University Responds to Accusations of FBI Funding for Tor Hack

Carnegie Mellon University released a statement on Wednesday in response to recent allegations that the organization was paid by the FBI for help in unmasking individuals suspected of using the Tor anonymity network for illegal activities.

Last week, the Tor Project accused CMU of receiving at least $1 million to help the FBI deanonymize Tor users. The Tor Project noted that the FBI was unlikely to have obtained a valid warrant for this activity, considering that many users were indiscriminately targeted.

In response to recent media reports, which it calls inaccurate, the university has admitted that it receives federal funding, but denies any wrongdoing.

“Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected,” the university stated.

“In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance,” CMU added.

The organization’s representatives have refused to clarify why the vulnerabilities found by its researchers in the Tor network were not properly reported to the Tor Project.

For its part, the FBI told reporters at Ars Technica that the allegation that it paid CMU $1 million to hack Tor is inaccurate, but the agency refused to provide any details.

Everything started in January 2014 when more than 100 machines joined the Tor network as relays and attempted to deanonymize individuals who operated and accessed hidden services. These relays were only detected by the Tor Project in July 2014, when they were removed from the network and the vulnerability exploited by the attackers was patched.

It was determined at the time that the attack was likely conducted by a team of Carnegie Mellon University researchers who were working on breaking Tor anonymity. The experts had planned on disclosing their findings at the Black Hat security conference, but their talk was pulled because the university said it had not approved the content of the presentation for public release.

Last week, Tor Project Director Roger Dingledine claimed that he had learned from sources in the security community that the FBI paid Carnegie Mellon University at least $1 million to attack hidden services in an effort to find criminals. Court documents found by Vice’s Motherboard showed that at least two suspects were identified by authorities with help from “a university-based research institute” that is presumably CMU.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.