tor users who visited those hidden services."

The NSA and SAIC enter the picture, claim Baneki Privacy Labs, a tech activist group, and Cryptocloud, a secure networking company, because the JavaScript exploit forwarded users' data to a Web server with an IP address that was managed by SAIC for the NSA. Since the NSA's mission is to monitor foreign communications and Marques's Freedom Hosting site seems to have been located in Ireland, it makes perfect sense for the NSA to have been involved.

For Tor users, the following versions of TBB include the patched browser: 2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1, and 3.0alpha2. TBB users can determine whether they have an up-to-date browser by clicking Help and selecting About Firefox. Whether after this episode anyone will trust Tor for "anonymous" Web browsing is another question.

In the meantime, if you've been using the Windows version of TBB recently on hidden services servers, it's a pretty safe bet that your particular network address is now in the hands of the FBI. This, in turn, means that it's only a matter of time and effort for your real-world address to be revealed as well.

This is a classic privacy dilemma. On the one hand, child abusers may soon find themselves facing jail time. On the other hand, everyone who used hidden services for a legitimate purpose, say tracking human rights abuses in the Syrian civil war, has also had their data collected. The only thing we can say for certain is that Tor's reputation, which had been as the gold standard of Internet anonymity, has been tarnished.
