Security Experts:

FBI Says Leaky CAPTCHA Was Used to Locate Silk Road Server, Experts Doubtful

U.S. law enforcement authorities claim to have leveraged a leaky CAPTCHA on the login page of Silk Road to identify the real IP address of the server hosting the website, according to court documents filed on Friday by the prosecution.

Silk Road was a notorious online criminal marketplace that leveraged the Tor anonymity network to protect itself and its customers. The website was taken down in October 2013, when 30-year-old Ross W. Ulbricht, believed to be “Dread Pirate Roberts,” the mastermind behind Silk Road, was arrested.

Ulbricht's lawyers have questioned the methods used by the FBI to track down the Silk Road servers and their client so a former agent who was actively involved in the investigation provided a fairly detailed description of the agency's actions.

The defense and many others believe that the NSA might have been somehow involved in the law enforcement operation against Silk Road. However, former FBI agent Christopher Tarbell, who currently conducts cybersecurity investigations at New York-based FTI Consulting, claims that a leaky CAPTCHA helped them track down the Silk Road server's real IP address.

In the court document, Tarbell pointed out that for Tor to provide complete anonymity, the applications running on the computer must be properly configured. In Silk Road's case, the former agent says the problem was a CAPTCHA placed on the login page with the purpose of ensuring that those who logged in to the website were human.

The FBI allegedly entered valid and invalid usernames, passwords and CAPTCHAs, and analyzed the individual packets of data being sent back from the website. That's when they noticed that one of the IP addresses wasn't associated with any Tor nodes like it should have been if it had been configured properly.

"The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal," Tarbell explained. "When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was 'leaking' from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor."

Tarbell emphasized that Silk Road often had IP leakage issues, an aspect also described in the log files found on Ulbricht's computer after his arrest.

While the explanation provided by the former agent might sounds valid, some experts say its not completely accurate. Security researcher Nik Cubrilovic, who often analyzed Silk Road while it was online, is confident that the method described by the FBI would not have worked.

"The idea that the CAPTCHA was being served from a live IP is unreasonable. Were this the case, it would have been noticed not only by me – but the many other people who were also scrutinizing the Silk Road website. Silk Road was one of the most scrutinized sites on the web, for white hats because it was an interesting challenge and for black hats since it hosted so many bitcoin," Cubrilovic explained in a blog post on Sunday. "The second theory, that the agents 'discovered' the real IP address by just looking at packet captures produced by a sniffer is similarly impossible. This also would have been discovered much sooner and noticed by most of the internet very quickly."

A more plausible explanation, according to the researcher, is that the FBI discovered a security exploit or information leak in the login page. This wouldn't be surprising since numerous vulnerabilities were discovered in Silk Road throughout its existence, and the FBI's investigation took place at exactly the same time as various individuals reported finding exploits and information leaks on the website.

"In this scenario, the description of packet sniffers and 'inspecting each packet' is all a distraction from what the FBI really did. Technically, saying that a packet sniffer revealed the true IP address of the server is true – what isn’t mentioned is the packet sniffer was picking up responses from a request to the login page that was forcing it to spit out the IP address as part of a bug," Cubrilovic said. "The FBI have good reason to not mention any bugs or forcing the server to do anything, and to pretend that they simply picked up the IP address from the wire, since such actions would raise concerns about how lawful their actions in uncovering the IP address were."

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.