FBI used drive-by downloads to track child abuse image suspects hidden on Tor


US courts are forcing the FBI to justify drive-by downloads of spyware onto the computers of people visiting child porn sites hidden on Tor.

Tor, a free, open-source program, bestows online anonymity via a circuit of multilayered, encrypted connections routed through a worldwide volunteer network of servers.

It can be used to conceal the network location of both users and services so that neither knows where the other is.

Tor is popular with anyone who wants to remain unseen and unnoticed – from terrorists and buyers or sellers of drugs to political activists and journalists who fear for their safety.

The FBI has in the past blamed Tor for stymying child abuse investigations.

In fact, the US’s efforts to break Tor were revealed by Edward Snowden’s NSA leaks, which showed that the government has vigorously tried to unmask Tor users.

But at least in this case, Tor didn’t manage to stymie the FBI at all.

The agency not only cracked an unsecured forum for child abuse images hidden on Tor; it then took over three child porn sites and booby-trapped them with drive-by spyware downloads.

The operation began with an investigation in the Netherlands in August 2011, where national police looking to crack down on the crime of child abuse imagery wrote a web crawler that prowled the Deep Web, siphoning off every Tor address it came across.

They methodically checked out all the hidden addresses the crawler pulled in, determining which were sites devoted to child-abuse images.

If the sites had been hosted on the World Wide Web then the story would end there – the FBI could have identified the sites’ owners and locations quite easily. On the Dark Web those details are tucked away under the anonymising routing layers of the Tor network.

Fortunately one of the sites, going by the stomach-churning moniker “Pedoboard”, had a good old fashioned security problem – an administrator account with no password.

That open door allowed the FBI in to poke around until they found enough clues about the real location of the site to swoop on its owner.

FBI agents in November 2012 arrested Aaron McGrath, whom they identified as the administrator of three websites that advertised and distributed child abuse images.

McGrath was running sites out of the server farm where he worked in Nebraska, along with one server at his home.

Rather than shut the sites down the government booby-trapped them with malware and continued to operate them for three weeks.

Over the course of the investigation, the FBI identified 25 Tor users of child-abuse images sites, from states all over the US.

Now, 14 of the suspects are headed toward trial in Omaha, Nebraska, where courts are mulling whether or not the government’s behaviour followed the rules of search warrants.

Lawyers are arguing for the evidence to be suppressed, given that the FBI concealed its use of the spyware (which the agency calls a “network investigative technique”, or NIT) beyond the allowed 30-day blackout period during which the search warrant permitted the bureau to operate in secret without notifying its targets about the search.

In fact, some defendants didn’t learn about the spyware until a year after it was downloaded—a stark contrast to normal search warrants, in which subjects are normally informed “virtually immediately,” defense lawyer Joseph Gross Jr. told Wired, making this a case of “an egregious violation” of Fourth Amendment prohibitions against unreasonable search, he said.

According to Wired’s Kevin Poulsen, this isn’t the first time the FBI has snagged suspects using spyware.

One example: in 2007, the FBI was searching for a teen who had made bomb threats against a Washington high school.

The agency targeted the teen’s MySpace profile with a spyware program that collected enough information to make any cyber crook drool, including the computer’s IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer’s registered owner and registered company name; the current logged-in user name and the last-visited URL.

After it gathered all that, it settled into silent pen register mode, lurking on the computer and monitoring its internet use, including the IP address of every computer it connected to over a period of 60 days.

Chris Soghoian, principal technologist for the American Civil Liberties Union’s (ACLU’s) Speech, Privacy and Technology Project, told Wired that it’s hard to argue with the use of drive-by downloads in a child porn sting, in which there are no innocents involved.

After all, merely looking at child pornography is a crime, he pointed out, which makes it hard to imagine an innocent having any reason to visit a forum that traffics in such images.

The real worry comes with how the FBI might use the technique more broadly, he said:

“You could easily imagine them using this same technology on everyone who visits a jihadi forum, for example. And there are lots of legitimate reasons for someone to visit a jihadi forum: research, journalism, lawyers defending a case. ACLU attorneys read Inspire Magazine, not because we are particularly interested in the material, but we need to cite stuff in briefs.”

In the current case of the child abuse image suspects, the court so far has not been sympathetic to the arguments that the government acted in bad faith, out of line with search warrant limitations.

US Magistrate Judge Thomas Thalken last week rejected the defense’s motion to suppress evidence, including the implication that the government acted in bad faith.

He wrote:

“The affidavits and warrants were not prepared by some rogue federal agent, but with the assistance of legal counsel at various levels of the Department of Justice.”

The matter now goes to consideration by US District Judge Joseph Bataillon for a final ruling.

I find this to be a moral and civil rights swampland.

The FBI used Tor as a launchpad for what has to be considered malware: software that’s downloaded silently without the consent of the target.

Do the means justify the ends, if the ends are catching child abusers?

Beyond that, this case represents yet another abuse of the anonymising network, which strives to shield people, be they up to good or not, from surveillance and detection.

Until recently, Tor addresses—those so-called hidden services that end in .onion—have been thought to be untraceable.

Well, that may not be the case.

Carnegie-Mellon University researchers had actually planned to give a talk at next week’s Black Hat USA 2014 security conference about how it’s possible to break Tor anonymity using a bargain basement kit that cost less than $3,000 (£1,780).

The talk was cancelled after the university’s lawyers freaked out, but Tor developers last week confirmed that somebody or somebodies has in fact assaulted the anonymising network and may have unmasked the people who run or visit hidden sites.

In this case, though, the FBI didn’t need to find an architectural flaw in Tor, just the lowest-hanging security fruit you can grab: the lack of a password on an administrative account.