FBI used Metasploit for illegal, warrantless snooping on Tor users
FBI Used Metasploit Hacking Tool in ‘Operation Torpedo’ to unmask pedophiles but in the process unmasked normal Tor users
You may have read a report doing the rounds on the internet that the Federal Bureau of Investigation (FBI) of the United States used Metasploit, a favourite application of white hat hackers (and even black hat ones) and security researchers, to unmask pedophiles lurking on the dark web. The FBI used Metasploit in “Operation Torpedo” in 2012 to find evidence against the accused, Aaron McGrath, a Nebraska man who was held responsible for hosting the three pedophile websites.
McGrath's illegal sites were hosted on .onion URLs and could only be viewed by using Tor or other anonymising browsers. The Tor anonymiser network is preferred not only by human rights workers, activists, journalists, and whistleblowers but also by millions of normal web users who would like to remain anonymous and not have their traffic snooped upon by anybody. The FBI conveniently seems to have forgotten that Tor is used by many people who like anonymity as a matter of practice and who were in no way connected to McGrath and his cronies. The FBI obtained the permission of a federal magistrate to infect all visitors to those websites with malware, which in turn exposed the IP addresses of normal Tor users.
According to Wired, this is the first recorded incident in which the FBI has targeted all visitors to a website instead of using code against a particular suspect. Operation Torpedo turned out to be a successful one for the FBI, with arrests of over 14 individuals. The FBI had used the proof-of-concept Metasploit Decloaking Engine, which is made up of five different tricks customers could use to break through anonymization systems. Out of the five, the FBI used a 35-line Adobe Flash application to initiate a direct connection with users over the web, thereby bypassing Tor and revealing their true IP addresses.
It was able to arrest McGrath and his cronies for hosting illegal websites, but in the process it also exposed hundreds of Tor user IPs which were in no way connected with illegal websites. Ethically, exploiting a Flash script to expose hundreds of Tor users who prefer anonymity in order to pin down a few individuals seems unjustified.
After the Wired report, many users took strong objection to the FBI's strong-arm tactics of infecting hundreds of Tor users to hunt for a few real criminals. One of the sites which has many such comments is Schneier, where many users commented against the FBI’s illegal snooping on Tor users, though many supported the FBI given that the purpose was to hunt down pedophiles. Some select comments are reproduced below.
Tim • December 17, 2014 8:10 AM
The article mentions multiple times how Tor is important because it’s used by human rights workers, activists, journalists, and whistleblowers… but fails to mention that it’s also used by normal people who wish to not have their traffic snooped. Given that you’ve argued that privacy is not about hiding things (https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html), it surprises me that you would share an article that seems to accept that privacy is only about hiding.
Bob S. • December 17, 2014 8:58 AM
What I got from the article is the government is doing warrantless, illegal to civilians, hacking and cracking of TOR to gather evidence for the enemy du jour which would cause anyone else to get sent to prison for a long time.
As an aside, who would have known cracking TOR was as easy as using an open source probe app? Wow, the credibility of TOR developers sure seems in question then. (Or, maybe not.)
Well, since the Intelligence Authorization Act Passed allowing NSA et al. to “collect it all” by act of Congress, we are all suspected enemies of the state so I guess we should just sit around until they come get us for some as yet un-promulgated crime. (Or, not)
Daniel • December 17, 2014 1:06 PM
@ Tim, @Bob S.
I see both sides of this. The contrast the article sets up is between “pedophiles” on one hand and “human rights journalists” on the other hand. I agree with Tim that this is a false dichotomy and one that we all should be worried about; repeat an assumption long enough and people become conditioned to accepting it as true. However, I also agree with Bob S that the point of the article is about how the FBI exploits Tor and this too is worth people’s attention.
Yes, but that isn’t the real point of the article either. The real point is in the last paragraph. If one is a Tor user who needs Tor for high security purposes (regardless of whether those purposes are viewed as good or bad by society) the question then becomes whether or not one thinks he can win an arms race against the FBI or any other government security agency? Too many people get hung up on the whole “pedo” issue overlooking two critical facts: (1) if the FBI can do it any skilled organization can and (2) what the FBI can do to pedos they can do to anyone else they happen to dislike or want information from.
Gweihir • December 17, 2014 5:58 PM
This shows two things
1) TOR still works and is very hard to compromise.
2) The user can always break security by doing stupid things, often things the user has been warned explicitly not to do. (For the 2013 attack, that was browsing with an old version.)
All in all, not a surprise. What is also not a surprise is that the FBI resorts to things that in any working legal system are reserved for intelligence agencies and are criminal to use for LEO except when they have a specific warrant for specific targets. One of the characteristics of a totalitarian system is that the law is applied only against citizens, but has become irrelevant for law enforcement. It is then used not as a tool of “justice” (which it basically never was, but it is a nice cover story), but as a weapon against the population.
Nick P • December 17, 2014 8:40 PM
That’s actually what I proposed. I had two different models. The centralized model meant you weren’t anonymous to the service provider (eg Anonymizer). They just used strong mechanisms to make you anonymous to everyone else. If a warrant is provided, they give over the data. Their own activities and systems are independently audited by mutually suspicious parties. Any accesses also generate audit logs that can be checked later on.
I also proposed a decentralized model with features akin to a discussion board or stackoverflow. The content is hosted on something akin to hidden services with an identifier. The police can suggest they be deanonymized. The users, a number of appointed people, or some other such social structure can all vote on whether to deanonymize the link. If they vote, the protocol will do so. Otherwise, it won’t. This is still pretty close to Tor, might even use most of its protocol, allows some lawful intercept, and reduces risk of censorship. It also discourages use of network for such content.
Honestly, I think the best thing would be for academics interested in anonymity schemes to put some effort into stuff like this. There’s going to be a constant battle between authorities and privacy lovers over anonymity technology. It will be much easier to swing courts toward privacy by default if we have a believable way to ID and/or eject crooks. It’s worth putting research into.
We can continue arguing about whether what the FBI did was right or wrong in exposing Tor users, but the FBI continued to use the information from this infection to crack Tor on many other occasions. In 2013, the FBI launched a similar malware attack against Freedom Hosting, which maintains the servers for a number of well-known Tor websites. In the Freedom Hosting operation, the FBI even succeeded in revealing visitors' MAC addresses in addition to their IP addresses.
Another of the FBI's successful operations in recent times is Operation Onymous, which helped it shut down Silk Road 2.0 and other illegal Tor websites like Topix and Cloud 9 and arrest 17 people, including Blake Benthall, the owner and operator of Silk Road 2.0.
What is your opinion about the FBI using a wholesale malware injection process to find a few criminals? Do comment and let us know.
Update: A Flash script was used to decloak visitors, not an exploit, as pointed out by Metasploit founder HD Moore.