In an interesting development in the US Department of Justice is dropping all charges in a child porn case to keep TOR hack code secret. According to DOJ “disclosure is not an option”.
To catch the culprits of child pornography FBI took control of the server that was used for hosting porn material and deployed a TOR exploit to ascertain the IP addresses of its users. The use of TOR allows users to obscure and anonymoise their identities on the internet and connect to the dark web. With the exploit created by the FBI they were easily able to identify the end users. Experts believe the Network Investigative Technique as the DOJ calls it was basically a malware.
Now lets see how the NIT worked and gathered the information on TOR network.
The website suspected of hosting contraband child porn was known as Playpen, and operated as a darknet website only reachable through TOR. Hidden services on the darknet by default, attempt to hide the locations of both servers and the computers being used to visit the site using a series of intermediary nodes such that visitors location cannot be determined at the website. In an ongoing investigation The FBI learned, through one of its foreign partner, that a website dedicated to the distribution of child sexual abuse materials was determined to be located within the United States jurisdiction. While the FBI was able to locate the server, and bring the site under its control, it was still unable to determine the physical location of individuals who were accessing and posting child pornography on the site.
The FBI using a court authorization to hack the circumvention method was successful in determining the IP address of the website users. It operated the website for 13 days under its control and managed to obtain valuable information of its users using NIT. As Susan Hennessey and Nicholas Weaver have discussed in detail how NIT was operated by the FBI it will be worth sharing a brief description of the exploit and its basic components.
The Network Investigative Technique (NIT consists of a number of components typical of a malware.
1. A “generator” which runs on the hidden service.
2. An “exploit” which, when transmitted from the hidden service to the visitor’s computer, enables running the FBI’s code on the visitor’s system.
3. The “payload” which the exploit fetches, runs on the visitor’s system, and conducts the actual search, transmitting the information discovered to an FBI server.
4. A “logging server”, a system run by the FBI that records the information transmitted by the payload.
The primary role of the generator is to generate a unique and random ID number associate the ID with a logged-in user of the site, and then transmit the exploit, the ID, and the payload to the user’s computer.
The exploit takes control over the Tor browser used by the visitor, control it uses to load and execute the payload. Knowledge of how the exploit works is the most sensitive part of an NIT public disclosure not only risks losing the opportunity to use the technique against other offenders but would also permit criminals or authoritarian governments to use it for illicit purposes until a patch is developed and deployed. This is the component the government refuses to disclose in the instant cases.
The payload is the program which searches and gathers information such as computer name, user name, mac address and than transmit it alongwith the unique ID over an unencrypted channel on the internet exposing victims computer public IP address from which he can be tracked back.
The logging service, running on a separate computer, receives the NIT response. The important component in this activity is packet capturing and storing it in a pcap file which records all network traffic transmitted over the unencrypted channel.
In the current case 137 defendants are facing serious charges over data obtained primarily from NIT and seizure of computers. Interestingly from a defense point of view defendants are asserting that the code involved in the NIT are material to their defense which needs to be shared with them for a fair trial and raise following important questions which are befitting for cyber crime trials in Pakistan as well.
1. Defendants should be given an opportunity to perform a detailed evaluation of the functionality of the expolit in this case NIT, to determine what it searched for in the victims computer, how the search was conducted and what data was seized, and the chain of custody.
2. Critical question is how the key ID was generated and whether every computer was given a unqiue ID. To analyze this from a defendants point of view he would need the source code to ascertain that process and cross match it with the logging activity.
3. The pcap file transmitted over an unencrypted channel was manipulated by any third party.
4. Allowing defense to examine the complete source code including the exploit may result in exposing sensitive classified information to a vast array of actors that can be detrimental to national security operations.