FBI used drive-by downloads to track child abuse image suspects hidden on Tor

Filed Under: Featured, Law & order, Privacy

US courts are forcing the FBI to justify drive-by downloads of spyware onto the computers of people visiting child porn sites hidden on Tor.

Tor, a free, open-source program, provides online anonymity by routing traffic through a circuit of relays drawn from a worldwide volunteer network of servers, with the traffic wrapped in one layer of encryption per relay.

It can be used to conceal the network location of both users and services, so that neither knows where the other is.
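The layering that makes this work, shown as an added example that is not from the original article and is not the Tor Project's own code: the client wraps a request in one encryption layer per relay, and each relay peels exactly one layer, so no single hop sees both the client and the destination. The cipher and the pre-shared per-relay keys are stand-ins for illustration (Tor negotiates per-hop keys and uses its own constructions), the relay names and the `hidden-forum.example` destination are constructed, and the server-side rendezvous circuit that hides a hidden service's own location is not modelled.

```python
"""Toy onion routing, as an added illustration of the layered-circuit idea.

Demonstration only: the cipher is an HMAC-SHA256 keystream with an HMAC
tag (NOT Tor's real TLS/AES-CTR construction), and each relay's key is
pre-shared with the client rather than negotiated with a handshake.
"""
import hashlib
import hmac
import json
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; enough keystream for `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one onion layer: nonce || tag || ciphertext."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; raises if the key is wrong or the layer was tampered with."""
    nonce, tag, ct = blob[:12], blob[12:28], blob[28:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered layer")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class Relay:
    """One hop. It learns only who handed it the cell and where to send it next."""

    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)  # assumption: shared with the client out of band
        self.seen = []             # (previous hop, next hop) pairs observed by this relay

    def handle(self, prev_hop: str, blob: bytes, network: dict):
        cell = json.loads(unseal(self.key, blob))
        self.seen.append((prev_hop, cell["next"]))
        inner = bytes.fromhex(cell["payload"])
        if cell["next"] in network:
            return network[cell["next"]].handle(self.name, inner, network)
        return cell["next"], inner  # exit hop: plaintext leaves the circuit here


def build_onion(circuit: list, destination: str, message: bytes) -> bytes:
    """Wrap `message` once per hop: innermost layer for the exit, outermost for the guard."""
    next_hops = [r.name for r in circuit[1:]] + [destination]
    payload = message
    for relay, nxt in reversed(list(zip(circuit, next_hops))):
        cell = json.dumps({"next": nxt, "payload": payload.hex()}).encode()
        payload = seal(relay.key, cell)
    return payload


def run_demo() -> dict:
    """Send one request through a three-hop circuit and record each relay's view."""
    guard, middle, exit_ = Relay("guard"), Relay("middle"), Relay("exit")
    network = {r.name: r for r in (guard, middle, exit_)}
    circuit = [guard, middle, exit_]
    # Constructed request and constructed destination name.
    onion = build_onion(circuit, "hidden-forum.example", b"GET / HTTP/1.0")

    delivered_to, plaintext = guard.handle("client", onion, network)

    # The middle relay, holding only its own key, cannot peel the guard's outer layer.
    try:
        unseal(middle.key, onion)
        middle_can_read_outer = True
    except ValueError:
        middle_can_read_outer = False

    return {
        "delivered_to": delivered_to,
        "plaintext": plaintext,
        "views": {r.name: r.seen[0] for r in circuit},
        "middle_can_read_outer": middle_can_read_outer,
    }


if __name__ == "__main__":
    result = run_demo()
    for relay, (prev_hop, next_hop) in result["views"].items():
        print(f"{relay:6s} saw {prev_hop} -> {next_hop}")
    print("exit delivered", result["plaintext"], "to", result["delivered_to"])
```

Running it shows the guard seeing only client and middle, the middle seeing only guard and exit, and the exit seeing only middle and the destination. That is also why an investigator who cannot break the layering goes after an endpoint instead, as the rest of this story describes: an exposed administrative account on the server, or code run in the visitor's browser.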

Tor is popular with anyone who wants to remain unseen and unnoticed - from terrorists and buyers or sellers of drugs to political activists and journalists who fear for their safety.

The FBI has in the past blamed Tor for stymying child abuse investigations.

In fact, the US's efforts to break Tor were revealed by Edward Snowden's NSA leaks, which showed that the government has vigorously tried to unmask Tor users.

But at least in this case, Tor didn't manage to stymie the FBI at all.

The agency not only cracked an unsecured forum for child abuse images hidden on Tor; it then took over three child porn sites and booby-trapped them with drive-by spyware downloads.

The operation began with an investigation in the Netherlands in August 2011, where national police looking to crack down on child abuse imagery wrote a web crawler that prowled the Deep Web, siphoning off every .onion address it came across.

They methodically checked out all the hidden addresses the crawler pulled in, determining which were sites devoted to child-abuse images.

If the sites had been hosted on the ordinary World Wide Web the story would end there: the FBI could have identified the sites' owners and locations quite easily from hosting and registration records. On the Dark Web those details are tucked away behind the anonymising routing layers of the Tor network.

Fortunately one of the sites, going by the stomach-churning moniker "Pedoboard", had a good old-fashioned security problem: an administrator account with no password.

That open door allowed the FBI in to poke around until they found enough clues about the real location of the site to swoop on its owner.

FBI agents in November 2012 arrested Aaron McGrath, whom they identified as the administrator of three websites that advertised and distributed child abuse images.

McGrath was running sites out of the server farm where he worked in Nebraska, along with one server at his home.

Rather than shut the sites down the government booby-trapped them with malware and continued to operate them for three weeks.

Over the course of the investigation, the FBI identified 25 Tor users of the child-abuse image sites, from states all over the US.

Now, 14 of the suspects are headed toward trial in Omaha, Nebraska, where courts are mulling whether or not the government's behaviour followed the rules of search warrants.

Lawyers are arguing for the evidence to be suppressed, because the FBI concealed its use of the spyware, which the agency calls a "network investigative technique" or NIT, for longer than the 30-day blackout period during which the search warrant allowed the bureau to operate in secret without notifying its targets about the search.

In fact, some defendants didn't learn about the spyware until a year after it was downloaded, a stark contrast to normal search warrants, in which subjects are normally informed "virtually immediately," defense lawyer Joseph Gross Jr. told Wired, calling this "an egregious violation" of the Fourth Amendment's prohibition against unreasonable search.

According to Wired's Kevin Poulsen, this isn't the first time the FBI has snagged suspects using spyware.

One example: in 2007, the FBI was searching for a teen who had made bomb threats against a Washington high school.

The agency targeted the teen's MySpace profile with a spyware program that collected enough information to make any cyber crook drool: the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the currently logged-in user name; and the last-visited URL.

After it gathered all that, it settled into a silent "pen register" mode, lurking on the computer and monitoring its internet use, including the IP address of every computer it connected to, over a period of 60 days.

Chris Soghoian, principal technologist for the American Civil Liberties Union's (ACLU's) Speech, Privacy and Technology Project, told Wired that it's hard to argue with the use of drive-by downloads in a child porn sting, in which there are no innocents involved.

After all, merely looking at child pornography is a crime, he pointed out, which makes it hard to imagine an innocent having any reason to visit a forum that traffics in such images.

The real worry comes with how the FBI might use the technique more broadly, he said:

“You could easily imagine them using this same technology on everyone who visits a jihadi forum, for example. And there are lots of legitimate reasons for someone to visit a jihadi forum: research, journalism, lawyers defending a case. ACLU attorneys read Inspire Magazine, not because we are particularly interested in the material, but we need to cite stuff in briefs.”

In the current case of the child abuse image suspects, the court so far has not been sympathetic to the argument that the government acted in bad faith by exceeding the limits of its search warrant.

US Magistrate Judge Thomas Thalken last week rejected the defense's motion to suppress evidence, including the implication that the government acted in bad faith.

He wrote:

“The affidavits and warrants were not prepared by some rogue federal agent, but with the assistance of legal counsel at various levels of the Department of Justice.”

The matter now goes to consideration by US District Judge Joseph Bataillon for a final ruling.

I find this to be a moral and civil rights swampland.

The FBI used the seized Tor hidden services as a launchpad for what has to be considered malware: software that is downloaded silently, without the consent of the target.

Do the means justify the ends, if the ends are catching child abusers?

Beyond that, this case represents yet another abuse of the anonymising network, which strives to shield people, be they up to good or not, from surveillance and detection.

Until recently, Tor addresses, the so-called hidden services whose names end in .onion, have been thought to be untraceable.

Well, that may not be the case.

Carnegie Mellon University researchers had actually planned to give a talk at next week's Black Hat USA 2014 security conference about how it's possible to break Tor anonymity using a bargain-basement kit that cost less than $3,000 (£1,780).

The talk was cancelled after the university's lawyers intervened, but Tor developers last week confirmed that someone has in fact attacked the anonymising network and may have unmasked the people who run or visit hidden sites.

In this case, though, the FBI didn't need to find an architectural flaw in Tor, just the lowest-hanging security fruit you can grab: no password on an administrative account.



15 Responses to FBI used drive-by downloads to track child abuse image suspects hidden on Tor

  1. Ted · 44 days ago

    More power to the FBI on this one. As an ex-Catholic who changed denominations just because of the pedophile issue, I think the FBI needs to sinkhole the Vatican and all the priests' computers too. I am 110% for the FBI to drop malware on these sites! Keep it up guys!!!!

  2. ricead · 44 days ago

    Well done FBI. Is it wrong to drop code onto a criminal site to find who is using it? Absolutely not.

  3. Robert Scroggins · 44 days ago

    Okay, what if this situation involved a plot to blow up the new World Trade Center or something else? That might change things--eh? Now, both situations involve detecting/apprehending people who break the law!

    Why let lawbreakers off the hook on some technicality?

    Regards,

  4. RichardD · 44 days ago

    Whilst it's difficult to argue with the results in this instance, I think this subject deserves more than a knee-jerk "well done for catching these scumbags" reaction.

    The defence's argument is that, by exceeding the terms of the search warrant, the investigators have broken the law.

    Once you say that it's acceptable to break the law in order to catch people committing some types of crime, it's only a matter of time before it becomes acceptable to break the law to catch people committing *any* crime. You've already said it's acceptable; the only argument is over which types of crime qualify.

    It's like the old joke about the man trying to pay a woman to sleep with him:

    M: Would you sleep with me for $1000000?
    W: Yes.
    M: What about $10?
    W: No! What do you think I am?
    M: We've already established what you are; now we're just haggling over price!

  5. dave · 44 days ago

    I bet the users were surfing the web with the administrator account instead of the guest account (and/or the password for the administrator account was one you could find in the dictionary), or they were not using a firewall with outbound protection to block everything except the ports used by Tor.

  6. Ted · 44 days ago

    @dave

    I think the FBI would be using a zero-day with elevated privileges for this situation. They are not screwing around with simple known malware..... Their stuff is custom, "fresh", and deadly for an instant pwn.

  7. chcurtis · 43 days ago

    It seems that their warrant allowed them to track people for 30 days. This is similar to getting a warrant for a wiretap, which runs for a set period of time.
    The civil liberties and legal question is whether information garnered after that allowed period is over - during a period when the authorities were garnering information illegally - can then be used in a court of law.
    In the case of wiretaps, it can't. It's called "forbidden fruit" and although investigators routinely use that information as the basis of further investigation, the "forbidden fruit" itself will be thrown out of court.

    I see three solutions here.
    1- stop collecting information when the warrant runs out.
    2- get an extension to the warrant.
    3- inform the suspect that he is being surveilled.

    I suppose there is a fourth, but it is unacceptable in a free society:
    4- let the police ignore due process and the law, after all, they're going after bad guys.

    Note that #3 - informing the subject - might well stop the behavior. It may not result in a conviction, but isn't stopping the behavior the point?

  8. Andrew · 43 days ago

    If the FBI is doing this to keep children safe then there is no problem, but if it is being done just for the sake of spying then they are no better than the NSA

    • Laurence Marks · 41 days ago

      That's the old "end justifies the means" argument. In general, ethicists reject it because the justification is judgmental.

  9. This is a moral quagmire. Although I think all pedophiles should be drop-kicked into a nest of fire ants, this pushes the limits of infringement of constitutional rights. This also pushes us to ask the question, "Where does the stopping point begin?" It is easy to justify the next investigation, but I fear this will truly lead to the monitoring and labeling of innocent individuals who are within their rights.

  10. Clive Varejes · 43 days ago

    Go for it FBI.
    There is simply no excuse for child pornography. Those pedophiles involved deserve to be locked up and exposed. They are a blight on the world.
    And, yes, I know all the hyped-up BS regarding personal rights etc.
    However, in certain cases like child pornography, children's rights far outweigh those of this type of scum.
    Of course there will always be abuses, but FBI WELL DONE. AMAZING.
    However the FBI will of course be criticized by those desperate for their 15 minutes of fame.

  11. Sam · 43 days ago

    This looks like another case of old laws being applied to new tech and failing. The search warrant laws were designed for the search of a building. If that provides clues to evidence in another building you get another warrant. In the tech age you just can't work like that. The warrant law needs to be changed to enable the kind of chained searches that are an effective way of getting evidence from wherever the chain takes you.

    Come on legislators - stop your political nonsense and start passing law for the tech age.

  12. Randy · 43 days ago

    I'm 100 percent behind the FBI on this one. No expense should be spared and no court should interfere with putting these animals behind bars for life.

  13. noreally · 43 days ago

    "Over the course of the investigation, the FBI identified 25 Tor users of child-abuse images sites, from states all over the US."
    Out of 3 hidden services with at least 1000 members each?

    So impressive.

  14. Anonymous · 36 days ago

    What happens when an administration starts going after people that do not hold their political beliefs, especially when a set of beliefs threatens their power base? Harassment of people in the US for political activity, such as True The Vote, is becoming so common that it isn't reported in the news media. Such actions force the people to self censor, otherwise suffer the wrath of tyranny for exercising their rights in a so called free society. We haven't been a free society for a long time.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.