Windows DRM-Protected Files Used To Decloak Tor Browser Users (bleepingcomputer.com)
An anonymous reader writes from a report via BleepingComputer: Downloading and trying to open Windows DRM-protected multimedia files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned. On Windows, multimedia files encoded with a special Microsoft SDK will automatically open an IE window and access a URL to check the file's license. Since this request is sent outside of the Tor Browser and without user interaction, this can be used to ping law enforcement servers and detect the user's real IP address and other details. For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user tried to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency. The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more. A video of the attack is available here.
So tired of these stories making reference to pedos. Sure they exist, but every time the govt is caught spying, the media trots out the pedophiles to justify it. Not everyone who views "questionable" content is a crook. I've read plenty of articles, and watched plenty of videos, on how to make bombs and explosives, yet have never actually made one. Nor do I ever plan to do so. Forbidden knowledge and all that.....
For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography.
Apparently it's no longer even worth noting that representatives of the US government will run a child porn site offering downloads!
Again.
Yes, "pretending". So a honeypot without honey. That'll get real far now won't it?
Why not just get a list of all this week's files of interest found on the net. All the files of interest created and shared over a few days.
Give the checksums to all the big US OS brands to add to their new OS AV efforts.
Record every IP that responds to a checksum as part of anti-virus spread tracking if the user "allowed" such self-reporting to the OS.
Use the advanced and near-instant indexing on most modern OSes to report the file when it is opened and have the user's OS report that file to the OS brand?
Remove and replace the checksum list for next week so it will not slow any modern computer down.
Any advanced user could test the file in any way and find no issue.
A new OS AV update of a few megabytes spread over a few days per week could hold how many new file checksums per week every week?
The OS would do all the reporting on an average user who trusted the OS brand with AV.
Domestic spying is now "Benign Information Gathering"
If you require perfect opsec all the time, you are doomed eventually.
Also, who the hell does this? The only sane way to use TOR for something dangerous is on a machine that has never and will never be connected to the internet directly or through NAT. And that computer's only network jack should be plugged into a disposable router running a bootable live system that does all-TOR all-day.
In other words, even if the client computer is trying to turn you in, which it is, it shouldn't know anything other than the reserved/private IP that your router gives it and the IP or onion address your browser is visiting.
See that "Preview" button?
Nothing but good happened under the great and benevolent President Barack Hussein Obama, the greatest president this nation ever had, recipient of the Nobel Peace Prize and loved by Europe. Stop spreading lies or we'll track you down and kill you.
The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.
And avoid both DRM and Windows like the plague, even if you're not doing something that would get you in trouble with your government.
-- sudon't
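The default-deny outbound firewall the comment above recommends, written out as an added example (this is not code from the page, the commenter or Hacker House). It uses the standard NetSecurity cmdlets that ship with Windows 8/Server 2012 and later; the Tor Browser install path and the Internet Explorer path are assumptions, so adjust them to your machine. Run it from an elevated PowerShell prompt.

```powershell
# Added example: default-deny outbound on every Windows Firewall profile,
# then allow only the Tor Browser binary. Paths are assumptions.
#Requires -RunAsAdministrator

$TorBrowser = 'C:\Tor Browser\Browser\firefox.exe'             # assumed install path
$IE         = "$env:ProgramFiles\Internet Explorer\iexplore.exe" # assumed IE path

# 1. Default-deny outbound on all three profiles. Inbound is already Block
#    by default; outbound is Allow by default, which is what the DRM
#    license check relies on.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Whitelist only the Tor Browser executable. Everything else, including
#    the IE window the DRM file spawns, is now dropped by the default action.
New-NetFirewallRule -DisplayName 'Allow Tor Browser (outbound)' `
    -Direction Outbound -Program $TorBrowser -Action Allow -Profile Any

# 3. Explicit block for Internet Explorer. Redundant under default-deny, but
#    it stays in force if someone later flips the profile default back to Allow.
New-NetFirewallRule -DisplayName 'Block Internet Explorer (outbound)' `
    -Direction Outbound -Program $IE -Action Block -Profile Any

# 4. Verify: every profile should now report DefaultOutboundAction = Block ...
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction

# ... and this lists every enabled outbound Allow rule with the program it
#     covers. Windows ships many built-in ones (Core Networking etc.); each
#     one is a potential leak path and should be reviewed or disabled.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName,
        @{ n = 'Program'; e = { ($_ | Get-NetFirewallApplicationFilter).Program } }
```

Two caveats. Default-deny outbound also blocks DNS, Windows Update and anything else not explicitly allowed, so expect breakage until the remaining rules are whitelisted deliberately. And this is a host firewall on the same machine that is being tricked, so it only helps as long as nothing running as administrator adds a rule; the gateway-only setup described earlier in the thread is the stronger control, with this as a second layer.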
Air-ride Equipped
Does it also prevent a user process from knowing the real IP address? (I genuinely don't know.) If it didn't, then I suppose the phone-home mechanism would just query the IP and transmit it as data.