Doubts cast over FBI 'leaky CAPTCHA' Silk Road rapture
Security bod says affadavit makes no sense, omitted exploitation works
Rather than a conspiracy involving NSA wiretaps, the FBI claims the downfall of Silk Road begun with a leaky CAPTCHA.
Responding to a request for information from former kingpin Ross Ulbricht's defence lawyers, the Feds says the CAPTCHA left a trail from the TOR-protected Silk Road servers to the public Internet. That revealed the location of the drug marketplace, which would otherwise have remained hidden behind TOR, according to an FBI affidavit.
FTI Consulting security man Christopher Tarbell revealed that in June last year during his tenure with the US federal police agency he found the CAPTCHA had leaked header information that revealed the IP address of the website.
"In order for the IP address of a computer to be fully hidden on Tor, however, the applications running on the computer must be properly configured for that purpose. Otherwise, the computer’s IP address may leak through the traffic sent from the computer," Tarbell said in the document [pdf].
"The IP address leak we discovered came from the Silk Road user login interface ... upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets.
"When I typed the Subject IP Address into an ordinary web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared [which] indicated that the Subject IP Address was the IP address of the Silk Road server, and that it was leaking because the computer code underlying the login interface was not properly configured at the time to work on Tor."
The CAPTCHA was the only source of non-Tor packets but Ulbricht had struggled with the complexities of online anonymity, Tarbell claimed. The ex-FBI man said Ulbricht's computer revealed he doused IP-leaking spot fires that saw the website subject to distributed denial of service attacks (DDoS) and migrated to new servers.
But security bod Nicholas Cubrilovic who spent significant time probing Silk Road doubted the bust was as simple as a borked CAPTCHA on the grounds that the anti-spam generator was hosted on the Silk Road server, and alleged the affidavit omitted information regarding more direct application exploitation and fuzzing.
"Anybody with knowledge of Tor and hidden services would not be able to read that description and have a complete understanding of the process that the agents followed to do what they claim to have done," Cubrilovic said.
"Were the Silk Road site still live today, and in the same state it was as in back in June 2013 when the agents probed the server, you wouldn't be able to reproduce or recreate what the agents describe in the affidavit ... [the CAPTCHA] theory does not stand up to scrutiny because the Silk Road image CAPTCHA was hosted on the same server and at the same hidden URL as the Silk Road website.
"The idea that the CAPTCHA was being served from a live IP is unreasonable. Were this the case, it would have been noticed not only by me – but the many other people who were also scrutinizing the Silk Road website. Silk Road was one of the most scrutinized sites on the web, for white hats because it was an interesting challenge and for black hats since it hosted so many Bitcoin (with little legal implication if you managed to steal them)."
Moreover, an externally hosted image would still be routed over Tor and any packet sniffer would be unable to detect the Silk Road's IP address.
Cubrilovic claimed it was more likely the FBI found and exploited a security vulnerability or discovered an information leak in the Silk Road login page and application.
Those vulnerabilities which revealed the public IP address including a var_dump likely from inexperienced live debugging were made public on Stack Exchange -- Cubrilovic suggested the FBI may have taken advantage of these errors to locate Silk Road.
"This would explain why the FBI included the statement about 'typing in miscellaneous entries into the username, password, and CAPTCHA fields', because they needed to enter an exploit command to prompt the server to either dump or produce the IP address variable."
In this scenario, the description of packet sniffers and 'inspecting each packet' is all a distraction from what the FBI really did. Technically, saying that a packet sniffer revealed the true IP address of the server is true – what isn't mentioned is the packet sniffer was picking up responses from a request to the login page that was forcing it to spit out the IP address as part of a bug."