Every hacker who knows what he is doing knows, and most likely uses, a tool that was developed over a decade ago. Metasploit, which some people call an open source Swiss Army knife for hacks, is easily accessible to virtually anybody, contains exploits for numerous security weaknesses, and is constantly updated by the community to include the latest exploits. The tool is not used only by hackers, though. People whose job is to stop hackers, security experts, also use this tool to test a product's resistance to cyber attacks.
What may be surprising, though, is that even the FBI has started using the tool, successfully identifying suspects on the Tor network for the first time ever. The FBI exploited a vulnerability using Flash code from an abandoned Metasploit project called the “Decloaking Engine”.
The targets of the FBI attack, “Operation Torpedo”, were 3 illegal child porn sites. It seems that the operator of one of the websites is not trying to deny his activity as the administrator of the Dark Net website. Instead, the current debate is whether the evidence obtained during the investigation can be used in court. Defense lawyer Joseph Gross states that they are bringing in programmers who will investigate the process the FBI used to identify the defendant.
The Tor network is not used only by criminals, though, and so the FBI's successful attempt at identifying the criminal raised worries in the Tor community, since it was unclear whether the FBI built the exploit code from nothing or used improved open source code. It was also not clear whether other organizations such as the NSA were involved in the investigation. Moreover, it may have exposed people with no criminal intentions to leaks of their information, because the Tor network is commonly used by human rights activists, whistleblowers, journalists, etc.
With the latest revelation that the Metasploit tool was used to carry out the investigation, it becomes clear that the FBI used an easily accessible tool to infiltrate the Tor network in order to collect evidence against the websites under investigation.
The security weakness in Tor is a Flash exploit that has been known in the Tor community since 2006, and therefore everybody in the community was warned not to install Flash. Flash can be exploited because Adobe's Flash plug-in can connect directly to other IP addresses, bypassing the Tor network entirely. This makes your IP address visible and exposes your real identity.
The creator of Metasploit, Moore, noted that he developed a decloaking tool to raise awareness of the Flash vulnerability, but removed it once most Tor network users passed the decloaking test. Later the FBI used warrants to obtain the code, the base of which the FBI used to hack the Tor network.
The investigation showed that the FBI corrupted the websites to infect their visitors with malware that could access a visitor's files, browser history and even camera. Notably, it is the first known time that the FBI has performed a mass cyber attack against people who are not targets of the investigation.
It is also possible that the FBI and other organizations such as the NSA will become more interested in the Tor network as its popularity rises among regular users and the number of websites accessible only from within the Tor network grows.
Even though Tor is home to many organizations that fight for human rights, it may be a headache for officials, since many criminals use the network as well. And even if officials are able to obtain a log from a Tor node, it is close to useless, since it contains only the IP addresses of other Tor nodes, making tracking almost impossible.
Moore is now being questioned by Gross about the working details of his code. However, Moore is not worried about giving any information to the lawyer since, in his opinion, information about the decloaking tool will not help the defendant's case. He also added that the FBI must have improved the tool by a lot, since it should affect only those using a very old Tor browser or people who installed the Flash plugin despite all the warnings about its vulnerabilities.
This is not the first large-scale attack on the Tor network. In 2013 the Tor network was most likely also targeted by the FBI, but there is no strong evidence. During that attack a new Firefox vulnerability was used to obtain the user's IP and MAC addresses and to infect the computer with malware.
Considering the rapid growth of the techniques at the disposal of the FBI and other agencies, the Tor network may become less secure than its users rely on it to be. An additional layer of protection is always encouraged, and a VPN can provide just that. The Tor over VPN server offered by NordVPN not only provides all the features of the Tor network, it also enhances them with VPN security, combining the best of both services for those who really worry about their security online.