Encryption service Tor was designed to keep its users anonymous, but early last year, it was compromised, handing reams of information about people who used the software to view the "dark web" to an unknown party. Now the non-profit Tor Project that develops and maintains the anonymity software thinks it has its culprit. The group says that Tor was cracked by the FBI, with the help of researchers from Carnegie Mellon University, who were allegedly paid $1 million for their work.
The Tor Project suspected Carnegie Mellon last year
In evidence, the Tor Project points to the attack that it uncovered last year. The attack reportedly began in February, after its instigators created more than a hundred new relays on the Tor network in late January, and ran until July 4th, when the team discovered the vulnerability. The attackers were able to use a combination of two methods to gather information on Tor's users, but at the time, the Tor Project wasn't sure exactly how detailed that information was. It was more convinced of who was behind the attack — it suspected Carnegie Mellon's Computer Emergency Response Team (CERT).
Carnegie Mellon researchers were due at last year's Black Hat hacking conference to give that detailed a new way of breaking in to Tor using just $3,000 of hardware. As tracked by security researcher Ed Felton last year, proposals for the presentation were collated and submitted between February and April, with researchers presenting some of the research in June, pinpointing the vulnerability and indicating that the attack had been carried out in real life. But after the ongoing attack was discovered in early July, the talk was abruptly canceled, and the Tor Project says the researchers stopped answering their emails.
Court documents used by the government reference a university-based research group
The Tor Project's accusations were spurred by documents used the government's case against Silk Road 2.0 staff member Brian Richard "DoctorClu" Farrell, reviewed yesterday by Motherboard. The documents directly state that Farrell's involvement with the second iteration of the infamous drug marketplace was identified thanks to information obtained by "a university-based research institute." In the search warrant used to search Farrell's home in January 2015, Special Agent Michael Larson pointed to an FBI source of information that gave "reliable IP addresses for TOR and hidden services such as [Silk Road 2.0]" between January 2014 and July 2014 — lining up with the dates of the suspected CERT attack.
It's believed that the information pulled during the five months the attack was running was used in Operation Onymous, a joint mission against dark web marketplaces and sellers, carried out by Europol, Eurojust, the FBI, the US Department of Homeland Security, and other governmental agencies. The operation was responsible for the arrest of 17 sellers and site administrators, the shuttering of around 410 hidden services only accessible through Tor, and the seizure of $1 million in Bitcoin.
The Tor Project says the action was a "violation of trust."
The Tor Project questioned the legality and ethical basis for the attack, and the collusion between a research institute and the FBI. "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board," the group wrote in a statement. "We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once."
The NSA has tried to crack Tor before, but the software's creators say that academic research agencies should not exist to help law enforcement agencies invade technically legal networks. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," the Tor Project wrote. "If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk."
Speaking to Wired, Carnegie Mellon said the Tor Project had no evidence for its claims. "I'd like to see the substantiation for their claim," a PR representative for the University's Software Engineering Institute said. "I'm not aware of any payment." Roger Dingledine, director of the Tor Project, said the $1 million figure was quoted by "friends in the security community."