Identity of an unsuspecting user revealed in less than two minutes

Jul 24, 2014 12:41 GMT

Exodus Intelligence made a video showing how a user of the privacy-focused Tails (The Amnesic Incognito Live System) can be de-anonymized due to a vulnerability in a component used by the operating system.

Tails is a Debian Linux-based operating system which integrates tools that run the connection through the TOR network in order to keep the identity of the user secret.

Recently, Exodus, a vulnerability broker that sells the security flaws it finds, tweeted that the current version of Tails was still vulnerable to methods that could expose the identity of the user.

The broker has now disclosed that the vulnerable component in the operating system is I2P, an anonymous overlay network designed to prevent surveillance and monitoring of communication by third parties.

According to the blog post from Exodus, “the I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work.”

Despite the four-layer, end-to-end encryption provided by the component and the fact that communication was routed through the secure I2P tunnel, the researchers at Exodus managed to run their de-anonymization magic on a real Tails user, in less than two minutes.

The video shows that the researchers performed the demonstration using Tails 1.1. An unsuspecting user visits a website and provides an anonymous IP address. After resolving the I2P address and delivering the proof-of-concept (POC) code, the vulnerability researchers manage to retrieve the real address of the Tails user.

The Exodus post also says that both the Tails and the I2P team have been provided with the necessary information about the bug along with the exploit code so that they can come up with a fix for the problem.

As far as de-anonymizing TOR users is concerned, a talk on the subject scheduled for this year’s Black Hat USA security conference was cancelled. In the abstract of the presentation, the researchers said that finding the identity of “hundreds of thousands of TOR clients and thousands of hidden services within a couple of months” could be done with less than $3,000 / €2,224.

However, Exodus experts warn that there are many other vectors for de-anonymization, and that the vulnerability they found could be used for remote code execution of a special payload capable of revealing the identity of the user in just a couple of settings.

“Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security. It’s not enough to have faith upon security, rather to have an understanding of it,” reads the post.