Hacking Team's 'Project X' Wants To Spy on Tor Users

Leaked documents show the spy tech company might have a plan to helps cops get around Tor.

Jul 13 2015, 2:29pm

Image: Marga Goudsbloem/Shutterstock

After the Edward Snowden revelations and the rise of deep web marketplaces, more and more people are using the anonymity network Tor to take back their privacy or access hidden sites, sometimes to break the law.

In response to this trend, surveillance tech company Hacking Team let slip last month that they were working on a solution to de-anonymize users of Tor for their customers, which include US law enforcement agencies and authoritarian regimes. After the massive Hacking Team leak last week, details of a work-in-progress system to monitor Tor and other encrypted traffic have emerged.

Called "Project X," Hacking Team's method proposes to re-route a target's internet traffic before it enters the Tor network, so it could be monitored by the company's clients. This is described in two PowerPoint presentations included in the 400 GB Hacking Team breach.

According to the slides, Hacking Team plans to do this by installing hardware at the Internet Service Provider level. Once a target has been identified, Hacking Team waits until the target is not using Tor, but browsing the internet normally. From here, the target's computer is infected by injecting an exploit into the target's browser when they visit a specific website, sort of how Hacking Team's uses porn websites. The slides suggest that a target could be identified via their cookies, though how this would work is unclear.

The malware will modify the target's installation of the Tor Browser.

The idea is that the malware will modify the target's installation of the Tor Browser. The Tor Browser, which is based on Firefox, is possibly the most popular way that people access the Tor network, it gives users all sorts of other security benefits, and routes their traffic through the Tor network.

This modification is done so the Tor Browser, unbeknown to the target, does not join the network directly. Instead, the traffic is first re-routed to a node controlled by Hacking Team's customer.

The target thinks they have connected to Tor—and eventually they do—but before then, Hacking Team's client can see what the target is doing. It essentially monitors the user before he enters the Tor network for real, and the user may not be able tell the difference.

The project is most definitely a work in progress, and comes with a wealth of caveats. One slide suggests that Hacking Team might not yet have actually written the code to modify the Tor environment. Another slide titled "Issue to be addressed" suggests that Hacking Team also hasn't yet found a way of "passively/actively fingerprinting the targets."

"We have not yet worked our way through all 400 gigabytes of data in the Hacking Team data leak," The Tor Project said in an emailed statement.

"In the slides, Hacking Team is just saying that they can attack Tor users by breaking into their computer, as long as they're running something attackable, because Tor isn't."

"Once someone has taken control of your computer, you are in a world of trouble. Our recommendations: Keep your operating system up to date. Use Tor Browser (not just Tor) or Tails, and keep it up to date. Use HTTPS Everywhere. And please don't use Flash."

Tor, in an analysis of the attack, wrote that it "requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance—this is very targeted surveillance."

"It reads very much as if the customer is in fact tapping everything."

At the moment, it is unclear what the true scale would be. The method relies on installing hardware at an ISP, but the presentation does not make explicit how much traffic the hardware would analyze.

"It reads very much as if the customer is in fact tapping everything," Claudio Guarnieri, a security researcher who has analyzed Hacking Team in the past told Motherboard over encrypted chat.

But without any further details, it is hard to determine the specifics of the attack.

Eric Rabe, Hacking Team's spokesperson, declined to give any details on "Project X."

Last month, when discussing the use of terms such as "mass surveillance" in the title for an upcoming presentation, Hacking Team's CEO wrote to his staff, "Defeating DARKNET encryption on a mass scale (e.g, at the ISP level) is mass monitoring, pal. We we [sic] are launching such a technology."

The presentations aren't dated, but the project has been discussed since at least January of this year, judging by internal emails.

In the end, there is no evidence that "Project X" is functional at this point, and it should probably be treated more as a wish list of what Hacking Team wants to be able to do, rather than what they can actually accomplish. But it would be naive to think that the surveillance industry is going to stop trying to find ways to circumvent Tor.