The Tor Project claimed it has learned more about an attack on its Deep Web hidden service subsystem that was detected in July 2014. The Tor Project said that the Carnegie Mellon researchers responsible for the attempt to hack Tor's network were hired by the FBI and paid "at least $1 million."
According to a Tor Project blog post by Roger Dingledine, Tor Project director, the FBI paid researchers to attack hidden services users in an effort to find data that would allow the FBI to then accuse people of crimes. Dingledine said it is unlikely that a valid warrant could have been obtained for the attack because "it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once."
In July 2014, the Tor Project announced that it had found evidence that attackers were attempting to deanonymize users, and linked the servers used in the attacks to the techniques described in a cancelled Black Hat 2014 talk by Carnegie Mellon researchers Alexander Volynkin and Michael McCord, which had claimed to demonstrate a way to hack Tor.
Carnegie Mellon refused to comment to SearchSecurity on the subject of Tor, but Ed Desautels, senior writer/editor for the public relations department of Carnegie Mellon University's Software Engineering Institute, did not exactly deny the allegations.
"I'd like to see the substantiation for their claim," Desautels told Wired. "I'm not aware of any payment."
Andrew Lewman, vice president of data development for Norse Corp., said it is understandable that the FBI would target the Tor network in an effort to find criminals.
"While there are some positive use cases for Tor, the world's law enforcement agencies are rightfully concerned about the vast criminal activity happening out of reach of their tools and technologies," Lewman said. "Of course we expect law enforcement to try to find criminals and exploit flaws and weaknesses in the software and designs."
However, Dingledine said in the blog post that this could be a case of law enforcement believing it can "circumvent the rules of evidence" by hiring universities to perform police work.
"If academia uses 'research' as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute," Dingledine wrote. "Legitimate privacy researchers study many online systems, including social networks -- if this kind of FBI attack by university proxy is accepted, no one will have meaningful Fourth Amendment protections online and everyone is at risk."
Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, said the questions over invasion of privacy are made much more difficult because the Deep Web can be used for both legitimate and illegal activity.
"No one doing anything illegal should have an expectation of privacy unless the law specifically protects that speech -- for instance while talking to your lawyer," Hansen said. "However, there is much about Tor that is simply used to prevent people from tracking you, which is not at all illegal and may actually be critical to your own well-being. For instance, people who are regularly cyber-stalked by abusive exes, or political dissidents, as an example, have not only an expectation of privacy but a deep need for it."
Dingledine also said that the attacks may have crossed an ethical line.
"Such action is a violation of our trust and basic guidelines for ethical research," Dingledine wrote. "We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."
Hansen said that while it is still unclear if Carnegie Mellon was behind the attacks or whether the FBI paid the university, there could be legal implications for anyone found responsible.
"It's quite possibly a case of hacking, and as such they would be just as culpable under existing hacking laws as any other hacker," Hansen said. "There may be some carve-out for national security that the government could use to shield [Carnegie Mellon], as the government did with the case the EFF brought against them regarding the AT&T and NSA partnership. Carnegie Mellon may have fully believed they were doing something that the government needed and saw it as a civic duty."
Dr. Chase Cunningham, head of threat research and development for Armor Defense Inc., said that answering questions over who was responsible and whether the FBI paid for attempts to hack Tor can have major ramifications on how the actions are viewed.
"The main difference is really a philosophical one; did [Carnegie Mellon] do it solely because they got paid and essentially had a bug contract out on Tor? Or did they do it because they saw a chance to break something that everyone said was basically unbreakable," Cunningham said. "From what I know, I'm sure the money didn't hurt, but there have always been lots of groups, schools, and organizations wanting to break Tor simply to say 'we did it.' The folks at Carnegie Mellon just happened to have the right talent, timing and techniques to actually do it. The money was really just universal grease; it eased the need for tools, personnel, and access to make the break happen."