The FBI recently made headlines (again) for using secret network investigation techniques to track down a suspect who was using TOR to anonymously access an ISIS website. While a laudable cause and effort, this may raise concerns for a number of other groups and individuals. TOR is often used by whistleblowers, political activists, journalists and privacy-conscious users to prevent their online activities from being tracked.
What is TOR?
TOR (The Onion Router) is free and open-source software that provides users with anonymity and privacy while they are online. It works by routing Internet traffic through a network of relays, which are run by volunteers around the world. Once the traffic is encrypted and routed through this network, it is supposed to be very difficult to trace the traffic back to its source, keeping the user's identity private.
What Happened?
The FBI managed to obtain the real IP address of an alleged visitor to an ISIS website hosted on the dark web and accessed via TOR. However, Department of Justice lawyers won't say how the agency obtained the visitor's IP address, and are blocking discussion of the issue from entering the public docket.
How Could the FBI Track Someone That is Using TOR?
There are a number of options available to a well-resourced and determined organisation.
1. Macros or Spyware
That’s right, the same pesky macros used by hackers and various threat groups can also be turned against cyber-enabled criminals. By creating a honeypot macro file and placing it somewhere the suspect will download and open it (either in a post or by compromising the service the TOR user is visiting), a TOR user's true location can be unmasked. Law enforcement agencies and private cyber defenders practising Active Defence techniques can load a number of file types with macros that connect to the internet to “phone home”. Macro-enabled files can carry their own TCP wrapper, which means the macro does not use the configured TOR proxy or VPN to reach the internet: it opens its connection directly through the network card, bypassing the anonymising service completely and exposing the TOR user's real IP address. Macros can even be coded to report all the local WiFi signals the machine can see, which allows agencies like the FBI to geolocate a user anywhere in the world, down to a couple of metres. The same techniques can be used with executable spyware, but macros are easier to hide.
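The defensive flip side of this technique is egress monitoring: on a host that is only supposed to reach the internet through TOR, any outbound connection that was not made by the Tor daemon and does not go to localhost has bypassed the anonymising service, whatever application made it. The following Python check is an added example (not code from the original post) that applies that rule to connection records; the Tor service account, the macro-host process names and the sample log lines are all assumed or constructed.

```python
import ipaddress
import re
from typing import List, NamedTuple, Union

# Assumption: the Tor daemon runs under this account (Debian's default name).
TOR_USER = "debian-tor"

# Office-style processes that can host macros; a direct connection from one
# of these is the "phone home" pattern described above.
MACRO_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "soffice.bin"}

# One connection record per line: <user> <process> <peer_ip>:<peer_port>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)$")


class Conn(NamedTuple):
    user: str
    proc: str
    ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    port: int


def parse_line(line: str) -> Conn:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised connection record: {line!r}")
    user, proc, ip, port = m.groups()
    return Conn(user, proc, ipaddress.ip_address(ip), int(port))


def is_leak(conn: Conn) -> bool:
    """Only the Tor daemon may leave the host; everything else must stay on
    loopback (e.g. talking to Tor's local SOCKS listener)."""
    if conn.user == TOR_USER:
        return False
    if conn.ip.is_loopback:
        return False
    return True


def find_leaks(log_text: str) -> List[str]:
    """Return one finding per leaking connection, calling out macro hosts."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        conn = parse_line(raw)
        if is_leak(conn):
            tag = "MACRO-HOST" if conn.proc.lower() in MACRO_HOSTS else "DIRECT"
            findings.append(f"{tag} {conn.proc} ({conn.user}) -> {conn.ip}:{conn.port}")
    return findings


# Constructed sample records (documentation IP ranges, not a real capture).
SAMPLE_LOG = """
debian-tor tor 203.0.113.7:443
alice firefox 127.0.0.1:9050
alice winword.exe 127.0.0.1:9050
alice winword.exe 198.51.100.23:80
alice curl 192.0.2.9:443
"""

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

Feeding it the output of a per-process connection listing (or a firewall log that records the owning user) turns the article's "bypasses the proxy" observation into a concrete alert; the stronger control is a firewall policy that only lets the Tor account egress at all.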
2. TOR network traffic analysis
Several methods of statistical analysis have been discovered by researchers to find the TOR entry node, and thereby the TOR end user. However, all of these methods require significant resources and often involve compromising network equipment or setting up a significant number of TOR nodes to provide the data required for analysis.
3. 0-day exploit of TOR service
The FBI or an associated agency may have developed an exploit for a vulnerability in TOR which is not publicly known. Such an exploit could continue to be used until the vulnerability was publicly discovered and disclosed, or until the prosecution was compelled to provide evidence in a case where the exploit had been used against a suspect. In the past, the DOJ has opted to have criminal cases dismissed rather than give up its techniques for de-anonymising a TOR user.
4. Good ol’ fashioned investigation techniques
Often, the best vulnerability to exploit is sitting between the keyboard and the backrest. Whether it’s through reuse of a username or the questions asked in a forum, traditional investigative techniques combined with OSINT data have proven successful time and again. Darknet market owners have been brought down not through vulnerabilities in their market, but through the specific questions they’ve asked in developer forums, which matched the development of their darknet web application.
Does this mean TOR is no longer safe to use as an anonymiser?
That depends on what you’re doing and who might want to track you doing it. If you’re using TOR to stop your ISP tracking you or to view some geo-restricted content, you have nothing to worry about. However, if you're looking to hide your online activities from a well-resourced and determined nation-state actor, you should consider taking additional precautions.