
University's Tor Hacking Research Funded by DoD

In response to a motion filed by the defense in the case of an alleged Silk Road 2.0 administrator, a judge has confirmed that US authorities funded Carnegie Mellon University to conduct research on the Tor anonymity network.

In November 2015, the Tor Project accused the FBI of paying Carnegie Mellon University at least $1 million to deanonymize Tor users suspected of conducting criminal activities. It turns out that the research conducted by the university was actually funded by the United States Department of Defense (DoD) and the FBI obtained the information on alleged criminals after serving a subpoena to Carnegie Mellon’s Software Engineering Institute (SEI).

When the news broke in November, court documents showed that an academic institution had helped the FBI identify criminals who had been using Tor to hide their activities. One of the suspects was Brian Richard Farrell from Seattle, who has been charged with conspiracy to distribute cocaine, heroin and methamphetamine through his role as an administrator of the underground drug bazaar Silk Road 2.0.

Authorities said they identified Farrell and other suspects based on IP addresses obtained by a university-based research institute that operated its own computers on the Tor network. Farrell’s defense filed a motion asking the prosecution to provide additional information on the relationship between this research institute and the government, and the methods used to identify the defendant on what was supposedly an anonymous website.

A federal judge denied the motion this week, arguing that since the suspect was identified based only on his IP address, the search of the Tor network had not violated any of his Fourth Amendment rights. The judge pointed out that Tor users should not expect their IP address to remain private considering that the Tor network has vulnerabilities and that users connect with their real IPs to the Tor nodes that should help them remain anonymous.

One important aspect revealed by the judge is that the FBI wasn’t funding the SEI research. Instead, it was funded by the DoD, and the FBI obtained the IPs of crime suspects based on a subpoena.

This is in line with a statement released by Carnegie Mellon University in November in response to accusations that it was paid by the FBI. The law enforcement agency also denied paying the university at the time.

Researchers unmask Tor users

Tor helps users maintain their anonymity online by routing their traffic through a series of relays operated by individuals and organizations across the world. In January 2014, more than 100 devices joined Tor as relays and attempted to deanonymize users who operated and accessed hidden services.

The attack relays were identified by the Tor Project in July 2014 and removed from the network. The Tor Project concluded that these attacks were likely conducted by a group of Carnegie Mellon University researchers who had planned to disclose their findings at the Black Hat USA conference in August 2014.

The results of the research were never made public: the Black Hat talk was canceled because the university had not approved the content of the presentation for public release.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.