Security & Privacy + Security News

Feds Admit to Hacking Tor

Posted on September 25th, 2013 by

Man cutting an onion

Remember that shocking incident about a month ago, where the Feds were suspected of hacking Tor and cutting off a huge chunk of the Tor “onion?” When reports about it surfaced, some people were like “Hey, this came from a government contractor’s IP,” and then we were like “Yeah, we can’t really be sure of that.” Well, here’s a wrinkle I totally didn’t see coming…

With all the difficulties in conclusively identifying the origin, we weren’t certain that this came from the government. There was only one way to know for sure, and it wouldn’t be easy to find out. So the Feds made it easy and admitted that it was their doing; they took credit for hacking Tor.

Oh. Okay, I can’t really argue with that evidence.

The FBI told an Irish court that it was the one creating the code, which they designed to surreptitiously capture an affected user’s MAC address and IP address.

According to Gizmodo:

The Tor hack was supposed to target associates of the Freedom Hosting’s operator Eric Eoin Marques who’s currently being detained in Dublin, Ireland for his involvement in a massive child pornography operation. Freedom Hosting has indeed been under suspicion of allowing kiddie porn on its servers for some time now, but the investigation took a turn for the technical when the Feds exploited a loophole in the version of Firefox that forms the basis for the Tor Browser Bundle.

Regardless of anyone’s opinions of the rightness or appropriateness of these actions, it’s interesting in that it brings an end to a mystery that’s been floating around since at least 2007. And now that the code is out in the open, the Feds will have to go back to the drawing board if they try to do something like this again.

More than that, it brings up an interesting question about “perfect” security. This is something that has been coming up a lot lately: if security can be easily broken by an adversary who is sufficiently determined, is it worthwhile at all?

The TouchID hack is one good example, and many people are discussing whether encryption is still useful, given that the NSA has been tampering with encryption standards by inserting a backdoor that makes it trivial for them to break in. It’s also been shown that Tor users can be identified by a sufficiently determined adversary, given a few months’ worth of traffic.

Generally speaking, I would rather have imperfect security and be aware of its potential flaws so that I can take other steps to mitigate potential problems. For instance, Intego routinely recommends using layered defenses to improve your overall security. Tor getting hacked serves as an important reminder that nothing is 100 percent effective on its own, and it’s important that we realize this in order to effectively identify and mitigate risks.