The one-two punch to privacy and security this week may push home the facts that even when using services that purportedly protect privacy, we are not as anonymous as we may like to think we are. Researchers at Exodus Intelligence, a company that sells zero-day vulnerabilities, found a critical hole in Tails,
short for “The Amnesic Incognito Live System,” a privacy-orientated operating system that was pushed into the limelight after being recommended by Edward Snowden. This announcement came on the heels of a similar issue that can de-anonymize Tor users.
Yesterday, in talking about the zero-day vulnerability in Tails, Exodus Intelligence wrote:
We publicized the fact that we’ve discovered these issues for a very simple reason: no user should put full trust into any particular security solution. By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others.
The Tails Debian Linux-based operating system runs independently from a computer's OS, protecting a person's privacy by using the Tor network. Tails can be installed on a DVD, USB, or SD card, so it can be used without leaving a trace; it "comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc."
On Monday, Exodus tweeted that it had found multiple zero-day vulnerabilities in Tails. The developers at Tails were not given a heads up about the critical flaws, leaving many people concerned that users might be at risk. The Tails team said, “Some people report such vulnerabilities, and then they get fixed: This is the power of free and open source software. Others don't disclose them, but run lucrative businesses by weaponizing and selling them instead.”
Although Exodus sells zero-days, CEO Aaron Portnoy said he would provide the information to Tails so the flaws could be fixed. It’s not quite clear if the vulnerability broker’s decision was for the greater good or due to backlash from the security community.
The zero-day is in the Invisible Internet Project, or I2P, networking component that comes bundled with Tails to encrypt web traffic and hide a user’s real IP address. The 30,000 I2P users who previously felt anonymous could be unmasked, their true IP address revealed, by visiting a booby-trapped website.
Exodus explained, “The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work.” Although Tails 1.1 was released this week and closed numerous security holes, Exodus included a short video showing how to exploit I2P, even on Tails 1.1, and reveal a Tails user’s real IP address in less than two minutes. The company plans to reveal technical details of the vulnerability after the flaws in I2P are patched and pushed through to Tails.
Screenshot of Exodus Intelligence using zero-day vulnerability to de-anonymize Tails users
“People shouldn’t trust something wholeheartedly just because Snowden says,” Exodus told Reuters. “Generally, we assume the things we can find, others can find.”
Earlier this week, the Black Hat security conference canceled the talk “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” that was due to be given by Carnegie-Mellon University CERT researchers. The presenters intended to explain how, with a budget of $3000, hundreds of thousands of Tor users could be de-anonymized. A Black Hat spokeswoman told Reuters the talk was pulled at the request of Carnegie-Mellon University lawyers. The Tor Project did not request the talk attacking Tor to be canceled.