FYI.


The FBI Hacked a Dark Web Child Porn Site to Unmask Its Visitors

The bureau didn't call it that, but it used techniques usually associated with hackers.

It's no secret that the FBI hacks into suspects' computers during its investigations. But the bureau is certainly not a fan of publicizing its methods.

A recent case involving two frequent users of an unnamed dark web child pornography site is no different. Last week, two men from New York were indicted on child pornography charges, and in court documents, the prosecutors and the FBI were careful not to reveal too many details about the investigation.


But a passage in the court documents, spotted by Stanford computer science and law expert Jonathan Mayer, reveals that the feds deployed a "Network Investigative Technique" to unmask the two men and obtain their real IP addresses.

"That's the agency's current euphemism for hacking," Mayer told Motherboard in an email.


While the court document stops short of explaining exactly what hacking technique the FBI used, the description points in the direction of a "watering hole" attack or a "drive-by download," techniques in which hackers hijack a website and subvert it to deliver malware to all of its visitors.

On February 20, 2015, the FBI seized the server hosting what the FBI refers to only as "Website A," according to court documents. That allowed the bureau to use a Network Investigative Technique, or NIT, to "monitor the electronic communications" of all visitors to the site until March 4.

The NIT was designed to trick the computers of the site's more than 200,000 visitors into sending the FBI a host of information about the target, such as his or her "actual" IP address, the computer's operating system, and its MAC address, the hardware identifier of the computer's network adapter, according to court documents.

"The FBI appears to have run another Tor watering hole attack. No other technical explanation for these court filings." Jonathan Mayer, July 14, 2015 (tweet)


Given the way the FBI describes how it unmasked the two suspects, Alex Schreiber and Peter Ferrell, Mayer says there is no other "technical explanation" than that this was a case of hacking and the use of malware.

Other law experts consulted by Motherboard agreed with Mayer's interpretation.

"I know that the government doesn't like the term hacking," Brian Owsley, a former magistrate judge and now an assistant professor at UNT Dallas College of Law, told Motherboard in a phone call. "But if it were a non-governmental actor doing it, the government would be calling it hacking."

The FBI declined to comment "because this is an ongoing investigation," a spokesperson told Motherboard.


This is not just a matter of semantics. In a drive-by download attack, every visitor to the compromised site or server gets infected with the malware. So with one search warrant, as in this case, the FBI essentially got authorization to deliver malware to more than 200,000 users, something that "is getting pretty close to a general warrant," as American Civil Liberties Union principal technologist Christopher Soghoian tweeted last week.

In the case of Website A, as in a similar case known as "Operation Torpedo," that was precisely the goal, because visitors to the site were hiding their identities using Tor, the popular anonymization tool that allows dissidents and journalists in repressive regimes to escape government surveillance, but also powers dark web sites such as the now-defunct Silk Road.


Mayer noted that "mass hacking" is legal and in accordance with the Fourth Amendment in "narrow circumstances" related to child pornography. But as a general policy, "hacking an indeterminate number of users, for visiting a website, with one warrant, is understandably controversial."

The problem is that with such a warrant, and using hacking techniques, the FBI can in theory end up infecting innocent internet users. Malware, in other words, doesn't discriminate.

When the FBI seized the dark web hosting provider Freedom Hosting in 2013, for example, its malware likely infected and collected information on some innocent users of legitimate services such as Tormail, simply because those services were hosted on the same servers as illegal websites.

Some judges who don't have technical backgrounds might not realize that when authorizing such warrants.


In these cases, FBI agents are basically using computer and electronic surveillance "to invade the computer of another individual," Owsley said. "I just want the judges to know that and I'm not sure that just saying 'Network Investigative Technique' is enough."

Barring more details on "Website A," this might not have happened in this case, but there's another issue, according to Owsley. US criminal law, and in particular Rule 41 of the Federal Rules of Criminal Procedure, only allows judges to authorize search warrants if the location of the suspect, or of the suspect's computer, is within their jurisdiction.

In cases such as Operation Torpedo or the case of "Website A," however, neither agents nor judges can know the location of the suspects, precisely because the suspects are using Tor. The end result is that these warrants effectively authorize searches or hacks outside of the judge's jurisdiction. That's why the Department of Justice is lobbying to change the rule and let judges authorize these types of searches when the target's location is unknown.

One thing is for sure: despite claims of "going dark" and the perils of encryption and tools like Tor, the FBI has plenty of ways to fight criminals hiding in the dark.