Silver Bullets and Fairy Tails

Introduction

This week we made mention on Twitter of a zero-day vulnerability we’ve unearthed that affects the popular Tails operating system. As the Tails website states:

“Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
- use the Internet anonymously and circumvent censorship;
- all connections to the Internet are forced to go through the Tor network;
- leave no trace on the computer you are using unless you ask it explicitly;
- use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.”

Tails became widely known because whistleblower Edward Snowden used it. Since then, the OS has attracted considerable attention and use by a wide range of people seeking anonymity on the Internet.

We publicized the fact that we’ve discovered these issues for a very simple reason: no user should put full trust into any particular security solution. By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others.

Our customers use our information for both offensive and defensive purposes to better protect themselves and others. By providing a wide variety of exploit software, we help penetration testers effectively test network security and incident response teams. One high profile example occurred last year when Facebook used a zero-day vulnerability to test their teams' response to a zero-day attack. The information we provide is also used for defensive purposes, giving companies well documented research to build IDS and AV signatures for previously unknown threats. We at Exodus are able to do what many software projects cannot: perform security code audits, find exploitable vulnerabilities, and release them to the public.

The Vulnerable Component

The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P deployment. The I2P vulnerability works on a default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work. I2P is preconfigured so that all .i2p TLD sites are routed through the I2P network. At a high level, I2P traffic is message based, similar to IP packets. All communication is encrypted end to end with a total of four layers of encryption. I2P routers (end points) act as cryptographic identifiers, similar to a pair of public keys. I2P is a packet switched network, rather than circuit switched like Tor. This means transparent load balancing of packets across multiple peers. I2P is fully distributed with no centralized resources. There is no distinct separation between servers and nodes; this architecture helps eliminate single points of failure.

Demonstration

To lend credence to our claims we have created a video that demonstrates de-anonymizing a Tails user:

Timeline

0:00:00,000 –> 0:00:10,400: Demonstrating IP on listening server, Turning on listening server
0:00:19,000 –> 0:00:25,400: Tails user visiting website icanhazip.com which shows the anonymized IP address
0:00:36,000 –> 0:00:49,400: Showing that we’re indeed using the latest Tails build 1.1
0:00:50,000 –> 0:01:03,400: I2P address being resolved, proof of concept malicious payload being delivered
0:01:30,000 –> 0:01:40,400: Listening server retrieves the Tails user’s de-anonymized IP address (Austin RoadRunner ISP)

Note on Disclosure

Disclosure of vulnerabilities takes many forms, and the form it takes is adapted to the landscape in which the platform is used. In the past at Exodus Intelligence, we've felt that significant vulnerabilities have been disregarded and have not had the requisite exposure. Through appropriate airing of the issue, we feel that users of such security platforms may come to understand the risks of base-level trust. Even further, we hope to break the mold of unconditional trust in a platform. Users should question the tools they use, and they should go even further to understand the underlying mechanisms that interlock to grant them security. It is not enough to have faith in security; one needs to understand it. If the public thinks Exodus is one of a few entities finding bugs in software, they are grossly misinformed. As is the case with all vulnerabilities we report to vendors, we do not ask for any remuneration. All flaws that we give to vendors are given free of charge. All accusations of extortion made by those unfamiliar with our business model are completely unfounded. As of publication of this blog post, the Tails team and the I2P team have both received all the relevant details and exploit code they require to remediate the vulnerabilities we've discovered.

Recently a high profile talk on de-anonymizing Tor users was pulled from Blackhat due to legal issues. The talk outlined how, with a budget of $3000, some powerful servers and multiple gigabit links, the researchers were able to de-anonymize hundreds of thousands of users in 'a couple of months'. Exodus decided to pick up where this talk left off by letting the community know that there are many other vectors for de-anonymization. The vulnerability we have found allows remote code execution with a specially crafted payload. This payload can be customized to unmask a user and reveal the public IP address from which the user connected within 'a couple of seconds'.

Stay Tuned

Part two of this blog post will present a technical discussion of the vulnerability. This will be posted once we have confirmed the vulnerabilities in I2P are patched and have been incorporated into Tails.

22 thoughts on “Silver Bullets and Fairy Tails”

  7. When TAILS is used on a PC, is there something that indicates that it has been there? In essence, if I want to find out if someone is using TAILS, do I search for file “X” or registry entry “whatever”? Also, could TAILS be used or run on an Android Phone (or other Smart phone) or even used to interrogate Smartphones (question posed for the purpose of if X then how do I counter the action).

  12. So if I understand this right, you use XSS to booby trap an .i2p webpage, to then phone home to a nc server.
    Would this also work if the .i2p page was also running through TOR or some other SOCKS proxy (i.e. something that would push i2p’s UDP traffic via a third party)?

