FBI claims that Tor stymied child abuse investigation

In at least one case, the US police’s hunt for online child abuse images has been stymied by Tor, a Freedom of Information Act (FOI) request has revealed.

The FOI request, which was originally for all Justice Department records mentioning the Silk Road marketplace (a site that National Public Radio has referred to as the “Amazon.com of illegal drugs”), was made by MuckRock’s Jason Smathers.

According to the FOI documents, a citizen reported stumbling on a cache of child abuse images while browsing Tor hidden services, sites on the .onion pseudo-domain that can only be reached through Tor software, while he was searching for the hidden-service address of the Silk Road:


He visited the Tor directory at the following site: [expunged]. At this site, he noticed a link to 'adult' websites and clicked on it. He noticed a link on the next page for 'TSCHAN' which he recognized to be a hacking affiliated group. When he clicked on this link, he saw pictures he described as child pornography. He said it looked like child pornography because he could tell the subjects were very young with some in diapers. All were still images, no videos, and he said most showed the children posing for the pictures.

Investigators were unable to determine the origin of the pornography’s host, as they described in a Detroit field office 2011 FBI Complaint/Assessment Form that was part of the FOI documents:


Because everyone (all Internet traffic) connected to the TOR network is anonymous, there is not currently a way to trace the origin of the website. As such no other investigative leads exist.

Tor, a free, open-source program, provides online anonymity by routing traffic through a circuit of volunteer-run relays around the world, with a separate layer of encryption for each hop, so that no single relay, and nobody conducting network surveillance or traffic analysis at a single point, can tie a user’s location to what the user is doing.

In spite of the investigators’ despair, however, it’s quite possible to bust Tor communities.

One recent example is “The Farmer’s Market,” an online narcotics store that hid its operations with Tor. The Farmer’s Market was brought down in April.

Granted, Tor was incidental to that bust.

As the indictment laid out, authorities were aware of the Farmer’s Market’s use of Hushmail – a service based in Canada that offers PGP-encrypted e-mail, file storage, vanity domain service, and instant messaging – before the operation was moved to Tor.

And as Naked Security reader HushFail commented at the time, Hushmail only protects users until law enforcement whips out a badge.

Hushmail has in the past turned over cleartext copies of private email messages associated with multiple accounts at the request of law enforcement agencies under a mutual legal assistance treaty between Canada and the US, such as in the case of US v. Tyler Stumbo.

Another factor in the Farmer’s Market bust was payment processing via means that included PayPal – to an agent with the US Drug Enforcement Administration, no less.

Clearly, some law enforcement agencies find ways to track down their prey, even if the suspects are using Tor.

But as Tor Project development director Karen Reilly told Ars Technica on Tuesday, there are ways to get at a hidden service that do not depend on breaking Tor at all, beyond tracking suspects through Hushmail or PayPal.

Tor Project members regularly meet with law enforcement to explain how Tor works and to direct them to these vulnerabilities, Reilly told Ars in an email exchange:

Saying that you have no leads is ridiculous. … Hidden services are just like a street address. You can't break an address. You can break the doors or windows of the house at that address. An attack on a .onion and a .com are the same. The usual PHP vulnerabilities to SQL injection and the like are applicable.

And as Ars pointed out, those are the vulnerabilities Anonymous used to take down Tor sites in its Operation Darknet anti-child-abuse-websites effort.

That Anonymous operation succeeded in taking down 40 child abuse sites, including Lolita City, in October 2011.

Anonymous did not crack Tor to do it; it exploited the site’s own web application, which let it not only bring down the abuse sites but also publish account details of 1,589 users from the site’s database.
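Reilly’s point that a .onion site is attacked exactly like a .com site is easiest to see in code. The following is an added example written for this article, not code from Ars, the Tor Project, or Anonymous. It uses Python with an in-memory SQLite database standing in for the PHP/MySQL stack she mentions; the schema, the rows, and the UNION payload are all constructed for the demonstration. The vulnerable search builds its query by string concatenation, so an attacker who can only reach the hidden service over Tor can still read the users table out of it; the parameterised version treats the same input as a literal search term.

```python
import sqlite3


def build_db():
    """Constructed sample database: a tiny forum with a users table worth stealing."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, public INTEGER);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pw'), (2, 'alice', 'hash-of-alice-pw');
        INSERT INTO posts VALUES (1, 'hello', 'first post', 1), (2, 'draft', 'unpublished', 0);
    """)
    return conn


def search_posts_vulnerable(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, so it can rewrite the query.

    This mirrors the classic PHP pattern "... LIKE '%" . $_GET['q'] . "%'".
    """
    sql = "SELECT title, body FROM posts WHERE public = 1 AND title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn, term):
    """Hardened: the term travels as a bound parameter and can never become SQL grammar."""
    sql = "SELECT title, body FROM posts WHERE public = 1 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed payload: close the LIKE literal, bolt on a second SELECT over the users
# table with the same column count, and comment out the trailing %' the app appends.
PAYLOAD = "x%' UNION SELECT username, password_hash FROM users -- "


def demo():
    """Run both searches with a benign term and with the injection payload."""
    conn = build_db()
    return {
        "benign_vulnerable": search_posts_vulnerable(conn, "hell"),
        "benign_safe": search_posts_safe(conn, "hell"),
        "attack_vulnerable": sorted(search_posts_vulnerable(conn, PAYLOAD)),
        "attack_safe": search_posts_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The point of the example is what it does not contain: nothing in it touches Tor. The injected query runs inside the hidden service’s own database regardless of how the request arrived, and the credential dump is exactly the kind of data Anonymous published. Binding parameters, as in the safe version, is the fix whether the site answers on a .onion address or a .com one.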

Obviously, Tor anonymity is not foolproof.

Tor itself warns about one vulnerability on its site:

Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.

That means an eavesdropper who can watch both the end user’s network and the destination’s can compare the timing and volume of the two streams and form a reasonable hypothesis that they belong to the same circuit, without decrypting anything.

Such a technique wouldn’t help the FBI unless they already knew enough about their suspects to plant an eavesdropper on their network, of course.
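To make the end-to-end timing attack described in Tor’s warning concrete, here is an added simulation written for this article; it is not code from the Tor Project or from the article. It models an observer who, as the warning requires, sees packet timings on the user’s side of the network and at the destination. Several flows are generated with constructed random send times, passed through a model circuit that adds a fixed delay plus Gaussian jitter, and presented to the observer in shuffled order. The observer bins each side into a histogram, tries a range of unknown circuit delays, and links each user-side flow to the destination-side flow whose counts correlate best. The delay, jitter, bin width and packet counts are all assumptions chosen for the demonstration, not measurements of the real Tor network.

```python
import random

BIN_MS = 250  # attacker's histogram bucket width (assumed; coarser than the modelled jitter)


def make_flows(n_flows, n_packets, duration_ms, rng):
    """Constructed sample: each flow is a sorted list of packet send times (ms) on the user's side."""
    return [sorted(rng.uniform(0, duration_ms) for _ in range(n_packets)) for _ in range(n_flows)]


def through_circuit(flow, rng, base_delay_ms=500, jitter_ms=40):
    """Model of the Tor circuit: every packet arrives at the destination after base delay + jitter.

    The real network's latency distribution is not this; the numbers are assumptions.
    """
    return sorted(t + base_delay_ms + rng.gauss(0, jitter_ms) for t in flow)


def histogram(times, duration_ms, bin_ms=BIN_MS):
    """Count packets per time bin; times past the window are clipped into the last bin."""
    n_bins = int(duration_ms // bin_ms) + 1
    counts = [0] * n_bins
    for t in times:
        idx = min(max(int(t // bin_ms), 0), n_bins - 1)
        counts[idx] += 1
    return counts


def pearson(xs, ys):
    """Pearson correlation of two equal-length count series (0.0 if either is constant)."""
    n = len(xs)
    if n < 2:
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def best_lag_correlation(entry_hist, exit_hist, max_lag_bins):
    """The observer does not know the circuit delay, so shift the exit side by each candidate lag."""
    best = -1.0
    for lag in range(max_lag_bins + 1):
        a = entry_hist[: len(entry_hist) - lag] if lag else entry_hist
        b = exit_hist[lag:]
        best = max(best, pearson(a, b))
    return best


def link_flows(entry_flows, exit_flows, duration_ms, max_lag_ms=1000):
    """For each user-side flow, return the index of the destination-side flow it most resembles."""
    entry_h = [histogram(f, duration_ms) for f in entry_flows]
    exit_h = [histogram(f, duration_ms) for f in exit_flows]
    max_lag = max_lag_ms // BIN_MS
    guesses = []
    for eh in entry_h:
        scores = [best_lag_correlation(eh, xh, max_lag) for xh in exit_h]
        guesses.append(max(range(len(scores)), key=scores.__getitem__))
    return guesses


def simulate(n_flows=5, n_packets=200, duration_ms=20000, seed=1):
    """Run the attack on constructed traffic; returns (correctly linked flows, total flows)."""
    rng = random.Random(seed)  # fixed seed so the demonstration is reproducible
    entry = make_flows(n_flows, n_packets, duration_ms, rng)
    exit_side = [through_circuit(f, rng) for f in entry]
    order = list(range(n_flows))
    rng.shuffle(order)  # the observer sees destination flows without labels
    shuffled = [exit_side[i] for i in order]
    guesses = link_flows(entry, shuffled, duration_ms + 2000)
    correct = sum(1 for i, g in enumerate(guesses) if order[g] == i)
    return correct, n_flows


if __name__ == "__main__":
    print("linked %d of %d flows" % simulate())
```

Nothing here involves breaking encryption or compromising a relay: the observer only needs the two vantage points the warning names, and coarse timing is enough to re-pair the flows. That is also why the technique is of little use to an investigator who lacks a vantage point near the suspect, as the article notes.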

But in sum, it seems that there have been multiple unmaskings of Tor users, whether it’s by the means employed by the multinational task force that cracked the Farmer’s Market or the vulnerabilities exploited by Anonymous.

If they can do it, it’s hard to see why the FBI can’t.

Child alone image, courtesy of Shutterstock.