The FBI released much awaited information Friday detailing how exactly they identified the location of the Silk Road servers, which were hosted through Tor as a hidden service. If done correctly, hosting a website through Tor effectively hides the real address and location of the site, so naturally many theories arose as to how the FBI actually located the Silk Road servers. The main question being, had the NSA secretly cracked Tor’s anonymity features and provided the information to the FBI?
The FBI said in an affidavit filed in the New York court where the alleged Silk Road operator is set to appear that they identified the location of the servers by exploiting a faulty configuration of the Silk Road login and CAPTCHA page. If true, this would indicate that the FBI was able to find the servers without having the ability to crack Tor.
By typing miscellaneous entries into the Silk Road login and CAPTCHA boxes, the FBI claimed that the “anti-abuse” CAPTCHA service “pulled content from the open internet, thus leaking the site’s true location,” which was in Iceland. This eventually led to the arrest of Ross Ulricht, who the FBI alleges was the operator of Silk Road.
But did the FBI really find the true server location by exploiting a faulty CAPTCHA service? That’s the question security researcher Nik Cubrilovic is asking. In a blog post published Sunday, Cubrilovic examined the affidavit released by the FBI and said it’s unlikely that the FBI obtained the information using the methods they described.
“Anybody with knowledge of Tor and hidden services would not be able to read that description and have a complete understanding of the process that the agents followed to do what they claim to have done. Were the Silk Road site still live today, and in the same state it was as in back in June 2013 when the agents probed the server, you wouldn’t be able to reproduce or recreate what the agents describe in the affidavit.”
Cubrilovic goes on to claim that the CAPTCHA was not in fact a third-party hosted CAPTCHA as some are claiming, but it was hosted on the same server and endpoint. Cubrilovic says he spent “a lot of time investigating and testing” the Silk Road site while it was still operational, looking for security holes for “sport.”
“The idea that the CAPTCHA was being served from a live IP is unreasonable,” continued Cubrilovic. “Were this the case, it would have been noticed not only by me – but the many other people who were also scrutinizing the Silk Road website. Silk Road was one of the most scrutinized sites on the web, for white hats because it was an interesting challenge and for black hats since it hosted so many bitcoin (with little legal implication if you managed to steal them).”
Cubrilovic claims he even attempted to recreate and document the same exploit but couldn’t do so.
“No matter how much I intentionally misconfigured the server, or included scripts from clearnet hosts, I never observed traffic from a non-Tor node or a ‘real’ IP address.”
While it’s widely known that the Silk Road servers had their fair share of security issues – and Ulbricht was far from a programmer – Cubrilovic says it’s likely that the FBI is still hiding their true methods used to crack the servers.
“A much more plausible explanation is that the FBI discovered a security exploit or information leak in the login page, in the same way a number of other people discovered similar security holes or information leaks in both the login page and the Silk Road application itself.”
There were at least two incidents where a particularly imminent security vulnerability was discovered and made public on Reddit, back in March 2013 and May 2013.
Cubrilovic notes that the FBI was conducting their investigation into Silk Road during this exact time and could have easily exploited these security holes to find an IP address.
“A more likely scenario for how the FBI uncovered the real IP address would thus be that they either saw the debug information, or – more likely – took advantage of a security vulnerability in the login page and forced the server to output its $_SERVER variable,” which would explain the FBI statements about “typing in miscellaneous entries” into various fields in order to produce the IP.
So why wouldn’t the FBI just detail the exact methods they used to find the IP?
“The FBI have good reason to not mention any bugs or forcing the server to do anything, and to pretend that they simply picked up the IP address from the wire, since such actions would raise concerns about how lawful their actions in uncovering the IP address were. What we do know is that their description of “packet sniffing” for the IP through a “leak” is impossible,” said Cubrilovic.
