In July of 2012, FBI contractor Pradeep Lal contacted the customer support department of the Italian company Hacking Team, a maker of spyware for law enforcement and intelligence agencies worldwide. Lal needed help; he had used Hacking Team software to break into and monitor an investigative target’s computer, but the monitoring wasn’t working as well as Lal expected. It reported what addresses his target visited in normal web browsers, but not when his target used Tor Browser, software designed to mask sensitive web surfing.
Lal described his problem succinctly, complaining on Hacking Team’s customer website that the company’s “URL collector does not collect web traffic on TOR browser,” according to a large trove of emails and other documents recently obtained by one or more computer hackers. He then outlined the steps someone might take to reproduce the problem he encountered with Hacking Team spyware:
download TOR browser bundle. Surf web through TOR browser. Infect the target with an agent with www collector enabled. WWW traffic is not collect when target surfs through TOR browser.
Hacking Team’s support staff responded the next day, writing, “From our understanding the tbb [Tor Browser Bundle] is just a customized Firefox, we will look at it for future releases.” Less than two weeks later they told Lal that his requested feature was in the works: “Dear Client, next RCS [Remote Control System] release (8.2.0) will capture URL from the TOR browser. Thank you.” (An April 2013 email laments Lal’s departure from the FBI.)
Hacking Team, at the FBI’s request, had just added the ability to monitor ostensibly anonymous Tor Browser traffic from a target infected with Hacking Team malware. The Tor Browser monitoring capability did not represent a breach of the Tor network, which bounces web traffic around the world to hide its destination. It’s impossible for any security software, including Tor Browser, to continue to protect someone after their computer has been hacked. But the incident serves as a reminder of the government’s strong interest in bypassing the protections Tor offers — and of how vulnerable computer users can be even when using proven and secure privacy systems.
Tor is, by all accounts, such a system. Tor is not just a network of computers; it’s also the open-source software that runs that network, helping people access the internet anonymously. When you use Tor Browser, you no longer visit websites directly but instead through a network of Tor nodes. This prevents the websites you visit from knowing your real IP address, information that can be used to pinpoint your location and identity. With Tor, all a website knows is that you’re some anonymous Tor user. Even someone monitoring your network traffic — having cracked your wifi, for example — will have no idea what sites you’re visiting.
(Disclosure: The Tor Project, which helps develop Tor and Tor Browser, has received money from the Freedom of the Press Foundation, where I sit on the board. It has also received money from the Omidyar Foundation, co-founded by Pierre Omidyar, who funds The Intercept’s parent company First Look Media.)
Tor Browser was able to, for a time, thwart Hacking Team’s flagship product, Remote Control System, which normally allows an operator to, among other forms of surveillance, spy on all of the network traffic leaving a hacked computer and report back to its client a list of web addresses the target was visiting. Such web snooping didn’t initially work on Tor Browser. All RCS could see was encrypted traffic going into the Tor network — basically useless information. Spying on Tor traffic would take more effort.
Hacking Team described how it solved the problem in a PowerPoint presentation, bragging that, “Our solution is the only way to intercept TOR traffic at the moment.”
When a user opens Tor Browser, their computer starts the Tor program in the background, and in the foreground it opens up a modified version of Firefox that’s configured to force all its traffic to go through the Tor program. The solution was to modify Tor Browser on a hacked computer to force all of its traffic to go through an outside server that the attacker controls, rather than the one provided by the Tor program. When the hacked user loads a website in Tor Browser, the malware is then able to spy on the traffic before it gets handed off to the Tor network to be anonymized. Last week the Tor Project published their own brief analysis of this capability.
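One defensive check that follows from this description, written as an added example for this article (it is not code from The Intercept, the Tor Project or Hacking Team): parse Tor Browser’s Firefox preferences and flag a SOCKS proxy that no longer points at the local Tor process. The pref names and the local listener at 127.0.0.1:9150 are assumptions about the bundle’s layout, and both sample preference fragments are constructed.

```python
import re
import ipaddress

# Constructed prefs.js fragments (not from any real profile). The pref names and
# the local Tor SOCKS listener at 127.0.0.1:9150 are assumptions about the bundle.
CLEAN_PREFS = """\
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
"""
# Constructed example of the tampering the article describes: the SOCKS proxy
# now points at a host outside the machine instead of the local Tor process.
TAMPERED_PREFS = """\
user_pref("network.proxy.socks", "203.0.113.10");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", false);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Map pref name -> value (str, int or bool) from prefs.js-style lines."""
    prefs = {}
    for m in filter(None, map(PREF_RE.match, text.splitlines())):
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs

def audit_proxy(prefs, expected_port=9150):
    """Return findings showing where browser traffic would leave before Tor."""
    findings = []
    host = prefs.get("network.proxy.socks", "")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"  # hostname form of the local listener
    if not loopback:
        findings.append(f"SOCKS proxy host {host!r} is not the local Tor process")
    if prefs.get("network.proxy.socks_port") != expected_port:
        findings.append(f"SOCKS port is {prefs.get('network.proxy.socks_port')}, expected {expected_port}")
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("DNS is not sent through the SOCKS proxy (lookups would leak)")
    return findings
```

Running `audit_proxy(parse_prefs(...))` on the clean fragment returns no findings, while the tampered fragment yields three; on a real system the check is only meaningful if the machine itself is trusted, which is exactly what the article says cannot be assumed once it is infected.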
But Hacking Team had no capability against the Tor network itself; it could only spy on people if their computer was already infected by Hacking Team spyware. This was made clear in a series of customer service communications (1, 2, 3, 4, 5, 6) with the FBI’s John Solano starting in September 2014, two years after the Tor monitoring feature was added to Hacking Team software. Solano wanted to find out the real IP address of a target shielded by the Tor network, but he had not yet hacked his target.
“We will need to send him an email with a document or pdf attachement [sic] to hopefully install the scout,” Solano later wrote, after some back and forth with Hacking Team representatives.
It’s not clear from reading the support ticket if Solano ever successfully hacked his target with Hacking Team’s malware. What is clear is that, as of late 2014, the FBI was struggling to figure out how to deanonymize a Tor user.
In another Hacking Team customer support encounter, a government was trying to use the Tor network rather than crack it. Last month, a user called “devilangel”, who works for the South Korean Army, contacted Hacking Team trying to troubleshoot problems logging into the support website from Tor Browser. The support website requires clients to log in with not only a username and password but also with an encryption certificate. This certificate must be installed in a web browser, and devilangel was having trouble doing that in Tor Browser. “We are using certificates for secure communication using Support Portal,” devilangel wrote. “With recent firefox, you know, Tor Browser(v4.5.x) seems not to support PKCS#12(*.p12),” a file format used to bundle encryption certificates.
It’s not clear exactly why the South Korean Army wanted to use Tor Browser to interact with Hacking Team. But it is clear that Tor provides the same level of security and anonymity to military users as it does to anyone else. Tor is used by a diverse range of people: activists, journalists, military, law enforcement, business executives, and ordinary people trying not to get tracked, as well as criminals of all stripes. This diversity allows any actor — government users like the South Korean military, activists, or illicit users — to remain anonymous.
On behalf of devilangel, Hacking Team’s support staff began troubleshooting, and discovered that both the stable version of Tor Browser, as well as the experimental beta version, contained a bug that prevented users from installing encryption certificates.
“We suggest to use a different way for your connections to HT Support Portal, if you still need to hide your IP address: VPNs, public proxies, VPS via VNC/RDP, browser add-ons like Anonimox…”, the support staff suggested to the South Korean Army.
They made a better mousetrap, that’s all it really is. Now it’s time to find a better way of circumventing the system, a little add-on to Tor or to servers that detects this spyware and reroutes traffic.
The Republic of Korea Army (ROKA, not SKA) was not a client of Hacking Team. It was the National Intelligence Service using a false military unit as a front, and they most likely wanted HT’s software so they could spy on opposition parties and government critics in South Korea. One NIS spy turned up dead last week with a suicide note saying “No, we would totally never do that,” but nobody’s buying it.
Tor is a good browser. At least with it you can hide your IP so that no one is able to trace where you are. The fact that the spyware was created makes it a possibility for monitoring crimes that go untraced over the Internet. However, I think that this wouldn’t be necessary if there were no security concerns.
Just a note for people searching for Anonimox – the correct spelling (at least in the copy I have running in Firefox) is ANONyMOX – note the ‘Y’.
FBI should just mind their damn business and worry about what really is going on in this world.
Touché my friend, darn right…
As a TOR user this is a bit scary, but at the same time glad to see that they don’t have any easy way to deanonymize.
If the FBI is following the law, I imagine they had warrants for targeting these individuals (like child porn related activity)? Is this a correct assumption?
Yes I believe that FBI is required to get a warrant if they want to hack your computer in order to spy on your Tor activity, if you’re an American. Although they don’t seem to believe they need warrants against individuals they’re hacking if they don’t know who they are. See the Freedom Hosting attack, where FBI attempted to hack all Tor Browser users they could who visited a set of hidden services. In this case, they had no way to know who they were hacking until after they hacked them. They also had no way to target a specific user to hack. Instead they had to resort to hacking everyone they saw, because there isn’t any way to tell different Tor Browser users apart.
Tor servers/routers must be quite easy to locate and identify since the IP routing path is modified in comparison to regular browsing. So just IP monitoring lets the FBI/NSA know that somebody is hiding something. So they can hack the computer and collect what they need.
So what is the advantage of TOR? What is needed is complete stealth browsing so nobody knows you are browsing, not only where you are browsing.
TOR’s like an encrypted, randomized system of proxy servers, but the last server in the chain, which connects to the destination site, could be completely open to inspection. Moreover, the guy that owns the last TOR server in the routing path chain is on the hook anyways from spying agencies, since they know his computer connected to a prohibited or under-surveillance site.
If TOR generated logically consistent fake traffic so it would not raise suspicions, it would be at least something, if this is even possible.
Could anybody clarify that?
Tor is good, or even very good, for certain adversaries. Tor is probably even very good for certain *state* adversaries. Tor is probably NOT good if your state adversary is the US or the UK (or probably any of the 9 eyes) — or if you’re someone they have an interest in (even if you don’t know it). That doesn’t mean Tor doesn’t have a *place* in such speech — merely that you shouldn’t expect it to be your (sole) source of protection. There are a lot of uses for Tor that one might require or desire anonymity for that don’t reach that level of scrutiny. Chances are all of your traffic is already being filtered through already, so arguing that an endpoint might be monitored (and it might be, indeed) isn’t really an effective argument if any connection on the net can or will be monitored anyway. Then you’re talking about more of a MESH network, or an intranet, not the Internet.
PS: It’s Tor, not TOR.
Tor servers are indexed and monitored. That information is public (and it being so is logical, not a conspiracy). That information is also helpful to weed out bad nodes and keep an eye on the integrity of the network (and indeed it has been used to help stop certain types of attacks on the network).
Finally, I wanted to point out, if your system is backdoored and monitored, then it doesn’t matter how you try to access ANY network from that machine. It is what some of us would call a ‘game over’ situation (and moreso if you’ve got a persistent bootkit or rootkit). Remember, the exit node or exit of any traffic stream is not the weakest point: the entry into any network is, and that is usually the machine you use (even absent the ‘net).
IP monitoring lets the FBI/NSA know that somebody is using Tor, not that somebody is hiding something. People use Tor for a variety of reasons, like browsing the web without advertising tracking them, or logging into Facebook with better transport security, etc.
It’s not so simple for NSA/FBI to just hack your computer. In this article, Solano discussed needing to email his target a malicious document to hack him, but what if they didn’t have an email address for him, or if he didn’t open the document?
This is an issue with services on the internet not using encryption, not really an issue with Tor. Tor does a great job at anonymizing the connection, but if you’re logging into a website that only supports http and not https, whether or not you’re using Tor your username and password will get spied on. BTW, I used to run an exit node myself for about a year. I never got any letters from anyone about it. I never felt like I was “on the hook” from spy agencies.
Thanks for the great article.
I must admit my head hurts after reading it and the “Powerpoint Presentation”.
So much to get my head around and I have the feeling of only playing catch up all the time.
July 2012 so where and what are they up to now.
You guys must have brains the size of planets, to keep up to date.
Great work.
Great article Micah. Nice to see Tor seems to work… reinforces the message, once your system has been compromised it’s game over.
I’m probably going to upgrade my router one of these days and when I do I will look for a router that can do dual purpose as a Tor router. Kind of the way some routers allow for guest connections.
If more routers had a Tor option, it might help make the tor network better.
OpenWRT packages tor, so any router that is supported and reasonably modern/fast can act as a relay. You will want at least 10Mbit/s upstream in order to help the Tor network, because otherwise the amount of bandwidth used to tell all the Tor clients about your relay is larger than the amount you can contribute. There have been various discussion threads on the tor mailing lists (https://lists.torproject.org) about the merits of a Tor-router-like device, several failed attempts to produce a well-designed one, and a number of design challenges that remain in order to provide the same protections (or be compatible with those) that Tor Browser Bundle provides. For example, a ‘torifying’ guest-mode router might want to help users install Tor Browser Bundle, rather than quietly forwarding their traffic over Tor. And don’t forget to keep your router and relay installation up to date. :)
Seconding OpenWRT.