Over a Thousand Computers and Tor Users Targeted By FBI In An ‘Unprecedented’ Hacking Campaign
In the summer of 2015, two New York men were accused of online child pornography crimes for allegedly visiting a site that was run as a Tor hidden service, a setup that should have concealed both the identities of its users and the location of its server. What made this case stand out was that the Federal Bureau of Investigation (FBI) had used a hacking tool to ascertain the IP addresses of the individuals.
The case received some media attention, and scraps of information about other, related arrests accumulated as the year went on. However, the actual extent of the FBI’s bulk hacking campaign has come to light only now.
According to court documents studied by Motherboard and interviews with legal parties involved, the FBI hacked over a thousand computers to combat what it has called one of the largest child pornography sites on the dark web.
Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview, “This kind of operation is simply unprecedented.”
In August 2014, a new bulletin board site was launched on the dark web on which users could sign up and then upload whatever images they wanted. The site’s main purpose was “the advertisement and distribution of child pornography,” according to court documents. Documents in another case would later confirm that the site was called “Playpen.”
Within a month of launch, Playpen had nearly 60,000 member accounts. By the following year that number had swelled to almost 215,000, with over 117,000 total posts and an average of 11,000 unique visitors each week. According to FBI testimony, many of those posts contained some of the most extreme child abuse imagery imaginable, and others included advice on how sexual abusers could avoid detection online.
An FBI complaint described the site as “the largest remaining known child pornography hidden service in the world.”
According to a complaint filed against Peter Ferrell, one of the accused in New York, the server running Playpen was seized by law enforcement from a web host in Lenoir, North Carolina, in February 2015, a month before this peak. When Motherboard contacted data hosts in Lenoir, they refused to comment. One of them, CentriLogic, wrote, “We have no comment on the matter referenced by you. Our obligations to customers and law enforcement preclude us from responding to your inquiry.”
Unlike previous dark web sites that were closed down by law enforcement, Playpen was not immediately shut down after it was seized. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, according to a complaint filed against a defendant in Utah. During this time the FBI deployed what is known as a network investigative technique (NIT), the agency’s term for a hacking tool.
According to the same complaint, “approximately 1300 true internet protocol (IP) addresses were identified during this time,” while Playpen was being run from the server in Virginia and the hacking tool was infecting targets.
The legal counsel for one of the accused believes that the number of resulting cases may be slightly higher still.
Colin Fieman, a federal public defender handling several of the related cases, told Motherboard in a phone interview, “Fifteen-hundred or so of these cases are going to end up getting filed out of the same, underlying investigation.” Fieman, who is representing Jay Michaud, a Vancouver teacher arrested in July 2015, said his estimate comes from what “we’ve seen in terms of the discovery.”
“There will probably be an escalating stream of these [cases] in the next six months or so,” Fieman added. “There is going to be a lot in the pipeline.”
Fieman said that he has three cases pending in his defender’s office. Charges have also been filed against defendants in Massachusetts, Connecticut, Illinois, Florida, New Jersey, New York, Utah, and Wisconsin, according to court documents.
In his court filings, Fieman refers to the use of this broad NIT as an “extraordinary expansion of government surveillance and its use of illegal search methods on a massive scale.”
NITs have been used since at least 2002 and come in many different forms. Malware has been delivered to bomb threat suspects via phishing emails. To identify users connecting with the Tor Browser Bundle, the FBI has also taken over hosting services and secretly exploited a known bug in Firefox.
In 2011 the agency launched “Operation Torpedo,” placing an NIT on the servers of three different hidden services hosting child pornography; the NIT then targeted anyone who happened to access them. Using a Flash application, the NIT caused a user’s computer to send its real IP address directly to an FBI-controlled server, rather than routing that traffic through the Tor network, which would have guarded their identity.
When WIRED reported on that operation in 2014, “over a dozen alleged users of Tor-based child porn sites” were headed for trial. The FBI allegedly collected IP addresses for at least 25 of the sites’ US visitors within two weeks.
However, the case of Playpen seems to be much, much broader in scope.
Soghoian, the ACLU technologist, said, “We’re not talking about searching one or two computers. We’re talking about the government hacking thousands of computers, pursuant to a single warrant.”
In earlier cases, the FBI’s broad NIT attacks exploited vulnerabilities that were already known and patched. At the time of one of those attacks, in August 2013, the Tor Browser Bundle had no auto-update mechanism, so only users who bothered or remembered to patch their systems were safe. Evidently, some did not.
The same might be true of the Playpen NIT: automatic updates for the Tor Browser Bundle were only introduced in August 2015, months after the FBI had already obtained over a thousand IP addresses.
“There is no public information revealing whether or not the FBI used a zero-day in this case, or an exploit that targeted a known flaw,” Soghoian said.
Some clues about the Playpen NIT do exist, however. It is probably different from the one used in Operation Torpedo, which is “no longer in use,” according to court filings. It is not entirely clear how the Playpen NIT operated or exactly how it was deployed, but the warrant allowed anyone who logged into the site to be hacked.
“Basically, if you visited the homepage, and started to sign up for a membership, or started to log in, the warrant authorised deployment of the NIT,” Fieman said. From there, the NIT would send back a target’s IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, whether the NIT had already been deployed to the same computer, the computer’s host name, the operating system username, and the computer’s MAC address.
Experts say that when law enforcement asks for authorisation to deploy NITs, the true nature of these powerful hacking tools is kept from judges.
“Although the application for the NIT in this case isn’t public, applications for NITs in other cases are,” said Soghoian. “Time and time again, we have seen the Department of Justice is very vague in the application they’re filing. They don’t make it clear to judges what they’re actually seeking to do. They don’t talk about exploiting browser flaws, they don’t use the word ‘hack.’”
“And even if judges know what they’re authorizing, there remain serious questions about whether judges can lawfully approve hacking at such scale,” Soghoian added.
Magistrate Judge Theresa C. Buchanan of the Eastern District of Virginia, who signed the warrant used for the NIT, did not reply to questions about her understanding of the warrant, which granted the power to hack anyone who signed up for Playpen, or about whether she consulted technical experts before signing it. Her office said not to expect a reply.
Fieman said that the warrant “effectively authorizes an unlimited number of searches, against unidentified targets, anywhere in the world.”
Warning about what hacking on this scale may mean for the future of policing, Soghoian said, “This is a scary new frontier of surveillance, and we should not be heading in this direction without public debate, and without Congress carefully evaluating whether these kind of techniques should be used by law enforcement.”
Many questions remain unanswered regarding this law enforcement hacking operation, such as how many computers were targeted outside of the United States, the exact wording used in the authorisation for the NIT, and the technical aspects of the NIT itself.
In a statement to Motherboard, the UK’s National Crime Agency (NCA), which regularly receives intelligence from the FBI, said, “The NCA does not routinely confirm or deny the receipt of specific intelligence for reasons of operational security. We work closely with international partners both in law enforcement and industry to share intelligence and work collaboratively to bring those involved in the sexual exploitation of children to account.” Europol, Europe’s law enforcement agency, did not reply to a request for comment.
Nevertheless, in taking down one of the biggest dark web child pornography sites, the FBI engaged in what is likely the largest law enforcement hacking campaign to date.