Tails, the operating system favoured by journalists, activists, and Edward Snowden for its high degree of privacy protection, has been shown to have critical vulnerabilities in its code. By exploiting these, attackers could peel away a Tails user's cloak of anonymity. It's just the latest reminder that tools touted as "anonymous" are not infallible.
Exodus Intelligence, the researchers who found the flaws, teased their discovery on Twitter a couple of days ago. Unfortunate timing, considering the latest version of Tails was released yesterday, apparently without a fix for the problem.
“The vulnerability we have found is able to perform remote code execution with a specially crafted payload,” Exodus wrote in a blog post. This, it said, allows a hacker to do pretty much anything they want, such as “unmask a user and show the public IP address in which the user connected from within ‘a couple of seconds.’”
The problem relates to how Tails interacts with the Invisible Internet Project (I2P), a network that can disguise a user's IP address, and in turn their physical location. Tails is the most popular way for people to connect to the I2P network, because the software all comes bundled in one easy-to-use package.
Exodus hasn't yet released more specific details on the exploit, but it has made a video showing what it's capable of.
This sort of hiccup falls into the camp of 'zero-day' vulnerabilities, which are problems with code that are not known even to the developers of the software. Entire companies are dedicated to ratting them out, after which they either inform the people responsible for the weakness, or sell details of how to exploit it to government agencies or others who have enough cash.
But despite probably being able to cash in on this most recent discovery, the researchers are instead collaborating with Tails and I2P to sort out the problem, and will only publish a more detailed analysis of the exploit once it's been fixed.
“We publicized the fact that we’ve discovered these issues for a very simple reason: no user should put full trust into any particular security solution. By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible,” Exodus wrote.
This is the takeaway point from Exodus' work. With all of the media hype around Tails, and anonymity software in general because of the NSA revelations, it's important to remember that this sort of technology is not sacrosanct. In fact, it is incredibly fragile.
That's further highlighted by the other big privacy-tech story this week: the removal of a Black Hat hacking conference talk that was set to send shock waves through the security community. The talk, entitled 'You Don't Have to Be the NSA to Break Tor: Deanonymizing Users on a Budget,' was pulled after lawyers said its content had “not yet been approved” for release. According to its synopsis, it was going to demonstrate how to reveal the identity of a Tor user for as little as $3,000, something that even the most amateurish security hobbyist could probably afford to do.
And it's not the first time the anonymous network has shown cracks. Earlier this year, for instance, the Heartbleed bug had knock-on effects for Tor, with the Tor Project warning users that they could have been monitored while the bug was effective.
This constant cat-and-mouse game of discovering vulnerabilities and plugging them should remind the privacy-conscious that it takes more than simply downloading a bit of software to keep you safe online. As Exodus says, “Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security. It’s not enough to have faith upon security, rather to have an understanding of it.”
Add to that the reminder that even with the best privacy software, it's all too easy to make a human slip-up and reveal your real-life identity. Quite simply, it takes a fair bit of education to maximise your chances of keeping communications secure.
But at least as long as those who discover exploits act altruistically with software developers, the continually evolving patchwork of anonymity tech may just be enough to keep you concealed. For now.