Operation Tornado – FBI Used Metasploit to unmask Tor users

Operation Tornado is the first time that FBI deployed a tracking code broadly against every visitor to a website, instead of targeting a particular user.

The Wired portal has published a detailed post to describe how the FBI used a collection of freely available exploits and hacking tool to de-anonymize users in the Tor network.

Wired revealed that the law enforcement relied on the popular Metasploit framework to first de-anonymize operators of child porn websites in the Tor network. The operation is coded Operation Tornado and the FBI relied upon an abandoned project of Metaploit dubbed the “Decloaking Engine” to de-anonymized users in the 2012.

“Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of  suspects hiding behind the Tor anonymity network.” states the report published by Wired.

The Operation Tornado was revealed when the FBI seized three child porn sites on Tor based in Nebraska. The FBI, authorized by a special search warrant crafted by Justice Department lawyers in Washington, DC, delivered the tracking Flash code do de-anonymous visitors.  The operation allowed the FBI to identify at least 25 users in the US and many others in foreign countries.

“It’s the first time—that we know of—that the FBI deployed such code broadly against every visitor to a website, instead of targeting a particular suspect.”

The Decloaking Engine is a tool designed by HD Moore, the father of the Metaploit platform, to de-anonymize Tor users:

In 2006, Moore launched the “Metasploit Decloaking Engine,” a proof-of-concept that compiled five tricks for breaking through anonymization systems. If your Tor install was buttoned down, the site would fail to identify you. But if you’d made a mistake, your IP would appear on the screen, proving you weren’t as anonymous as you thought. “That was the whole point of Decloak,” says Moore, who is chief research officer at Austin-based Rapid7. “I had been aware of these techniques for years, but they weren’t widely known to others.”

The source code for the Decloaking Engine is public and open, Wired speculated that the FBI used it during its investigation on subjects that used the Tor anonymizing network to masquerade their identities online.

One of the tricks reported by Wired is a small Flash application used to de-anonymize users exploiting the capability of Adobe’s Flash plug-in to initiate a direct connection over the Internet, bypassing Tor and revealing the IP address of the host.

The trick is known for a long time and for this reason member at the Tor Project cautions users not to install Flash.

“The decloaking demonstration eventually was rendered obsolete by a nearly idiot-proof version of the Tor client called the Tor Browser Bundle, which made security blunders more difficult. By 2011, Moore says virtually everyone visiting the Metasploit decloaking site was passing the anonymity test, so he retired the service. But when the bureau obtained its Operation Torpedo warrants the following year, it chose Moore’s Flash code as its “network investigative technique”—the FBI’s lingo for a court-approved spyware deployment.” states Wired.

It is likely that the FBI has improved its techniques since the Operation Tornado, the recent Operation Onymous conducted in a joint effort with other law enforcement agencies demonstrate the efficiency of the hacking capabilities developed by Bureau.

Pierluigi Paganini

(Security Affairs –  Operation Tornado, FBI)