How Hacking Team Created Spyware that Allowed the FBI To Monitor Tor Browser

https://firstlook.org/theintercept/2015/07/16/hackingteam-attacked-tor-browser/

Version 0 of 1.

In July of 2012, FBI contractor Pradeep Lal contacted the customer support department of the Italian company Hacking Team, a maker of spyware for law enforcement and intelligence agencies worldwide. Lal needed help; he had used Hacking Team software to break into and monitor an investigative target’s computer, but the monitoring wasn’t working as well as Lal expected. It reported what addresses his target visited in normal web browsers, but not when his target used Tor Browser, software designed to mask sensitive web surfing.

Lal described his problem succinctly, complaining on Hacking Team’s customer website that the company’s “URL collector does not collect web traffic on TOR browser,” according to a large trove of emails and other documents recently obtained by one or more computer hackers. He then outlined the steps someone might take to reproduce the problem he encountered with Hacking Team spyware:

download TOR browser bundle. Surf web through TOR browser. Infect the target with an agent with www collector enabled. WWW traffic is not collect when target surfs through TOR browser.

Hacking Team’s support staff responded the next day, writing, “From our understanding the tbb [Tor Browser Bundle] is just a customized Firefox, we will look at it for future releases.“ Less than two weeks later they told Lal that his requested feature was in the works: “Dear Client, next RCS [Remote Control System] release (8.2.0) will capture URL from the TOR browser. Thank you.” (An April 2013 email laments Lal’s departure from the FBI.)

Hacking Team, at the FBI’s request, had just added the ability to monitor ostensibly anonymous Tor Browser traffic from a target infected with Hacking Team malware. The Tor Browser monitoring capability did not represent a breach of the Tor network, which bounces web traffic around the world to hide its destination. It’s impossible for any security software, including Tor Browser, to continue to protect someone after their computer has been hacked. But the incident serves as a reminder of the government’s strong interest in bypassing the protections Tor offers — and of how vulnerable computer users can be even when using proven and secure privacy systems.

Tor is, by all accounts, such a system. Tor is not just a network of computers, it’s also the open-source software that runs that network, helping people access the internet anonymously. When you use Tor Browser, you no longer visit websites directly but instead through a network of Tor nodes. This prevents the websites you visit from knowing your real IP address, information that can be used to pinpoint your location and identity. With Tor, all a website knows is that you’re some anonymous Tor user. Even someone monitoring your network traffic — having cracked your wifi, for example — will have no idea what sites you’re visiting.

(Disclosure: The Tor Project, which helps develop Tor and Tor Browser, has received money from the Freedom of the Press Foundation, where I sit on the board. It has also received money from the Omidyar Foundation, co-founded by Pierre Omidyar, who funds The Intercept‘s parent company First Look Media.)

Tor Browser was able to, for a time, thwart Hacking Team’s flagship product, Remote Control System, which normally allows an operator to, among other forms of surveillance, spy on all of the network traffic leaving a hacked computer and report back to its client a list of web addresses the target was visiting. Such web snooping didn’t initially work on Tor Browser. All RCS could see was encrypted traffic going into the Tor network — basically useless information. Spying on Tor traffic would take more effort.

Hacking Team described how it solved the problem in a PowerPoint presentation, bragging that, “Our solution is the only way to intercept TOR traffic at the moment.”

When a user opens Tor Browser, their computer starts the Tor program in the background, and in the foreground it opens up a modified version of Firefox that’s configured to force all its traffic to go through the Tor program. The solution was to modify Tor Browser on a hacked computer to force all of its traffic to go through an outside server that the attacker controls, rather than the one provided by the Tor program. When the hacked user loads a website in Tor Browser, the malware is then able to spy on the traffic before it gets handed off to the Tor network to be anonymized. Last week the Tor Project published their own brief analysis of this capability.

But Hacking Team had no capability against the Tor network itself; it could only spy on people if their computer was already infected by Hacking Team spyware. This was made clear in a series of customer service communications (1, 2, 3, 4, 5, 6) with the FBI’s John Solano starting in September 2014, two years after the Tor monitoring feature was added to Hacking Team software. Solano wanted to find out the real IP address of a target shielded by the Tor network, but he had not yet hacked his target.

“We will need to send him an email with a document or pdf attachement [sic] to hopefully install the scout,” Solano later wrote, after some back and forth with Hacking Team representatives.

It’s not clear from reading the support ticket if Solano ever successfully hacked his target with Hacking Team’s malware. What is clear is that, as of late 2014, the FBI was struggling to figure out how to deanonymize a Tor user.

In another Hacking Team customer support encounter, a government was trying to use the Tor network rather than crack it. Last month, a user called “devilangel”, who works for the South Korean Army, contacted Hacking Team trying to troubleshoot problems logging into the support website from Tor Browser. The support website requires clients to log in with not only a username and password but also with an encryption certificate. This certificate must be installed in a web browser, and devilangel was having trouble doing that in Tor Browser. “We are using certificates for secure communication using Support Portal,” devilangel wrote. “With recent firefox, you know, Tor Browser(v4.5.x) seems not to support PKCS#12(*.p12),” a file format used to bundle encryption certificates.

It’s not clear exactly why the South Korean Army wanted to use Tor Browser to interact with Hacking Team. But it is clear that Tor provides the same level of security and anonymity to military users as it does to anyone else. Tor is used by a diverse range of people: Activists, journalists, military, law enforcement, businesses executives, and ordinary people trying not to get tracked, as well as criminals of all stripes. This diversity allows any actor — government users like the South Korea military, activists, or illicit users — to remain anonymous.

On behalf of devilangel, Hacking Team’s support staff began troubleshooting, and discovered that both the stable version of Tor Browser, as well as the experimental beta version, contained a bug that prevented users from installing encryption certificates.

“We suggest to use a different way for your connections to HT Support Portal, if you still need to hide your IP address: VPNs, public proxies, VPS via VNC/RDP, browser add-ons like Anonimox…”, the support staff suggested to the South Korean Army.