Lawfare readers by now should be very familiar with the concept of the FBI's Network Investigatory Technique or NIT, a small piece of malicious code that exploits the target’s computer to generate a message which deanonymizes the target. So far we've seen exploitive NITs used by the FBI two major child pornography cases: Freedom Hosting and PlayPen. In the Freedom Hosting case, the NIT got captured as the FBI deployed it too broadly, while the PlayPen NIT remains confidential. Just the other day, we saw a NIT used in another child porn case. This may be the last time we see a NIT used in these cases.
The NIT itself consists of three major components: the exploit which takes over the Tor browser (a customized copy of FireFox), the payload which conducts the search needed to deanonymize the target, and server support infrastructure which not only hosts the NIT but modifies each copy sent to include a unique identifier.
Within a few hours many people analyzed the exploit. It was a new Firefox 0-day exploit but the payload matched the Freedom Hosting NIT, with only one significant difference—the GiftBox NIT reported back to a French IP address.
It is highly likely that either the FBI or the FBI's contractor worked directly with whomever deployed the GiftBox NIT. Although the NIT payload became public due to the Freedom Hosting NIT, the necessary supporting server infrastructure remains confidential as far as I know. The NIT payload is unusable without the corresponding server infrastructure or a reverse-engineered copy of the server infrastructure.
The exposure of the GiftBox NIT effectively “burned” the associated 0-day exploit, as Mozilla deployed a patch within twelve hours, protecting not only future NIT targets but also the general public from those who might modify the exploit and use it to hack into other systems. This represents one of the major benefits of lawful hacking over "exceptional access". Hacking a target doesn't guarantee exposure of a 0-day but such hacks always runs a risk.
Reports suggest that developing or buying a new 0-day for Firefox like the one used here would probably cost on the order of $100,000, large enough to require real paperwork to purchase but small enough that, if the target is of high priority, it is acceptable to risk the asset.
The probable ties with the FBI’s NIT also suggest that it is likely that the 0-day used in the GiftBox NIT is the same 0-day used in the PlayPen NIT. Although there is not yet any direct evidence one way or the other, we will know for sure shortly as both prosecutors and defense attorneys will note these suspicions to the courts. If it is the FBI’s exploit, this moots the “disclose or dismiss” conflict in the PlayPen cases.
So What Now?
I have a strong civil liberties streak, but I cannot defend Tor hidden services. The Tor project claims that hidden services, servers that only exist in the Tor network and act to hide the server’s IP, can protect activists and whistleblowers. This is false. Truly hidden Tor services (unlike Facebook which, although reachable as a “hidden service” does not actually attempt to hide the server's IP address) are only useful for content that is unhostable anywhere on the general Internet.
If I want to host contact that annoys the Chinese I can use Amazon or even my home connection. If I want to host content that annoys the United States I simply place my server in Russia. It is only content which no country will tolerate and not even a “bulletproof” hosting provider like CyberBunker will host that benefits from hidden services.
Fortunately, I believe that there is a way around the problem of hidden services. It is an open secret in the Tor community is that Tor is simply not designed to withstand global adversaries: someone who can see all the traffic as it enters and leaves the Tor network is assumed to be capable of deanonymizing the traffic. This also implies that Tor is not capable of protecting against an adversary who generates the traffic which enters Tor and sees where the traffic leaves Tor.
So if someone runs a large number of Tor relays, this person can plausibly deanonymize hidden service IPs by directing traffic to the hidden service and seeing if it flows through their Tor relays. When the hidden service selects one of the attacker’s nodes as a guard, the server is directly identifiable. Or if the service uses a private guard node, this technique can still identify that guard node in preparation for a pen-register order.
Likewise, when that attacker controls the hidden service they can also deanonymize visitors to the hidden service when the visitors choose one of the attacker’s nodes as a guard node. This attack can be made easier by constructing the server’s page to add some additional signaling information. I hope to have some undergrads prove that this is a practical, not just theoretical, attack.
Yet such a monitoring program would not harm normal Tor users. If the attacker running the Tor nodes does not run any exit nodes (systems that route Tor traffic back onto the Internet) the attacker is not capable of deanonymizing anybody but hidden services and visitors of services they control. So in addition to any legal protections (it probably requires a very interesting Title III wiretap order) this would offer technical protections against innocent users. If anything, in a delicious bit of irony, building this infrastructure would improve service for honest Tor users by creating more Tor relays.
I not only hope that this happens but also hope (probably in vain) that the Tor project turns a blind eye to such activity if noticed. Tor provides significant uses for those legitimately seeking anonymity or censorship resistance. But hidden services represent a plague not only on the world at large but Tor itself. “Tor is the tool of drug dealers and pedophiles” is powerful rhetoric that limits Tor’s more general appeal.
In short, NITs against Tor hidden service criminals may not work in the future, but I think there is a path going forward, one that involves law enforcement directly monitoring the Tor network to perform targeted deanonymization.