A few weeks ago, Hacking Team was bragging publicly about a Tor Browser exploit. We’ve learned some details of their proposed attack from a leaked PowerPoint presentation that was part of the Hacking Team dump.
The good news is that they don’t appear to have any exploit on Tor or on Tor Browser. The other good news is that their proposed attack doesn’t scale well. They need to put malicious hardware on the local network of their target user, which requires choosing their target, locating her, and then arranging for the hardware to arrive in the right place. So it’s not really practical to launch the attack on many Tor users at once.
But they actually don’t need an exploit on Tor or Tor Browser. Here’s the proposed attack in a nutshell:
1) Pick a target user (say, you), figure out how you connect to the Internet, and install their attacking hardware somewhere on your network path (e.g. on your local network or inside your ISP).
2) Wait for you to browse the web without Tor Browser, i.e. with some other browser like Firefox or Chrome or Safari, and then insert some sort of exploit into one of the web pages you receive (maybe the Flash 0-day we learned about from the same documents, or maybe some other exploit). Note that injecting into a page in transit only works on a page fetched over plain HTTP; a page served over HTTPS can’t be modified on the wire without also breaking TLS.
3) Once they’ve taken control of your computer, they change Tor Browser’s proxy settings so that, instead of the Tor client bundled with Tor Browser (which listens on your own machine), it uses a SOCKS proxy on a remote computer that they control. In effect you’ll be using their remote Tor client, so your traffic reaches them before it has been encrypted for the Tor network: they see which sites you visit and, for sites without HTTPS, what you send and receive.
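The last step leaves a concrete trace: Tor Browser’s Firefox proxy preferences no longer point at the local Tor client. The script below is an added example, not code from the Tor Project or from the leaked deck; it parses `prefs.js` style `user_pref(...)` lines and flags a SOCKS proxy that is not on the loopback interface. It assumes Tor Browser’s stock defaults (manual proxy, SOCKS5 at 127.0.0.1:9150 with remote DNS), and the two sample preference files, including the attacker’s address 203.0.113.7, are constructed for illustration.

```python
"""Audit Tor Browser proxy preferences for the remote-SOCKS rewrite described above.

Added example for this post; not Tor Project code.  Assumptions: the file
follows Firefox's prefs.js format, and any network.proxy.* key that is absent
falls back to Tor Browser's bundled defaults listed below.
"""
import ipaddress
import re

# Tor Browser's stock proxy settings (assumed baseline for keys not overridden).
TOR_BROWSER_DEFAULTS = {
    "network.proxy.type": 1,              # 1 = manual proxy configuration
    "network.proxy.socks": "127.0.0.1",   # the tor client shipped with Tor Browser
    "network.proxy.socks_port": 9150,
    "network.proxy.socks_version": 5,
    "network.proxy.socks_remote_dns": True,
}

# One user_pref("name", value); line.  Values containing ');' are not handled.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js text into {name: value}; values become str, int or bool."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue                      # comments, blank lines, anything else
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw         # leave unknown literals as text
    return prefs


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def effective_proxy(prefs):
    """Overlay user prefs on the assumed defaults; only proxy keys matter here."""
    cfg = dict(TOR_BROWSER_DEFAULTS)
    cfg.update({k: v for k, v in prefs.items() if k in cfg})
    return cfg


def audit_proxy(prefs):
    """Return a list of findings; an empty list means the local Tor client is still in use."""
    cfg = effective_proxy(prefs)
    findings = []
    if cfg["network.proxy.type"] != 1:
        findings.append("proxy type is %r, not manual: the browser may bypass Tor entirely"
                        % cfg["network.proxy.type"])
    host = cfg["network.proxy.socks"]
    if not is_loopback(host):
        findings.append("SOCKS proxy host is %r, not this machine: traffic reaches it before Tor encrypts it"
                        % host)
    # A deliberately configured system tor on 9050 also trips this; confirm it is yours.
    if cfg["network.proxy.socks_port"] != 9150:
        findings.append("SOCKS port is %r, not Tor Browser's 9150" % cfg["network.proxy.socks_port"])
    if cfg["network.proxy.socks_version"] != 5:
        findings.append("SOCKS version is %r, not 5" % cfg["network.proxy.socks_version"])
    if cfg["network.proxy.socks_remote_dns"] is not True:
        findings.append("socks_remote_dns is off: DNS lookups would bypass the proxy")
    return findings


# Constructed sample files (not real Tor Browser profiles).
CLEAN_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("network.proxy.socks_remote_dns", true);
"""

TAMPERED_PREFS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "203.0.113.7");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PREFS), ("tampered", TAMPERED_PREFS)):
        result = audit_proxy(parse_prefs(text)) or ["ok"]
        print(label + ":", *result, sep="\n  ")
```

Run it against the `prefs.js` (and `user.js`, if present) in the Tor Browser profile directory; the clean sample yields no findings, the tampered one reports the non-loopback host and the changed port. A compromised machine can of course lie about its own files, so this is a check to run from a clean boot or on a copied profile, not a substitute for keeping step two from succeeding.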
You have to stop them at step two, because once they’ve broken into your computer, they have many options for attacking you from there.
Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.
Another defense is to run a system like Tails, which routes all of its traffic through Tor, so an attacker on the local network never sees a non-Tor web page into which to inject an exploit. But that’s still not a complete solution: some coffeeshops, hotels, etc. will demand that you interact with their local login page before you can access the Internet. Tails includes what it calls the ‘Unsafe Browser’ for these situations, and you’re at risk during that brief period when you use it.
Ultimately, security here comes down to having safer browsers. We continue to work on ways to make Tor Browser more resilient against attacks, but the key point here is that they’ll go after the weakest link on your system — and at least in the scenarios they describe, Tor Browser isn’t the weakest link.
As a final point, note that this is just a PowerPoint deck (probably a funding pitch), and we’ve found no indication yet that they ever followed through on their idea.
We’ll update you with more information if we learn anything further. Stay safe out there!