In 2013, the FBI took down Freedom Hosting and with it, brought down a minimum of 23 child pornography sites. The seizure of child pornography (CP) servers was considered a win by law enforcement and many Tor users. However, recently unsealed documents reveal just how far the FBI stepped outside the law.
During the investigation, agents discovered a connection between an email service and many CP websites. The FBI was then given a warrant to hack 300 users of TorMail, the email service in mentioned.
TorMail was an encrypted mail platform that allowed users to send and receive emails over the Tor network. The FBI was allowed to hack TorMail users after discovering that both TorMail and the CP sites were hosted on the same server.
Documents explicitly clarified that only the 300 target accounts listed in the affidavit were to be hacked.
The ACLU fought to have the documents unsealed in September and the Department of Justice ultimately published them in redacted form. The released documents confirmed the suspicions and theories of many cybersecurity researchers and TorMail users alike.
“That is, while the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an email.
The suspicion that the FBI operated outside the scope of their warrant existed almost immediately. The “hack” was not discreet. As revealed in the affidavits, the type of “hacking” performed by the FBI was a network investigative technique (NIT). This malware, according to Greg Virgin, former NSA employee turned cyber security consultant, did not “crack” Tor encryption. It circumvented anonymity altogether.
Malware was only to be deployed once one of the “target” users entered their TorMail username and password, the affidavits explained. However, within a week of the arrest of the Freedom Hosting owner, TorMail users started reporting otherwise. Users were met with an error page before being able to access the TorMail log-in page.
Security researchers dissected the code and it wasn’t long before Mozilla made a statement. The code exploited a critical memory management vulnerability in Firefox, the company said. Tor, being based on Firefox, consequently suffered from the same vulnerability. The “Down for Maintenance” error page that presented itself to TorMail users ultimately exposed their identities.
Wired reported that the FBI’s malware looked up the victim’s MAC address and Windows hostname. The NIT then transmitted the identifying data to a server in Virginia. Data was sent via HTTP, outside of Tor, revealing the victim’s IP address.
Joseph Cox, a contributor to Vice’s Motherboard, spoke with a former TorMail user who confirmed the error page “appeared before you even logged in.”
The email Christopher Soghoian sent to Motherboard continued:
The warrant that the FBI returned to the court makes no mention of the fact that the FBI ended their operation early because they were discovered by the security community, nor does it acknowledge that the government delivered their malware to innocent TorMail users. This strongly suggests that the FBI kept the court in the dark about the extent to which they botched the TorMail operation.
“What remains unclear is if the court was ever told that the FBI had exceeded the scope of the warrant, or whether the FBI agents who hacked innocent users were ever punished,” he continued.
Motherboard reached out to the FBI for comment and heard back from Christopher Allen, a spokesperson for the FBI. “As a matter of practice the FBI narrowly tailors warrants, and we do not exceed the scope of those warrants,” he said.
(Special thanks to Joseph Cox for uploading and making all of the documents readily available.) The Freedom Hosting affidavit can be found here. TorMail affidavit here. And the ACLU’s motion to unseal the documents can be found here.